Collecter les données DNS Microsoft Windows
Ce document:
- Décrit l'architecture de déploiement et les étapes d'installation, ainsi que toute configuration requise qui génère des journaux compatibles avec l'analyseur Chronicle pour les événements DNS Windows Microsoft. Pour en savoir plus sur l'ingestion de données Chronicle, consultez la page Ingestion de données vers Chronicle.
- Inclut des informations sur la manière dont l'analyseur mappe les champs du journal d'origine sur les champs Chronicle Unified Data Model.
Les informations contenues dans ce document s'appliquent à l'analyseur portant le libellé d'ingestion WINDOWS_DNS. L'étiquette d'ingestion identifie l'analyseur qui normalise les données de journaux brutes au format UDM structuré.
Avant de commencer
Examinez l'architecture de déploiement recommandée.
Le schéma suivant illustre les composants principaux recommandés dans une architecture de déploiement pour collecter et envoyer des événements DNS Microsoft Windows à Chronicle. Comparez ces informations avec votre environnement pour vous assurer que ces composants sont installés. Chaque déploiement client sera différent de cette représentation et pourra être plus complexe. Les informations suivantes sont obligatoires:
- Microsoft Windows DNS Server avec journalisation des diagnostics DNS activée.
- Tous les systèmes configurés avec le fuseau horaire UTC
- NXLog installé sur des serveurs Microsoft Windows en cluster pour collecter et transférer les journaux vers le serveur Microsoft Windows ou Linux central.
- Redirection de Chronicle installée sur le serveur Microsoft Windows ou Linux central.
Examinez les appareils et les versions compatibles.
L'analyseur Chronicle est compatible avec les journaux des versions suivantes de Microsoft Windows Server. Microsoft Windows Server est publié avec les éditions suivantes : Foundation, Essentials, Standard et Datacenter. Le schéma d'événement des journaux générés par chaque édition ne diffère pas.
- Microsoft Windows Server 2019
- Microsoft Windows Server 2016
- Microsoft Windows Server 2012 R2
L'analyseur Chronicle est compatible avec les journaux collectés par NXLog Enterprise.
Examinez les types de journaux compatibles. L'analyseur Chronicle est compatible avec les types de journaux suivants, générés par les serveurs DNS Microsoft Windows. Pour en savoir plus sur ces types de journaux, consultez la documentation Journalisation et diagnostic DNS de Microsoft Windows. Il est compatible avec les journaux générés en anglais et non avec les journaux générés dans une langue autre que l'anglais.
- Journaux d'audit: pour obtenir une description de ce type de journal, consultez la documentation sur les journaux d'audit Microsoft Windows.
- Journaux Analytics: pour obtenir une description de ce type de journal, consultez la documentation Journaux Analytics de Microsoft Windows.
Configurez les serveurs DNS Microsoft Windows. Consultez la documentation Microsoft Windows pour en savoir plus sur l'installation et l'activation de la journalisation des diagnostics DNS.
Installer et configurer le serveur central Windows ou Linux
Configurez tous les systèmes avec le fuseau horaire UTC.
Configurer le redirecteur NXLog et Chronicle
- Installer NXLog sur chaque serveur DNS Microsoft Windows Suivez la documentation NXLog.
Créez un fichier de configuration pour chaque instance NXLog. Utilisez le module d'entrée im_etw pour extraire les journaux d'analyse DNS et le module d'entrée im_msvistalog pour les journaux d'audit.
- Pour en savoir plus sur le module d'entrée im_etw, consultez la section Tracer les événements pour Microsoft Windows (im_etw), y compris sur la configuration de NXLog for Microsoft Windows DNS.
- Pour en savoir plus sur le module d'entrée im_msvistalog, consultez la section Journal des événements pour Microsoft Windows 2008/Vista et versions ultérieures (im_msvistalog).
