Collect Microsoft Windows DNS data

This document:

  • Describes the deployment architecture, the installation steps, and any required configuration that produces logs supported by the Chronicle parser for Microsoft Windows DNS events. For an overview of Chronicle data ingestion, see Data ingestion to Chronicle.
  • Includes information about how the parser maps fields in the original log to Chronicle Unified Data Model (UDM) fields.

The information in this document applies to the parser with the WINDOWS_DNS ingestion label. The ingestion label identifies which parser normalizes raw log data to structured UDM format.

Before you begin

  • Review the recommended deployment architecture.

    The following diagram illustrates the recommended core components in a deployment architecture to collect and send Microsoft Windows DNS events to Chronicle. Compare this information with your environment to make sure that these components are installed. Each customer deployment differs from this representation and may be more complex. The following are required:

    • Microsoft Windows DNS Server with DNS diagnostic logging enabled.
    • All systems configured with the UTC time zone.
    • NXLog installed on clustered Microsoft Windows servers to collect and forward logs to the central Microsoft Windows or Linux server.
    • Chronicle forwarder installed on the central Microsoft Windows or Linux server.

    Figure: Deployment architecture

  • Review the supported devices and versions.

    The Chronicle parser supports logs from the following Microsoft Windows Server versions. Microsoft Windows Server is released in the following editions: Foundation, Essentials, Standard, and Datacenter. The event schema of the logs generated by each edition does not differ.

    • Microsoft Windows Server 2019
    • Microsoft Windows Server 2016
    • Microsoft Windows Server 2012 R2

    The Chronicle parser supports logs collected by NXLog Enterprise Edition.

  • Review the supported log types. The Chronicle parser supports the following log types generated by Microsoft Windows DNS servers. For more information about these log types, see the Microsoft Windows DNS Logging and Diagnostics documentation. The parser supports logs generated in English and does not support logs generated in any other language.

    • Audit logs: for a description of this log type, see the Microsoft Windows audit logs documentation.
    • Analytic logs: for a description of this log type, see the Microsoft Windows analytic logs documentation.

  • Configure the Microsoft Windows DNS servers. See the Microsoft Windows documentation for information about installing and enabling DNS diagnostic logging.

  • Install and configure the central Windows or Linux server.

  • Configure all systems with the UTC time zone.

Configure NXLog and the Chronicle forwarder

  1. Install NXLog on each Microsoft Windows DNS server. Follow the NXLog documentation.
  2. Create a configuration file for each NXLog instance. Use the im_etw input module to collect DNS analytic logs and the im_msvistalog input module for audit logs.

    The following is an example NXLog configuration. Replace the <hostname> and <port> values with the details of the central Microsoft Windows or Linux server. To convert and parse the logs as JSON rather than XML, change the line Exec to_xml(); to Exec to_json();. For more information, see the NXLog documentation about the om_tcp module.

    define ROOT C:\Program Files\nxlog
    define WINDNS_OUTPUT_DESTINATION_ADDRESS <hostname>
    define WINDNS_OUTPUT_DESTINATION_PORT <port>
    
    Moduledir   %ROOT%\modules
    CacheDir    %ROOT%\data
    Pidfile     %ROOT%\data\nxlog.pid
    SpoolDir    %ROOT%\data
    LogFile     %ROOT%\data\nxlog.log
    
    <Extension syslog>
        Module      xm_syslog
    </Extension>
    
    # To collect XML logs, use the below NXLog module
    <Extension xml>
        Module      xm_xml
    </Extension>
    
    # To collect JSON logs, use the below NXLog module
    <Extension json>
        Module      xm_json
    </Extension>
    
    <Input eventlog>
        Module      im_etw
        Provider    Microsoft-Windows-DNSServer
    </Input>
    
    <Input auditeventlog>
        Module      im_msvistalog
        <QueryXML>
            <QueryList>
                <Query Id="0" Path="Microsoft-Windows-DNSServer/Audit">
                    <Select Path="Microsoft-Windows-DNSServer/Audit">*</Select>
                </Query>
            </QueryList>
        </QueryXML>
    </Input>
    
    <Output out_chronicle_windns>
        Module      om_tcp
        Host        %WINDNS_OUTPUT_DESTINATION_ADDRESS%
        Port        %WINDNS_OUTPUT_DESTINATION_PORT%
        Exec        $EventTime = integer($EventTime) / 1000;
        Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000;
        Exec        to_xml(); # To collect JSON, use to_json()
    </Output>
    
    <Route analytical_windns_to_chronicle>
        Path    eventlog => out_chronicle_windns
    </Route>
    
    <Route audit_windns_to_chronicle>
        Path    auditeventlog => out_chronicle_windns
    </Route>
    
  3. Install the Chronicle forwarder on the central Microsoft Windows or Linux server. See Installing and configuring the forwarder on Linux or Installing and configuring the forwarder on Microsoft Windows for information about installing and configuring the forwarder.

  4. Configure the Chronicle forwarder to send logs to Chronicle. The following is an example forwarder configuration.

      - syslog:
          common:
            enabled: true
            data_type: WINDOWS_DNS
            batch_n_seconds: 10
            batch_n_bytes: 1048576
          tcp_address: 0.0.0.0:10518
          connection_timeout_sec: 60
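
The NXLog configuration from step 2 and the forwarder configuration from step 4 have to agree on the port and the WINDOWS_DNS label, and every NXLog input needs a route to the output. The following pre-flight check is an added example, not part of the Chronicle or NXLog documentation; the function name, the host collector.example.test and the trimmed configuration strings are constructed for illustration.

```python
import re

# Constructed sample inputs: a trimmed copy of the NXLog configuration above
# with the placeholders filled in, and the forwarder snippet from step 4.
NXLOG_CONF = """
define WINDNS_OUTPUT_DESTINATION_ADDRESS collector.example.test
define WINDNS_OUTPUT_DESTINATION_PORT 10518
<Input eventlog>
    Module      im_etw
    Provider    Microsoft-Windows-DNSServer
</Input>
<Input auditeventlog>
    Module      im_msvistalog
</Input>
<Route analytical_windns_to_chronicle>
    Path    eventlog => out_chronicle_windns
</Route>
<Route audit_windns_to_chronicle>
    Path    auditeventlog => out_chronicle_windns
</Route>
"""
FORWARDER_YAML = """
  - syslog:
      common:
        enabled: true
        data_type: WINDOWS_DNS
      tcp_address: 0.0.0.0:10518
"""

def check_pipeline(nxlog_conf, forwarder_yaml):
    """Return a list of mismatches between the two files (empty list = consistent)."""
    problems = []
    defines = dict(re.findall(r"^[ \t]*define[ \t]+(\S+)[ \t]+(.+?)[ \t]*$", nxlog_conf, re.M))
    host = defines.get("WINDNS_OUTPUT_DESTINATION_ADDRESS", "")
    port = defines.get("WINDNS_OUTPUT_DESTINATION_PORT", "")
    for name, value in (("address", host), ("port", port)):
        if not value or value.startswith("<"):
            problems.append(f"NXLog destination {name} is unset or still a placeholder")
    listen = re.search(r"^[ \t]*tcp_address:[ \t]*\S*:(\d+)[ \t]*$", forwarder_yaml, re.M)
    if listen is None:
        problems.append("forwarder has no syslog tcp_address")
    elif port.isdigit() and listen.group(1) != port:
        problems.append(f"port mismatch: NXLog sends to {port}, forwarder listens on {listen.group(1)}")
    dtype = re.search(r"^[ \t]*data_type:[ \t]*(\S+)", forwarder_yaml, re.M)
    if dtype is None or dtype.group(1) != "WINDOWS_DNS":
        problems.append("forwarder data_type is not WINDOWS_DNS")
    # An <Input> that no <Route> references is collected but never forwarded.
    inputs = set(re.findall(r"<Input[ \t]+(\w+)>", nxlog_conf))
    routed = {name.strip()
              for lhs in re.findall(r"^[ \t]*Path[ \t]+(.+?)=>", nxlog_conf, re.M)
              for name in lhs.split(",")}
    problems += [f"input {name} is not routed to an output" for name in sorted(inputs - routed)]
    return problems

if __name__ == "__main__":
    for line in check_pipeline(NXLOG_CONF, FORWARDER_YAML) or ["configs are consistent"]:
        print(line)
```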
    

Field mapping reference: device log fields to UDM fields

This section describes how the parser maps original device log fields to Unified Data Model (UDM) fields.

Common fields

| NXLog field | UDM field | Comment |
|---|---|---|
| SourceName | metadata.vendor_name = "Microsoft"; metadata.product_name = "Windows DNS Server" | |
| EventID | security_result.rule_name | Stored as "EventID: %{EventID}". In events with Error and Warning level, the field is_alert is set to true. |
| Severity | security_result.severity | The values are mapped to the UDM field enum as follows: 0 (None) - UNKNOWN_SEVERITY; 1 (Critical) - INFORMATIONAL; 2 (Error) - ERROR; 3 (Warning) - ERROR; 4 (Informational) - INFORMATIONAL; 5 (Verbose) - INFORMATIONAL |
| EventTime | metadata.event_timestamp | |
| ExecutionProcessID | principal.process.pid / target.process.pid | Value stored in target.process.pid for the following Event IDs: 256, 259, 261, 263, 266, 268, 270, 272, 273, 275, 278, 279, 280. Value stored in principal.process.pid for all other Event IDs. |
| Channel | metadata.product_event_type | |
| Hostname | principal.hostname / target.hostname | Value stored in target.hostname for the following Event IDs: 256, 259, 261, 263, 266, 268, 270, 272, 273, 275, 278, 279, 280. Value stored in principal.hostname for all other Event IDs. |
| UserID | principal.user.windows_sid / target.user.windows_sid | Stored in target.user.windows_sid for the following Event IDs: 256, 259, 261, 263, 266, 268, 270, 272, 273, 275, 278, 279, 280. Stored in principal.user.windows_sid for all other Event IDs. |

Analytic logs

| Original log field | UDM field | Comment |
|---|---|---|
| AA | network.dns.authoritative | |
| Destination | target.ip / principal.ip | Populated in either principal or target. |
| InterfaceIP | target.ip / principal.ip | Stores the DNS server's IP address in target.ip for the following Event IDs: 256, 259, 261, 263, 266, 268, 270, 272, 273, 275, 278, 279, 280. Stored in principal.ip for all other Event IDs (DNS response). |
| PacketData | network.dns.answers.binary_data | |
| Port | target.port / principal.port | |
| QNAME | network.dns.questions.name | |
| QTYPE | network.dns.questions.type | |
| RCODE | network.dns.response_code | |
| RD | network.dns.recursion_desired | |
| Reason | security_result.summary | |
| Source | principal.ip / target.ip | Source IPv4/IPv6 address of the machine that initiated the DNS request. Stored in target.ip for Event ID 274. Stored in target.ip for Event ID 265 and 269. InterfaceIP contains the secondary server's IP address (principal) and Source (target) is the primary server's IP address. |
| TCP | network.ip_protocol | |
| XID | network.dns.id | |

Audit logs

| Original log field | UDM field | Notes |
|---|---|---|
| Name | target.resource.name | Value is collected from events with Event ID 512. |
| Policy | target.resource.name | Value is collected from events with Event ID 577, 578, 579, 580, 581, and 582, which are mapped to the SETTING_* event types. |
| QNAME | network.dns.questions.name | |
| QTYPE | network.dns.questions.type | |
| RecursionScope | target.resource.name | Value is collected from events with Event IDs mapped to SETTING_* event types. |
| Scope | target.resource.name | Value is collected from events with Event IDs mapped to SETTING_* event types. |
| Setting | target.resource.name | Value is collected from events with Event IDs mapped to SETTING_* event types. |
| Source | principal.ip | |
| Zone | target.resource.name | Value is collected from events with Event IDs mapped to SETTING_* event types. |
| ZoneScope | target.resource.name | Value is collected from events with Event IDs mapped to SETTING_* event types. |

Field mapping reference: Event ID to UDM event type

This section describes how the parser maps Event IDs to UDM event types. In general, events are mapped to the metadata.event_type value NETWORK_DNS, except for the Event IDs described in the following section.

| Event ID | Event | UDM event type | Notes |
|---|---|---|---|
| 275 | XFR_NOTIFY_ACK_IN: Source=%1; InterfaceIP=%2; PacketData=%4 | GENERIC_EVENT | |
| 276 | IXFR_RESP_OUT: TCP=%1; InterfaceIP=%2; Destination=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; RCODE=%8; PacketData=%10 | GENERIC_EVENT | |
| 512 | | SETTING_CREATION | |
| 513 | The zone %1 was deleted. | SETTING_DELETION | |
| 514 | The zone %1 was updated. The %2 setting has been set to %3. | SETTING_MODIFICATION | |
| 515 | A resource record of type %1, name %2, TTL %3 and RDATA %5 was created in scope %7 of zone %6. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 516 | A resource record of type %1, name %2 and RDATA %5 was deleted from scope %7 of zone %6. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 517 | All resource records of type %1, name %2 were deleted from scope %4 of zone %3. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 518 | All resource records at Node name %1 were deleted from scope %3 of zone %2. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 519 | A resource record of type %1, name %2, TTL %3 and RDATA %5 was created in scope %7 of zone %6 via dynamic update from IP Address %8. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 520 | A resource record of type %1, name %2 and RDATA %5 was deleted from scope %7 of zone %6 via dynamic update from IP Address %8. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 521 | A resource record of type %1, name %2, TTL %3 and RDATA %5 was scavenged from scope %7 of zone %6. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 522 | The scope %1 was created in zone %2. | SETTING_CREATION | |
| 523 | The scope %1 was deleted in zone %2. | SETTING_DELETION | |
| 525 | The zone %1 was signed with following properties: DenialOfExistence=%2; DistributeTrustAnchor=%3; DnsKeyRecordSetTtl=%4; DSRecordGenerationAlgorithm=%5; DSRecordSetTtl=%6; EnableRfc5011KeyRollover=%7; IsKeyMasterServer=%8; KeyMasterServer=%9; NSec3HashAlgorithm=%10; NSec3Iterations=%11; NSec3OptOut=%12; NSec3RandomSaltLength=%13; NSec3UserSalt=%14; ParentHasSecureDelegation=%15; PropagationTime=%16; SecureDelegationPollingPeriod=%17; SignatureInceptionOffset=%18. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 526 | The zone %1 was unsigned. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 527 | The zone %1 was re-signed with following properties: DenialOfExistence=%2; DistributeTrustAnchor=%3; DnsKeyRecordSetTtl=%4; DSRecordGenerationAlgorithm=%5; DSRecordSetTtl=%6; EnableRfc5011KeyRollover=%7; IsKeyMasterServer=%8; KeyMasterServer=%9; NSec3HashAlgorithm=%10; NSec3Iterations=%11; NSec3OptOut=%12; NSec3RandomSaltLength=%13; NSec3UserSalt=%14; ParentHasSecureDelegation=%15; PropagationTime=%16; SecureDelegationPollingPeriod=%17; SignatureInceptionOffset=%18. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 528 | Rollover was started on the type %1 with GUID %2 of zone %3. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 529 | Rollover was completed on the type %1 with GUID %2 of zone %3. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 530 | The type %1 with GUID %2 of zone %3 was marked for retiral. The key will be removed after the rollover completion. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 531 | Manual rollover was triggered on the type %1 with GUID %2 of zone %3. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 533 | The keys signing key with GUID %1 on zone %2 that was waiting for a Delegation Signer(DS) update on the parent has been forced to move to rollover completion. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 534 | DNSSEC setting metadata was exported %1 key signing key metadata from zone %2. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 535 | DNSSEC setting metadata was imported on zone %1. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 536 | A record of type %1, QNAME %2 was purged from scope %3 in cache. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 537 | The forwarder list on scope %2 has been reset to %1. | SETTING_MODIFICATION | target.resource.name is set to "Forwarder list on scope: %{scope_name}" |
| 540 | The root hints have been modified. | SETTING_MODIFICATION | target.resource.name populated with text "Root hints" |
| 541 | The setting %1 on scope %2 has been set to %3. | SETTING_MODIFICATION | |
| 542 | The scope %1 of DNS server was created. | SETTING_CREATION | |
| 543 | The scope %1 of DNS server was deleted. | SETTING_DELETION | |
| 544 | The DNSKEY with Key Protocol %2, Base64 Data %4 and Crypto Algorithm %5 has been added at the trust point %1. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 545 | The DS with Key Tag: %2, Digest Type: %3, Digest: %5 and Crypto Algorithm: %6 has been added at the trust point %1. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 546 | The trust point at %1 of type %2 has been removed. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 547 | The trust anchor for the root zone has been added. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 548 | A request to restart the DNS server service has been received. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 549 | The debug logs have been cleared from %1 on DNS server. | SYSTEM_AUDIT_LOG_WIPE | |
| 550 | The in-memory contents of all the zones on DNS server have been flushed to their respective files. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 551 | All the statistical data for the DNS server has been cleared. | SYSTEM_AUDIT_LOG_WIPE | |
| 552 | A resource record scavenging cycle has been started on the DNS Server. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 553 | %1 | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 554 | The resource record scavenging cycle has been terminated on the DNS Server. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 555 | The DNS server has been prepared for demotion by removing references to it from all zones stored in the Active Directory. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 556 | The information about the root hints on the DNS server has been written back to the persistent storage. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 557 | The addresses on which DNS server will listen has been changed to %1. | SETTING_MODIFICATION | target.resource.name populated with text "Listen Addresses" |
| 558 | An immediate RFC 5011 active refresh has been scheduled for all trust points. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 559 | The zone %1 is paused. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 560 | The zone %1 is resumed. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 561 | The data for zone %1 has been reloaded from %2. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 562 | The data for zone %1 has been refreshed from the master server %2. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 563 | The secondary zone %1 has been expired and new data has been requested from the master server %2. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 564 | The zone %1 has been reloaded from the Active Directory. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 565 | The content of the zone %1 has been written to the disk and the notification has been sent to all the notify servers. | SETTING_MODIFICATION | |
| 566 | All DNS records at the node %1 in the zone %2 will have their aging time stamp set to the current time.%3 | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 567 | The Active Directory-integrated zone %1 has been updated. Only %2 can run scavenging. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 568 | The key master role for zone %1 has been %2.%3 | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 569 | A %1 singing key (%2) descriptor has been added on the zone %3 with following properties: KeyId=%4; KeyType=%5; CurrentState=%6; KeyStorageProvider=%7; StoreKeysInAD=%8; CryptoAlgorithm=%9; KeyLength=%10; DnsKeySignatureValidityPeriod=%11; DSSignatureValidityPeriod=%12; ZoneSignatureValidityPeriod=%13; InitialRolloverOffset=%14; RolloverPeriod=%15; RolloverType=%16; NextRolloverAction=%17; LastRolloverTime=%18; NextRolloverTime=%19; CurrentRolloverStatus=%20; ActiveKey=%21; StandbyKey=%22; NextKey=%23. The zone will be resigned with the %2 generated with these properties. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 570 | A %1 singing key (%2) descriptor with GUID %3 has been updated on the zone %4. The properties of this %2 descriptor have been set to: KeyId=%5; KeyType=%6; CurrentState=%7; KeyStorageProvider=%8; StoreKeysInAD=%9; CryptoAlgorithm=%10; KeyLength=%11; DnsKeySignatureValidityPeriod=%12; DSSignatureValidityPeriod=%13; ZoneSignatureValidityPeriod=%14; InitialRolloverOffset=%15; RolloverPeriod=%16; RolloverType=%17; NextRolloverAction=%18; LastRolloverTime=%19; NextRolloverTime=%20; CurrentRolloverStatus=%21; ActiveKey=%22; StandbyKey=%23; NextKey=%24. The zone will be resigned with the %2 generated with these properties. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 571 | A %1 singing key (%2) descriptor %4 has been removed from the zone %3. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 572 | The state of the %1 signing key (%2) %3 has been modified on zone %4. The new active key is %5, standby key is %6 and next key is %7. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 573 | A delegation for %1 in the scope %2 of zone %3 with the name server %4 has been added. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 574 | The client subnet record with name %1 value %2 has been added to the client subnet map. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 575 | The client subnet record with name %1 has been deleted from the client subnet map. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 576 | The client subnet record with name %1 has been updated from the client subnet map. The new client subnets that it refers to are %2. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 577 | A server level policy %6 for %1 has been created on server %2 with following properties: ProcessingOrder:%3; Criteria:%4; Action:%5. | SETTING_CREATION | |
| 578 | A zone level policy %8 for %1 has been created on zone %6 on server %2 with following properties: ProcessingOrder:%3; Criteria:%4; Action:%5; Scopes:%7. | SETTING_CREATION | |
| 579 | A forwarding policy %6 has been created on server %2 with following properties: ProcessingOrder:%3; Criteria:%4; Action:%5; Scope:%1. | SETTING_CREATION | |
| 580 | The server level policy %1 has been deleted from server %2. | SETTING_DELETION | |
| 581 | The zone level policy %1 has been deleted from zone %3 on server %2. | SETTING_DELETION | |
| 582 | The forwarding policy %1 has been deleted from server %2. | SETTING_DELETION | |
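
The mapping rules from the field and event type tables above, written out as an added Python sketch so you can predict which UDM fields a given event populates before writing a detection rule. This is not Chronicle's parser code: the flat dotted-key output, the function names and the sample events are constructed for illustration, Severity is assumed to carry the numeric level listed in the Common fields table, and Source, Destination and Port are left out.

```python
import json

# Event IDs whose Hostname, UserID, ExecutionProcessID and InterfaceIP go to the
# target side; for every other Event ID they go to the principal side.
TARGET_SIDE_IDS = {256, 259, 261, 263, 266, 268, 270, 272, 273, 275, 278, 279, 280}
SEVERITY = {0: "UNKNOWN_SEVERITY", 1: "INFORMATIONAL", 2: "ERROR",
            3: "ERROR", 4: "INFORMATIONAL", 5: "INFORMATIONAL"}
EVENT_TYPES = {
    "GENERIC_EVENT": {275, 276},
    "SETTING_CREATION": {512, 522, 542, 577, 578, 579},
    "SETTING_DELETION": {513, 523, 543, 580, 581, 582},
    "SETTING_MODIFICATION": {514, 537, 540, 541, 557, 565},
    "SYSTEM_AUDIT_LOG_WIPE": {549, 551},
    "SYSTEM_AUDIT_LOG_UNCATEGORIZED": {
        *range(515, 522), *range(525, 532), *range(533, 537), *range(544, 549),
        550, *range(552, 557), *range(558, 565), *range(566, 577)},
}
SIDED = {"Hostname": "hostname", "UserID": "user.windows_sid",
         "ExecutionProcessID": "process.pid", "InterfaceIP": "ip"}
DNS = {"QNAME": "questions.name", "QTYPE": "questions.type", "RCODE": "response_code",
       "XID": "id", "AA": "authoritative", "RD": "recursion_desired"}

def event_type(event_id):
    """UDM event type for an Event ID, per the Event ID table."""
    for name, ids in EVENT_TYPES.items():
        if event_id in ids:
            return name
    return "NETWORK_DNS"  # default for every Event ID the table does not list

def expected_udm(raw_json):
    """Map one NXLog JSON event to the UDM fields the tables say it populates."""
    ev = json.loads(raw_json)
    eid, level = int(ev["EventID"]), int(ev.get("Severity", 0))
    side = "target" if eid in TARGET_SIDE_IDS else "principal"
    udm = {"metadata.vendor_name": "Microsoft",
           "metadata.product_name": "Windows DNS Server",
           "metadata.event_type": event_type(eid),
           "security_result.rule_name": f"EventID: {eid}",
           "security_result.severity": SEVERITY.get(level, "UNKNOWN_SEVERITY"),
           "is_alert": level in (2, 3)}  # Error and Warning levels
    udm.update({f"{side}.{dst}": ev[src] for src, dst in SIDED.items() if src in ev})
    udm.update({f"network.dns.{dst}": ev[src] for src, dst in DNS.items() if src in ev})
    return udm

# Constructed sample events: field names come from the tables, values are invented.
QUERY = json.dumps({"EventID": 256, "Severity": 4, "Hostname": "dns01.example.test",
                    "InterfaceIP": "192.0.2.53", "QNAME": "www.example.test.", "QTYPE": "1"})
WIPE = json.dumps({"EventID": 549, "Severity": 3, "Hostname": "dns01.example.test",
                   "UserID": "S-1-5-18"})

if __name__ == "__main__":
    for sample in (QUERY, WIPE):
        print(json.dumps(expected_udm(sample), indent=2))
```

Event IDs 549 and 551 are the only ones in the table that map to SYSTEM_AUDIT_LOG_WIPE, so a rule keyed on that event type covers both.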