DNS


SIIL IT

Oct 27, 2022, 1:29:26 AM
to Wazuh mailing list
We have installed the agent on some Linux servers that are running bind and added them to a group which has the below in the agent.conf

    <localfile>
        <location>/var/log/bind/misc.log</location>
        <log_format>syslog</log_format>
    </localfile>
    <localfile>
        <location>/var/log/bind/query.log</location>
        <log_format>syslog</log_format>
    </localfile>

I'm not seeing the bind logs displaying within the wazuh dashboard? What else do I need to do?

Abdullah Al Rafi Fahim

Oct 27, 2022, 2:44:05 AM
to Wazuh mailing list
Hello,

Thank you for sharing your query with us.

Adding these <localfile> configurations will parse the logs from the locations defined and send them to the Wazuh manager. However, to generate alerts, these logs need to be decoded by the decoders and trigger rules present in your Wazuh manager.

First, you can verify that the expected logs are coming to the manager by checking the /var/ossec/logs/archives/archives.log and /var/ossec/logs/archives/archives.json files like this:

cat  /var/ossec/logs/archives/archives.log | grep " /var/log/bind/query.log"
cat  /var/ossec/logs/archives/archives.log | grep " /var/log/bind/misc.log"

Please ensure that archives are enabled in your manager's ossec.conf, with logall and logall_json set to yes. The configuration should look like:
<logall>yes</logall>
<logall_json>yes</logall_json>

Secondly, if the logs are coming to the manager, you need to check whether they are being decoded properly and triggering rules or not. You can do it using the wazuh-logtest feature in the Wazuh manager. You will find more information about this here: How it works - Wazuh-Logtest · Wazuh documentation

Third, if these logs are not being decoded or not triggering any rules, you need to create custom decoders and rules for them to generate alerts. You can review the following documents to learn more about custom rules and decoders.

SIIL IT

Oct 30, 2022, 9:53:22 AM
to Wazuh mailing list
Thanks for that info Abdulla. Unfortunately, I'm failing in the first part.
I've edited the ossec.conf to change the "logall" & "logall_json" to "yes" and restarted the services across the master and worker servers.
One end system has the localfile settings set at the group level agent.conf while the other has the entries added within the ossec_config section (with the other localfile entries) of the ossec.conf.
If I "cat" the archives.log I'm not seeing anything there from either of the servers related to the bind logs!

SIIL IT

Oct 31, 2022, 2:03:11 AM
to Wazuh mailing list
I've got data this morning (finally)! 
It's not triggering a decoder so I've got my work cut out for me figuring that out. The inbuilt "named" decoder and ruleset aren't working on these logs so it looks like I'm going to need to create a new decoder at least!
One question, if I do create a new decoder file and ruleset, do I only need them on the master server or do I need to copy to the other workers too?

SIIL IT

Oct 31, 2022, 3:05:03 AM
to Wazuh mailing list
I see my problem......
If I look in syslog, I can see events like 
Oct 11 09:22:16 ns3 named[443]: command channel listening on 127.0.0.1#953

If I run this through logtest, it will decode OK and give good results for phases 1, 2 & 3.

The misc and query logs are different as they don't include the service. I'm seeing log entries similar to
31-Oct-2022 08:11:49.002 general: info: zone.... 
31-Oct-2022 08:14:52.613 xfer-in: info: zone
31-Oct-2022 08:26:32.297 query-errors: info: client
31-Oct-2022 09:55:12.075 client @0x7f428415d0d0 

What will be the best way to set up the decoder, or do I need to change the log format type for these logs?

Abdullah Al Rafi Fahim

Oct 31, 2022, 6:31:04 AM
to Wazuh mailing list
Hello,

I am happy to know that the logs are coming to the manager properly. To prepare the custom decoders and rules, you only have to create them in the master node and these will be automatically replicated to the worker nodes. However, the worker nodes must also be restarted manually in order to apply the received configuration.

As your log format is different from syslog, you can utilize the <out_format> setting in the <localfile> configuration, which will allow you to change the log format. I am just sharing an example to give you an idea about this:

    <localfile>
        <location>/var/log/bind/query.log</location>
        <log_format>syslog</log_format>
        <out_format>$(timestamp) $(hostname) bind_query: $(log)</out_format>
    </localfile>

It will add the RFC3164 format timestamp, hostname and program name (bind_query) before the log and make it look like a syslog. You can learn more about out_format here: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#out-format 

I hope it helps. Please let us know if you need any further support.
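The other route to the question asked earlier in the thread ("what will be the best way to setup the decoder") is to decode BIND's native timestamped lines directly on the manager instead of rewriting them with out_format on the agent. The following decoder and rule set is an added example, not code from the thread or from the Wazuh project: it is written for the four line shapes quoted above (`31-Oct-2022 08:11:49.002 general: info: zone ...` and `31-Oct-2022 09:55:12.075 client @0x... ...`), uses Wazuh's own OS_Regex syntax (not PCRE; `\w`, `\d`, `\p` and `\.` have Wazuh's meanings), and assumes the standard custom-content files /var/ossec/etc/decoders/local_decoder.xml and /var/ossec/etc/rules/local_rules.xml. The rule IDs 100100 to 100102, the decoder names and the field names (bind_time, category, severity, message) are placeholders chosen for this example.

```xml
<!-- ===== /var/ossec/etc/decoders/local_decoder.xml (assumed location) ===== -->

<!-- Parent decoder: every BIND-native line starts with "DD-Mon-YYYY HH:MM:SS.mmm ". -->
<decoder name="bind-native">
  <prematch>^\d\d-\w\w\w-\d\d\d\d \d\d:\d\d:\d\d\p\d\d\d </prematch>
</decoder>

<!-- Child 1: lines that carry "category: severity:" (print-category/print-severity style),
     e.g. "31-Oct-2022 08:26:32.297 query-errors: info: client ..." -->
<decoder name="bind-native-category">
  <parent>bind-native</parent>
  <regex>^(\d\d-\w\w\w-\d\d\d\d \d\d:\d\d:\d\d\p\d\d\d) (\w+): (\w+): (\.+)$</regex>
  <order>bind_time, category, severity, message</order>
</decoder>

<!-- Child 2: query-log lines without a category prefix,
     e.g. "31-Oct-2022 09:55:12.075 client @0x7f428415d0d0 ..." -->
<decoder name="bind-native-client">
  <parent>bind-native</parent>
  <regex>^(\d\d-\w\w\w-\d\d\d\d \d\d:\d\d:\d\d\p\d\d\d) client (\.+)$</regex>
  <order>bind_time, message</order>
</decoder>

<!-- ===== /var/ossec/etc/rules/local_rules.xml (assumed location) ===== -->

<group name="bind,dns,">
  <!-- Base rule (placeholder ID): anything the bind-native decoder (or its children) decoded. -->
  <rule id="100100" level="3">
    <decoded_as>bind-native</decoded_as>
    <description>BIND: $(category) $(severity) event</description>
  </rule>

  <!-- Raise the level when BIND itself flags the line as error or critical. -->
  <rule id="100101" level="7">
    <if_sid>100100</if_sid>
    <field name="severity">error|critical</field>
    <description>BIND: $(severity) in category $(category)</description>
  </rule>

  <!-- The query-errors category is worth surfacing even at "info" severity. -->
  <rule id="100102" level="5">
    <if_sid>100100</if_sid>
    <field name="category">query-errors</field>
    <description>BIND: query error reported</description>
  </rule>
</group>
```

As the thread notes, these files only need to be created on the master node, after which the workers receive them and must be restarted. Before restarting anything, paste one of the quoted lines into wazuh-logtest: phase 2 should name bind-native-category (or bind-native-client) as the decoder and list bind_time, category and severity as decoded fields, and phase 3 should show rule 100100 (or 100101/100102) firing; if phase 2 shows only the parent decoder, the child regex did not match and is the first thing to adjust. Lines such as the query log's ones here have no severity field, so they match only the base rule, which is the intended behaviour.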

Gokul Suresh

Aug 31, 2024, 4:38:21 AM
to Wazuh | Mailing List
Hello,

Can I get a proper way to integrate BIND DNS logs with Wazuh? I have seen certain things here and there, but did not get a proper way to integrate, nor seen someone successful.
Can I get help.