Voici un exemple de configuration NXLog. Remplacez les valeurs
<hostname>et<port>par des informations sur le serveur Microsoft Windows ou Linux central. Pour convertir et analyser les journaux au format JSON plutôt qu'en XML, remplacez la ligneExec to_xml();parExec to_json();. Pour en savoir plus, consultez la documentation NXLog concernant le module om_tcp.define ROOT C:\Program Files\nxlog define WINDNS_OUTPUT_DESTINATION_ADDRESS <hostname> define WINDNS_OUTPUT_DESTINATION_PORT <port> Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension syslog> Module xm_syslog </Extension> # To collect XML logs, use the below NXLog module <Extension xml> Module xm_xml </Extension> # To collect JSON logs, use the below NXLog module <Extension json> Module xm_json </Extension> <Input eventlog> Module im_etw Provider Microsoft-Windows-DNSServer </Input> <Input auditeventlog> Module im_msvistalog <QueryXML> <QueryList> <Query Id="0" Path="Microsoft-Windows-DNSServer/Audit"> <Select Path="Microsoft-Windows-DNSServer/Audit">*</Select> </Query> </QueryList> </QueryXML> </Input> <Output out_chronicle_windns> Module om_tcp Host %WINDNS_OUTPUT_DESTINATION_ADDRESS% Port %WINDNS_OUTPUT_DESTINATION_PORT% Exec $EventTime = integer($EventTime) / 1000; Exec $EventReceivedTime = integer($EventReceivedTime) / 1000; Exec to_xml(); # To collect JSON, use to_json() </Output> <Route analytical_windns_to_chronicle> Path eventlog => out_chronicle_windns </Route> <Route audit_windns_to_chronicle> Path auditeventlog => out_chronicle_windns </Route>Installez le redirecteur Chronicle sur le serveur Microsoft Windows ou Linux central. Consultez Installer et configurer le redirecteur sous Linux ou Installer et configurer le redirecteur sous Microsoft Windows pour en savoir plus sur l'installation et la configuration du redirecteur.
Configurez le redirecteur Chronicle pour qu'il envoie les journaux à Chronicle. Voici un exemple de configuration de redirecteur.
- syslog: common: enabled: true data_type: WINDOWS_DNS batch_n_seconds: 10 batch_n_bytes: 1048576 tcp_address: 0.0.0.0:10518 connection_timeout_sec: 60
Référence du mappage de champs: champs de journal d'appareil vers champs UDM
Cette section décrit comment l'analyseur mappe les champs de journaux d'appareils d'origine avec les champs UDM (Unified Data Model).
Champs courants
| Champ NXLog | Champ UDM | Commentaire |
|---|---|---|
| SourceName | metadata.vendor_name = "Microsoft" metadata.product_name = "Windows DNS Server" |
|
| EventID | security_result.rule_name | Stored as "EventID: %{EventID}". In events with Error and Warning level, the field is_alert is set to true. |
| Severity | security_result.severity | The values are mapped to the UDM field enum as follows: 0 (None) - UNKNOWN_SEVERITY 1 (Critical) - INFORMATIONAL 2 (Error) - ERROR 3 (Warning) - ERROR 4 (Informational) - INFORMATIONAL 5 (Verbose) - INFORMATIONAL |
| EventTime | metadata.event_timestamp | |
| ExecutionProcessID | principal.process.pid / target.process.pid | Value stored in target.process.pid for the following Event IDs 256, 259,
261, 263, 266, 268, 270, 272, 273, 275, 278, 279, 280. Value stored in principal.process.pid for all other Event IDs. |
| Channel | metadata.product_event_type | |
| Hostname | principal.hostname / target.hostname | Value stored in target.hostname for the following Event IDs: 256, 259, 261,
263, 266, 268, 270, 272, 273, 275, 278, 279, 280. Value stored in principal.hostname from all other Event IDs. |
| UserID | principal.user.windows_sid / target.user.windows_sid | Stored in target.user.windows_sid for the following Event IDs: 256, 259,
261, 263, 266, 268, 270, 272,273, 275, 278, 279, 280. Stored in principal.user.windows_sid for all other Event IDs |
Journaux analytiques
| Champ de journal d'origine | Champ UDM | Commentaire |
|---|---|---|
| AA | network.dns.authoritative | |
| Destination | target.ip / principal.ip | Populated in either principal and target. |
| InterfaceIP | target.ip / principal.ip | Stores DNS Server's IP address in target.ip for following Event IDs, 256,
259, 261, 263, 266, 268, 270, 272, 273, 275, 278, 279, 280. Stored in principal.ip for all other Event IDs (DNS response). |
| PacketData | network.dns.answers.binary_data | |
