Collect BlueCat DDI logs

Supported in:

This parser handles both LEEF and non-LEEF formatted syslog messages from Bluecat DDI (DNS, DHCP, IPAM). It extracts fields from various log types (for example, named, dhcpd, audit, and CRON) using grok patterns and conditional logic, mapping them to the UDM based on the log type and populating DNS, DHCP, or user-related fields accordingly.

Before you begin

  • Ensure that you have a Google Security Operations instance.
  • Ensure that you are using Windows 2016 or later, or a Linux host with systemd.
  • If running behind a proxy, ensure firewall ports are open.
  • Ensure that you have privileged access to Bluecat.

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer ID from the Organization Details section.

Install BindPlane Agent

  1. For Windows installation, run the following script:
    msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
  2. For Linux installation, run the following script:
    sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
  3. Additional installation options can be found in this installation guide.

Configure BindPlane Agent to ingest Syslog and send to Google SecOps

  1. Access the machine where BindPlane is installed.
  2. Edit the config.yaml file as follows:

    receivers:
        tcplog:
            # Replace the below port <54525> and IP <0.0.0.0> with your specific values
            listen_address: "0.0.0.0:54525" 
    
    exporters:
        chronicle/chronicle_w_labels:
            compression: gzip
            # Adjust the creds location below according the placement of the credentials file you downloaded
            creds: '{ json file for creds }'
            # Replace <customer_id> below with your actual ID that you copied
            customer_id: <customer_id>
            endpoint: malachiteingestion-pa.googleapis.com
            # You can apply ingestion labels below as preferred
            ingestion_labels:
            log_type: SYSLOG
            namespace: bluceat_ddi
            raw_log_field: body
    service:
        pipelines:
            logs/source0__chronicle_w_labels-0:
                receivers:
                    - tcplog
                exporters:
                    - chronicle/chronicle_w_labels
    
  3. Restart the BindPlane Agent to apply the changes:

    sudo systemctl restart bindplane
    

Configure Syslog on Bluecat DDI

  1. Sign in to the Bluecat Address Manager (BAM).
  2. From the configuration menu, select a configuration.
  3. Select the Servers tab.
  4. Under Servers, click the name of a BDDS.
  5. The Details tab for the server should open.
  6. Click the server name menu.
  7. Select Service Configuration.
  8. Click Service Type > Syslog (the Address Manager queries the server and returns the current values).
  9. In General, set the following values:
    • Syslog Server: the IP address of your Syslog server (Bindplane).
    • Syslog Port: the port of your Syslog server (Bindplane).
    • Syslog Transport: select either TCP or UDP (depending on your Bindplane configuration).
  10. Click Add.
    • The newly added syslog server will appear in the list.
  11. Click Update.

Configure Syslog Settings in BlueCat DDI

  1. Sign in to the BlueCat Address Manager.
  2. Go to Configuration > System Settings > Logging.
  3. In the Logging Settings, locate the Syslog Servers section.
  4. Click Add Syslog Server.
  5. Provide the required values:
    • Server Name: a unique name for the syslog server (for example, BindplaneServer).
    • IP Address: the IP address or hostname of the syslog server.
    • Protocol: select TCP, UDP (default), or TLS (based on your syslog configuration).
    • Port: specify the port for syslog communication (default: 514 for UDP/TCP, 6514 for TLS).
  6. Configure Logging Level. Choose the appropriate level based on your needs. Options include:
    • Emergency: critical issues that require immediate attention
    • Alert: alerts that need prompt action
    • Critical: critical conditions
    • Error: error events
    • Warning: warning events
    • Notice: normal but significant events
    • Info: informational messages
    • Debug: detailed debug information
  7. Optional: Add a custom Syslog facility to categorize logs (for example, local0 or local1).
  8. Save the configuration.

Apply Syslog Settings to DDI Appliances

  1. Navigate to Servers > Manage Servers.
  2. Select the DNS/DHCP servers where the syslog should be enabled.
  3. Click Edit Server.
  4. In the Logging section:
    • Select the syslog server you configured earlier.
    • Enable logging for specific services (For example, DNS queries or DHCP leases).
    • Save the changes.

