Collecting the LOGs from our DNS and DHCP server in Elasticsearch and visualizing them in Grafana

How unoriginal I am with short titles… Well, if you run your own DNS server or DHCP server, this is your post 😉 We're not actually going to get this from log files; we'll do it by auditing the traffic 😉 We'll audit the requests handled by the DNS or DHCP service and view them in Grafana!

The idea is to know the requests received by our DNS or DHCP server so we can visualize them in Grafana, run queries on them or arrange them in rotating dashboards. That helps us see whether those services are working correctly or not; in the case of DNS we learn which destinations are being requested and who requests them, and in the case of DHCP we see the lease requests. Other kinds of traffic can be analyzed the same way, of course: HTTP, MySQL, PostgreSQL… so we get to see the queries that are made.

How do we put it together? We assume we already have a working ELK stack and a Grafana. We'll rely on Packetbeat to analyze the traffic of a given machine, ship it to Elasticsearch, and with a Grafana Data Source we'll be able to build the queries we need.

On Windows, we must first install Npcap on the machine, checking only 'Install Npcap in WinPcap API-compatible Mode'. Then we continue and finish with the Packetbeat installation.

Once we have Packetbeat downloaded and unpacked, we'll set it up through its 'packetbeat.yml' configuration file, as usual.

...
setup.template.settings:
  index.number_of_shards: 1
setup.template.name: "packetbeat"
setup.template.pattern: "packetbeat-*"
setup.ilm.enabled: false
...
setup.kibana:
  host: "https://DIRECCION_IP_KIBANA:5601"
  ssl.verification_mode: none
...
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["https://DIRECCION_IP_ELASTIC:9200"]
  # 'none' skips certificate checks; in production point certificate_authorities at your CA instead.
  ssl.verification_mode: none
  username: "XXXXXXXX"
  password: "XXXXXXXX*"
  # Custom index name; requires the setup.template.name/pattern above and ILM disabled.
  index: "packetbeat-%{+yyyy.MM.dd}"
...

And, in the same configuration file, we need to indicate which protocols we are interested in auditing:

...
# =========================== Transaction protocols ============================
packetbeat.protocols:
- type: icmp
  # Enable ICMPv4 and ICMPv6 monitoring. The default is true.
  enabled: false

- type: amqp
  # Configure the ports where to listen for AMQP traffic. You can disable
  # the AMQP protocol by commenting out the list of ports.
  ports: [5672]
  enabled: false

- type: cassandra
  # Configure the ports where to listen for Cassandra traffic. You can disable
  # the Cassandra protocol by commenting out the list of ports.
  ports: [9042]
  enabled: false

- type: dhcpv4
  # Configure the DHCP for IPv4 ports.
  ports: [67, 68]

- type: dns
  # Configure the ports where to listen for DNS traffic. You can disable
  # the DNS protocol by commenting out the list of ports.
  ports: [53]

- type: http
  # Configure the ports where to listen for HTTP traffic. You can disable
  # the HTTP protocol by commenting out the list of ports.
  ports: [80, 8080, 8000, 5000, 8002]
  enabled: false
...

Once configured, we install the service:

cd '.\Program Files\packetbeat\'
.\install-service-packetbeat.ps1

We validate the configuration, load the setup (index template and dashboards) and start the service:

.\packetbeat.exe test config -c .\packetbeat.yml -e
.\packetbeat.exe setup
Start-Service packetbeat

Note: to make it use less CPU, we should enable only the protocols we are interested in. In addition, in the 'packetbeat.interfaces.device' parameter we set the ID of the network card to audit; to find out that ID, we run 'packetbeat devices' in a terminal console:

packetbeat devices
0: \Device\NPF_{AB47E8CD-2692-4320-A188-FFE1191EDFDC} (Adaptador Ethernet vmxnet3) (fe80::70ef:a48d:29b2:3677 192.168.1.100)
1: \Device\NPF_Loopback (Adapter for loopback traffic capture) (Not assigned ip address)

We can then check from Kibana whether we are already collecting the Auditbeat events; we will need to create the index pattern as usual.

And then, from Grafana, we'll create a Data Source against this Elasticsearch index and we can start building. Hopefully something prettier than mine. A panel where, at a glance, you see the DNS queries, source, destination, top clients, top destinations… and more or less the same for DHCP.

I'm sure you'll improve my dashboard in no time; we can add other kinds of panels, these are the typical pie, graph, sankey…

So that we can later filter and search DNS queries by source IP, destination site…
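To make the "top clients / top destinations" panels and the per-IP filters described above concrete, here is an added example (not code from the original post, nor from Packetbeat or Grafana) that computes those views locally over a handful of constructed Packetbeat-shaped events and also builds the Elasticsearch aggregation body a Grafana Elasticsearch Data Source would send for the same panel. The field names (dns.question.name, dns.response_code, client.ip, dhcpv4.option.message_type, dhcpv4.client_mac, dhcpv4.assigned_ip, network.protocol) are assumed to follow Packetbeat's ECS mapping; check them against your packetbeat-* index before using the query.

```python
"""Summarise Packetbeat DNS and DHCPv4 events like the Grafana panels do.
Added example; events below are constructed, not real captures, and the
field names are assumed to match Packetbeat's ECS mapping."""
import json
from collections import Counter

# Constructed sample documents shaped like Packetbeat events (not real data).
SAMPLE_EVENTS = [
    {"@timestamp": "2022-10-25T10:00:01Z", "network": {"protocol": "dns"},
     "client": {"ip": "192.168.1.20"}, "server": {"ip": "192.168.1.1"},
     "dns": {"question": {"name": "www.bujarra.com", "type": "A"}, "response_code": "NOERROR"}},
    {"@timestamp": "2022-10-25T10:00:02Z", "network": {"protocol": "dns"},
     "client": {"ip": "192.168.1.20"}, "server": {"ip": "192.168.1.1"},
     "dns": {"question": {"name": "www.bujarra.com", "type": "AAAA"}, "response_code": "NOERROR"}},
    {"@timestamp": "2022-10-25T10:00:03Z", "network": {"protocol": "dns"},
     "client": {"ip": "192.168.1.20"}, "server": {"ip": "192.168.1.1"},
     "dns": {"question": {"name": "grafana.local", "type": "A"}, "response_code": "NXDOMAIN"}},
    {"@timestamp": "2022-10-25T10:00:04Z", "network": {"protocol": "dns"},
     "client": {"ip": "192.168.1.30"}, "server": {"ip": "192.168.1.1"},
     "dns": {"question": {"name": "elastic.co", "type": "A"}, "response_code": "NOERROR"}},
    {"@timestamp": "2022-10-25T10:00:05Z", "network": {"protocol": "dns"},
     "client": {"ip": "192.168.1.30"}, "server": {"ip": "192.168.1.1"},
     "dns": {"question": {"name": "www.bujarra.com", "type": "A"}, "response_code": "NOERROR"}},
    {"@timestamp": "2022-10-25T10:01:00Z", "network": {"protocol": "dhcpv4"},
     "dhcpv4": {"client_mac": "aa:bb:cc:dd:ee:01", "option": {"message_type": "discover"}}},
    {"@timestamp": "2022-10-25T10:01:01Z", "network": {"protocol": "dhcpv4"},
     "dhcpv4": {"client_mac": "aa:bb:cc:dd:ee:01", "assigned_ip": "192.168.1.50",
                "option": {"message_type": "ack"}}},
    {"@timestamp": "2022-10-25T10:02:01Z", "network": {"protocol": "dhcpv4"},
     "dhcpv4": {"client_mac": "aa:bb:cc:dd:ee:02", "assigned_ip": "192.168.1.51",
                "option": {"message_type": "ack"}}},
]


def _get(doc, path):
    """Walk a dotted ECS path such as 'dns.question.name' through nested dicts."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def top_terms(events, field, n=5, protocol=None):
    """Top-N values of a field, optionally restricted to one protocol.
    This is what a Grafana 'terms' bucket on that field shows."""
    counter = Counter()
    for ev in events:
        if protocol and _get(ev, "network.protocol") != protocol:
            continue
        value = _get(ev, field)
        if value is not None:
            counter[value] += 1
    return counter.most_common(n)


def dns_rcode_by_client(events):
    """Per-client counts of DNS response codes. A client piling up NXDOMAIN
    answers usually points at a misconfigured resolver or stale hostnames,
    which is the 'is the service working' view the post talks about."""
    stats = {}
    for ev in events:
        if _get(ev, "network.protocol") != "dns":
            continue
        client = _get(ev, "client.ip")
        rcode = _get(ev, "dns.response_code") or "UNKNOWN"
        stats.setdefault(client, Counter())[rcode] += 1
    return {client: dict(c) for client, c in stats.items()}


def dhcp_leases(events):
    """Map client MAC -> assigned IP, taken only from DHCP ACK messages
    (DISCOVER/OFFER/REQUEST carry no confirmed lease)."""
    leases = {}
    for ev in events:
        if _get(ev, "network.protocol") != "dhcpv4":
            continue
        if _get(ev, "dhcpv4.option.message_type") != "ack":
            continue
        leases[_get(ev, "dhcpv4.client_mac")] = _get(ev, "dhcpv4.assigned_ip")
    return leases


def es_terms_query(field, size=5, protocol="dns", time_range="now-1h", client_ip=None):
    """Elasticsearch request body equivalent to top_terms(): filter on protocol,
    time window and (optionally) one source IP, then bucket by the field.
    Meant to be POSTed to /packetbeat-*/_search."""
    filters = [
        {"term": {"network.protocol": protocol}},
        {"range": {"@timestamp": {"gte": time_range}}},
    ]
    if client_ip:
        filters.append({"term": {"client.ip": client_ip}})
    return {
        "size": 0,
        "query": {"bool": {"filter": filters}},
        "aggs": {"top": {"terms": {"field": field, "size": size}}},
    }


if __name__ == "__main__":
    print("top destinations:", top_terms(SAMPLE_EVENTS, "dns.question.name", 3, "dns"))
    print("top clients:", top_terms(SAMPLE_EVENTS, "client.ip", 3, "dns"))
    print("rcodes by client:", dns_rcode_by_client(SAMPLE_EVENTS))
    print("leases:", dhcp_leases(SAMPLE_EVENTS))
    print(json.dumps(es_terms_query("dns.question.name", client_ip="192.168.1.20"), indent=2))
```

The local functions and es_terms_query() are two views of the same aggregation: run the former on exported documents to sanity-check what a panel should show, and paste the latter into the Grafana query inspector (or curl it against the index) to confirm the field names actually exist as keywords in your mapping.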

Another way of looking at DHCP… And yes… I see I have a Raspberry Pi with Wi-Fi problems; it must have a cheap power adapter giving low voltage…

But well, in an environment with more data, or more realistic data, you can visualize it in a more attractive way. Come on, I won't go on any longer; I hope this serves as inspiration if you need to collect the data from your DNS server or DHCP server.

A hug to everyone!

Author

nheobug@bujarra.com
Author of the Bujarra.com blog. Whatever you need, do not hesitate to contact me, I will try to help you whenever I can. Sharing is living ;) . Enjoy the documents!!!