| Port | target.port / principal.port | |
| QNAME | network.dns.questions.name | |
| QTYPE | network.dns.questions.type | |
| RCODE | network.dns.response_code | |
| RD | network.dns.recursion_desired | |
| Reason | security_result.summary | |
| Source | principal.ip / target.ip | Source IPv4/IPv6 address of the machine that initiated the DNS request. Stored in target.ip for Event ID 274. Stored in target.ip for Event ID 265 and 269, . InterfaceIP contains the secondary server's IP address (principal) and Source (target) is the primary server's IP address. |
| TCP | network.ip_protocol | |
| XID | network.dns.id |
Journaux d'audit
| Champ de journal d'origine | Champ UDM | Remarque |
|---|---|---|
| Name | target.resource.name | Value is collected from events with Event ID 512. |
| Policy | target.resource.name | Value is collected from events with Event ID 577, 578, 579, 580, 581, and 582, which are mapped to the SETTING_* event types. |
| QNAME | network.dns.questions.name | |
| QTYPE | network.dns.questions.type | |
| RecursionScope | target.resource.name | Value is collected from events with Event IDs mapped to SETTING_* event types. |
| Scope | target.resource.name | Value is collected from events with Event IDs mapped to SETTING_* event types. |
| Setting | target.resource.name | Value is collected from events with Event IDs mapped to SETTING_* event types. |
| Source | principal.ip | |
| Zone | target.resource.name | Value is collected from events with Event IDs mapped to SETTING_* event types. |
| ZoneScope | target.resource.name | Value is collected from events with Event IDs mapped to SETTING_* event types. |
Référence de mappage de champ: ID d'événement vers type d'événement UDM
Cette section décrit comment l'analyseur mappe les ID d'événement sur les événements Event_types. En général, les événements sont mappés à "network_DNS metadata.event_type", sauf pour les ID d'événement présentés dans la section suivante.
| ID d'événement | Texte de l'événement | Type d'événement UDM | Remarques |
|---|---|---|---|
| 275 | XFR_NOTIFY_ACK_IN: Source=%1; InterfaceIP=%2; PacketData=%4 | GENERIC_EVENT | |
| 276 | IXFR_RESP_OUT: TCP=%1; InterfaceIP=%2; Destination=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; RCODE=%8; PacketData=%10 | GENERIC_EVENT | |
| 512 | SETTING_CREATION | ||
| 513 | The zone %1 was deleted. | SETTING_DELETION | |
| 514 | The zone %1 was updated. The %2 setting has been set to %3. | SETTING_MODIFICATION | |
| 515 | A resource record of type %1, name %2, TTL %3 and RDATA %5 was created in scope %7 of zone %6. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 516 | A resource record of type %1, name %2 and RDATA %5 was deleted from scope %7 of zone %6. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 517 | All resource records of type %1, name %2 were deleted from scope %4 of zone %3. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 518 | All resource records at Node name %1 were deleted from scope %3 of zone %2. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 519 | A resource record of type %1, name %2, TTL %3 and RDATA %5 was created in scope %7 of zone %6 via dynamic update from IP Address %8. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 520 | A resource record of type %1, name %2 and RDATA %5 was deleted from scope %7 of zone %6 via dynamic update from IP Address %8. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 521 | A resource record of type %1, name %2, TTL %3 and RDATA %5 was scavenged from scope %7 of zone %6. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 522 | The scope %1 was created in zone %2. | SETTING_CREATION | |
| 523 | The scope %1 was deleted in zone %2. | SETTING_DELETION | |
