Description:
In addition to mail analysis, I decided to feed Elasticsearch with DNS data; for this purpose I found a powerful piece of software, passivedns. It intercepts DNS traffic and passes the captured requests on to syslog.
Example:
Configurations:
passivedns:
# Sniffs DNS on interface eth0.2 and writes each record to the log files under
# /var/log/passivedns and, via -y / -Y, to syslog (regular and NXDOMAIN records
# respectively), which the rsyslog template below parses.
# "-d ," sets the field delimiter; the rsyslog template relies on exactly this
# character (field.delimiter="44") to split the message into columns.
# -u/-g drop the capturing process to the passivedns:passivedns account — keep that
# account unprivileged, since the daemon handles attacker-influenced DNS names.
# NOTE(review): flag meanings are taken from passivedns usage text; confirm against
# the installed version, in particular the -X record-type selection.
passivedns -D -i eth0.2 -d , -p /var/run/passivedns/passivedns.pid -l /var/log/passivedns/passivedns.log -L /var/log/passivedns/nxdomain.log -y -Y -C 1 -P 1 -X 46CDNOLFIPRSTMndHfsxoryetaz -u passivedns -g passivedns
rsyslog:
# Builds one JSON document per passivedns syslog line for omelasticsearch.
# option.json="on" JSON-escapes every property() value, so a quote or backslash
# inside a DNS name cannot break out of the string and change the document
# structure — do not remove it if fields are ever added.
# msg is split on "," (field.delimiter="44" is the decimal ASCII code for a comma),
# matching the "-d ," passivedns is started with above. Field numbers refer to
# passivedns' column order (2=client, 3=server, 5=query, 6=type, 7=answer as used
# here) — NOTE(review): confirm against the passivedns log format in use; a comma
# inside an answer (e.g. a TXT record) would shift the columns.
# result and hostname are lower-cased so case variations of the same name
# collapse into one value for searching.
template(name="passivedns" type="list" option.json="on") {
constant(value="{")
# timereported is the timestamp carried in the syslog message, not the time rsyslog received it
constant(value="\"timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
constant(value="\",\"src\":\"") property(name="msg" field.delimiter="44" field.number="2" )
constant(value="\",\"dst\":\"") property(name="msg" field.delimiter="44" field.number="3" )
constant(value="\",\"type\":\"") property(name="msg" field.delimiter="44" field.number="6" )
constant(value="\",\"result\":\"") property(name="msg" field.delimiter="44" field.number="7" caseconversion="lower" )
constant(value="\",\"hostname\":\"") property(name="msg" field.delimiter="44" field.number="5" caseconversion="lower" )
constant(value="\"}")
}
# Ships each DNS record (rendered by the "passivedns" template) to Elasticsearch,
# index "dns", type "queries".
# The action talks plain HTTP to elastic.livelace.ru:9200 and carries no
# credentials: DNS query logs reveal who resolved what, so this should only run
# on a trusted segment or be switched to TLS with authentication
# (omelasticsearch offers usehttps/uid/pwd — verify for the rsyslog version in use).
# queue.type="disk" with queue.filename="dns" persists unsent records under
# rsyslog's work directory (up to queue.maxdiskspace, saved on shutdown); that
# directory then holds raw DNS data and should be readable by rsyslog only.
# action.resumeretrycount="-1" retries forever instead of discarding records when
# Elasticsearch is unreachable.
ruleset(name="dns") {
action(type="omelasticsearch"
server="elastic.livelace.ru"
serverport="9200"
template="passivedns"
searchIndex="dns"
searchType="queries"
queue.type="disk"
queue.size="10000000"
queue.filename="dns"
queue.maxdiskspace="5g"
queue.saveonshutdown="on"
action.resumeretrycount="-1"
)
}
elasticsearch:
# Creates the "dns" index with an explicit mapping before rsyslog starts
# indexing, so field types are not guessed from the first document.
# Like the omelasticsearch action, this uses plain HTTP with no authentication;
# unless something in front of port 9200 enforces auth, anyone who can reach it
# can create, read or delete this index — confirm what guards the endpoint.
# The "string" type and "_default_" mapping are tied to the Elasticsearch major
# version being run (later releases replaced string with text/keyword) — verify.
# "hostname" is not_analyzed so it can be matched exactly (e.g. against a list of
# known-bad domains); ignore_above=256 means values longer than 256 characters
# are not indexed for that field, so unusually long query names would not be
# findable by hostname — keep that in mind when hunting for such names.
curl -XPUT http://elastic.livelace.ru:9200/dns -d '
{
"mappings": {
"_default_": {
"properties": {
"type": {
"type": "string"
},
"timestamp": {
"format": "strict_date_optional_time||epoch_millis",
"type": "date"
},
"src": {
"type": "string"
},
"hostname": {
"type": "string",
"index" : "not_analyzed",
"doc_values" : true,
"ignore_above" : 256
},
"dst": {
"type": "string"
}
}
}
}
}
';