UDM Mapping Table

Log field UDM mapping Logic
client_ip network.dhcp.ciaddr Extracted from the DHCPREQUEST message. Only populated for DHCPREQUEST messages.
client_mac principal.mac Extracted from DHCP messages (DHCPDISCOVER, DHCPREQUEST, DHCPRELEASE).
client_mac target.mac Extracted from DHCP messages (DHCPOFFER, DHCPNAK).
client_mac network.dhcp.chaddr Extracted from DHCP messages (DHCPREQUEST, DHCPOFFER, DHCPACK, DHCPNAK, DHCPRELEASE).
cmd target.process.command_line Extracted from CRON logs. Ampersands and spaces are removed.
description metadata.description Extracted from various log types, providing additional context.
description metadata.description Extracted from syslog-ng logs, providing additional context.
file_path target.file.full_path Extracted from various log types, representing the full path to a file.
file_path target.process.file.full_path Extracted from agetty logs, representing the full path to a file related to a process.
inner_message metadata.description Used as the description for GENERIC_EVENTs when the operation type is not defined and for MEM-MON logs.
metadata.event_type Determined by the parser based on the log type and content. Possible values include: NETWORK_DNS, NETWORK_DHCP, USER_LOGIN, USER_LOGOUT, USER_UNCATEGORIZED, GENERIC_EVENT, STATUS_UPDATE, NETWORK_CONNECTION. Always "BLUECAT_DDI".
metadata.vendor_name Always "Bluecat Networks".
metadata.product_name Always "Bluecat DDI".
metadata.event_timestamp Copied from the parsed timestamp of the log entry.
network.protocol Set to "DNS" for DNS logs, "DHCP" for DHCP logs.
network.dns.answers An array containing answer records. The data field within answers is populated with the target_ip if present.
network.dns.questions An array containing question records. The name field is populated with the target_host, the type field is derived from the query_type or question_type fields, and the class field is derived from the qclass field.
network.dns.recursive Set to "true" if the rec_flag is "+".
qclass network.dns.questions.class Extracted from DNS query logs and mapped to an integer value using the dns_query_class_mapping.include file.
query_type network.dns.questions.type Extracted from DNS query logs and mapped to an integer value using the dhcp_qtype_mapping.include file.
relay_ip intermediary.ip Extracted from DNS and DHCP logs, representing the IP address of a relay or intermediary server.
server_host target.hostname Extracted from various log types, representing the hostname of the server.
server_host network.dhcp.sname Extracted from DHCP logs, representing the server host name.
server_host principal.hostname Extracted from systemd, agetty, and some audit logs, representing the hostname of the principal.
server_ip target.ip Extracted from LEEF formatted logs, representing the IP address of the server.
src_ip principal.ip Extracted from various log types, representing the source IP address.
src_ip network.dhcp.yiaddr Used in DHCPINFORM messages to populate the yiaddr field.
src_port principal.port Extracted from various log types, representing the source port.
src_user principal.user.userid Extracted from CRON and audit logs, representing the user ID.
target_host target.hostname Extracted from various log types, representing the target hostname.
target_host network.dns.questions.name Used in DNS logs to populate the question name.
target_ip target.ip Extracted from various log types, representing the target IP address.
target_ip network.dhcp.ciaddr Used in BOOTREQUEST messages to populate the ciaddr field.
target_ip network.dns.answers.data Used in DNS logs to populate the answer data.
tgt_port target.port Extracted from syslog-ng logs, representing the target port.

Changes

2022-11-08

  • Added grok for newly ingested logs for log_type - "agetty", "syslog-ng", "systemd".
  • Added grok pattern for log_type - "named", "systemd", "CRON", "agetty", "syslog-ng" and its respective mappings for the fields in the log_type mentioned above.

2022-09-01

  • Modified event_type from "GENERIC_EVENT" to "USER_UNCATEGORIZED" to reduce generic percentage.

2022-08-16

  • Added UDM mapping
  • metadata.vendor_name to "Bluecat Networks"
  • metadata.product_name to "Bluecat DDI"

2022-05-05

  • Added checks for query_type field.