| 525 | The zone %1 was signed with following properties: DenialOfExistence=%2; DistributeTrustAnchor=%3; DnsKeyRecordSetTtl=%4; DSRecordGenerationAlgorithm=%5; DSRecordSetTtl=%6; EnableRfc5011KeyRollover=%7; IsKeyMasterServer=%8; KeyMasterServer=%9; NSec3HashAlgorithm=%10; NSec3Iterations=%11; NSec3OptOut=%12; NSec3RandomSaltLength=%13; NSec3UserSalt=%14; ParentHasSecureDelegation=%15; PropagationTime=%16; SecureDelegationPollingPeriod=%17; SignatureInceptionOffset=%18. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 526 | The zone %1 was unsigned. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 527 | The zone %1 was re-signed with following properties: DenialOfExistence=%2; DistributeTrustAnchor=%3; DnsKeyRecordSetTtl=%4; DSRecordGenerationAlgorithm=%5; DSRecordSetTtl=%6; EnableRfc5011KeyRollover=%7; IsKeyMasterServer=%8; KeyMasterServer=%9; NSec3HashAlgorithm=%10; NSec3Iterations=%11; NSec3OptOut=%12; NSec3RandomSaltLength=%13; NSec3UserSalt=%14; ParentHasSecureDelegation=%15; PropagationTime=%16; SecureDelegationPollingPeriod=%17; SignatureInceptionOffset=%18. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 528 | Rollover was started on the type %1 with GUID %2 of zone %3. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 529 | Rollover was completed on the type %1 with GUID %2 of zone %3. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 530 | The type %1 with GUID %2 of zone %3 was marked for retiral. The key will be removed after the rollover completion. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 531 | Manual rollover was triggered on the type %1 with GUID %2 of zone %3. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 533 | The keys signing key with GUID %1 on zone %2 that was waiting for a Delegation Signer(DS) update on the parent has been forced to move to rollover completion. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 534 | DNSSEC setting metadata was exported %1 key signing key metadata from zone %2. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 535 | DNSSEC setting metadata was imported on zone %1. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 536 | A record of type %1, QNAME %2 was purged from scope %3 in cache. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 537 | The forwarder list on scope %2 has been reset to %1. | SETTING_MODIFICATION | target.resource.name is set to "Forwarder list on scope: %{scope_name}" |
| 540 | The root hints have been modified. | SETTING_MODIFICATION | target.resource.name populated with text "Root hints" |
| 541 | The setting %1 on scope %2 has been set to %3. | SETTING_MODIFICATION | |
| 542 | The scope %1 of DNS server was created. | SETTING_CREATION | |
| 543 | The scope %1 of DNS server was deleted. | SETTING_DELETION | |
| 544 | The DNSKEY with Key Protocol %2, Base64 Data %4 and Crypto Algorithm %5 has been added at the trust point %1. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 545 | The DS with Key Tag: %2, Digest Type: %3, Digest: %5 and Crypto Algorithm: %6 has been added at the trust point %1. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 546 | The trust point at %1 of type %2 has been removed. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 547 | The trust anchor for the root zone has been added. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 548 | A request to restart the DNS server service has been received. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 549 | The debug logs have been cleared from %1 on DNS server. | SYSTEM_AUDIT_LOG_WIPE | |
| 550 | The in-memory contents of all the zones on DNS server have been flushed to their respective files. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 551 | All the statistical data for the DNS server has been cleared. | SYSTEM_AUDIT_LOG_WIPE | |
| 552 | A resource record scavenging cycle has been started on the DNS Server. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 553 | %1 | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 554 | The resource record scavenging cycle has been terminated on the DNS Server. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 555 | The DNS server has been prepared for demotion by removing references to it from all zones stored in the Active Directory. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 556 | The information about the root hints on the DNS server has been written back to the persistent storage. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 557 | The addresses on which DNS server will listen has been changed to %1. | SETTING_MODIFICATION | target.resource.name populated with text "Listen Addresses" |
| 558 | An immediate RFC 5011 active refresh has been scheduled for all trust points. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 559 | The zone %1 is paused. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 560 | The zone %1 is resumed. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 561 | The data for zone %1 has been reloaded from %2. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 562 | The data for zone %1 has been refreshed from the master server %2. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 563 | The secondary zone %1 has been expired and new data has been requested from the master server %2. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 564 | The zone %1 has been reloaded from the Active Directory. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 565 | The content of the zone %1 has been written to the disk and the notification has been sent to all the notify servers. | SETTING_MODIFICATION | |
| 566 | All DNS records at the node %1 in the zone %2 will have their aging time stamp set to the current time.%3 | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 567 | The Active Directory-integrated zone %1 has been updated. Only %2 can run scavenging. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 568 | The key master role for zone %1 has been %2.%3 | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 569 | A %1 singing key (%2) descriptor has been added on the zone %3 with following properties: KeyId=%4; KeyType=%5; CurrentState=%6; KeyStorageProvider=%7; StoreKeysInAD=%8; CryptoAlgorithm=%9; KeyLength=%10; DnsKeySignatureValidityPeriod=%11; DSSignatureValidityPeriod=%12; ZoneSignatureValidityPeriod=%13; InitialRolloverOffset=%14; RolloverPeriod=%15; RolloverType=%16; NextRolloverAction=%17; LastRolloverTime=%18; NextRolloverTime=%19; CurrentRolloverStatus=%20; ActiveKey=%21; StandbyKey=%22; NextKey=%23. The zone will be resigned with the %2 generated with these properties. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 570 | A %1 singing key (%2) descriptor with GUID %3 has been updated on the zone %4. The properties of this %2 descriptor have been set to: KeyId=%5; KeyType=%6; CurrentState=%7; KeyStorageProvider=%8; StoreKeysInAD=%9; CryptoAlgorithm=%10; KeyLength=%11; DnsKeySignatureValidityPeriod=%12; DSSignatureValidityPeriod=%13; ZoneSignatureValidityPeriod=%14; InitialRolloverOffset=%15; RolloverPeriod=%16; RolloverType=%17; NextRolloverAction=%18; LastRolloverTime=%19; NextRolloverTime=%20; CurrentRolloverStatus=%21; ActiveKey=%22; StandbyKey=%23; NextKey=%24. The zone will be resigned with the %2 generated with these properties. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 571 | A %1 singing key (%2) descriptor %4 has been removed from the zone %3. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 572 | The state of the %1 signing key (%2) %3 has been modified on zone %4. The new active key is %5, standby key is %6 and next key is %7. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 573 | A delegation for %1 in the scope %2 of zone %3 with the name server %4 has been added. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 574 | The client subnet record with name %1 value %2 has been added to the client subnet map. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 575 | The client subnet record with name %1 has been deleted from the client subnet map. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 576 | The client subnet record with name %1 has been updated from the client subnet map. The new client subnets that it refers to are %2. | SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| 577 | A server level policy %6 for %1 has been created on server %2 with following properties: ProcessingOrder:%3; Criteria:%4; Action:%5. | SETTING_CREATION | |
| 578 | A zone level policy %8 for %1 has been created on zone %6 on server %2 with following properties: ProcessingOrder:%3; Criteria:%4; Action:%5; Scopes:%7. | SETTING_CREATION | |
| 579 | A forwarding policy %6 has been created on server %2 with following properties: ProcessingOrder:%3; Criteria:%4; Action:%5; Scope:%1. | SETTING_CREATION | |
| 580 | The server level policy %1 has been deleted from server %2. | SETTING_DELETION | |
| 581 | The zone level policy %1 has been deleted from zone %3 on server %2. | SETTING_DELETION | |
| 582 | The forwarding policy %1 has been deleted from server %2. | SETTING_DELETION |