Mantenha tudo organizado com as coleções Salve e categorize o conteúdo com base nas suas preferências.

Coletar dados de DNS do Microsoft Windows

Este documento:

  • Descreve a arquitetura de implantação e as etapas da instalação, além de qualquer configuração necessária que produza registros compatíveis com o Chronicle Parser para eventos DNS do Microsoft Windows. Para uma visão geral da ingestão de dados do Chronicle, consulte Ingestão de dados para o Chronicle.
  • Inclui informações sobre como o analisador mapeia campos no registro original para campos do modelo de dados unificado do Chronicle.

As informações neste documento se aplicam ao analisador com o rótulo de ingestão WINDOWS_DNS. O identificador de processamento identifica qual analisador analisa os dados brutos de registro no formato UDM estruturado.

Antes de começar

  • Analisar a arquitetura de implantação recomendada.

    O diagrama a seguir ilustra os principais componentes recomendados em uma arquitetura de implantação para coletar e enviar eventos de DNS do Microsoft Windows para o Chronicle. Compare essas informações com o ambiente para confirmar se os componentes estão instalados. Cada implantação do cliente será diferente dessa representação e poderá ser mais complexa. Os requisitos a seguir são obrigatórios:

    • Servidor DNS do Microsoft Windows com registro de diagnóstico DNS ativado.
    • Todos os sistemas configurados com o fuso horário UTC
    • O NXLog instalado em servidores Microsoft Windows em cluster para coletar e encaminhar registros para o servidor Microsoft Windows ou Linux central.
    • Encaminhador do Chronicle instalado no servidor Microsoft Windows ou Linux central.

    Arquitetura de implantação

  • Analise os dispositivos e versões compatíveis.

    O analisador do Chronicle oferece suporte aos registros das seguintes versões do Microsoft Windows Server. O Microsoft Windows Server foi lançado com as seguintes edições: Foundation, Essentials, Standard e Datacenter. O esquema de eventos de registros gerados por cada edição não diferem.

    • Microsoft Windows Server 2019
    • Microsoft Windows Server 2016
    • Microsoft Windows Server 2012 R2

    O analisador do Chronicle é compatível com os registros coletados pelo NXLog Enterprise Edition.

  • Veja os tipos de registro compatíveis. O analisador do Chronicle é compatível com os seguintes tipos de registro gerados pelos servidores DNS do Microsoft Windows. Veja mais informações sobre esses tipos de registro na documentação Diagnóstico e geração de registros de DNS do Microsoft Windows. Ele aceita registros gerados com texto em inglês e não é compatível com registros gerados em outros idiomas.

    • Registros de auditoria: para ver uma descrição desse tipo de registro, consulte a documentação Registros de auditoria do Microsoft Windows.
    • Registros do Analytics: para ver uma descrição desse tipo, consulte a documentação Registros do Analytics do Microsoft Windows.
  • Configure os servidores DNS do Microsoft Windows. Consulte a documentação do Microsoft Windows para informações sobre como instalar e ativar o registro de diagnóstico DNS.

  • Instale e configure o servidor central do Windows ou Linux.

  • Configurar todos os sistemas com o fuso horário UTC.

Configurar NXLog e encaminhador do Chronicle

  1. Instale o NXLog em cada servidor DNS do Microsoft Windows. Siga a documentação do NXLog.
  2. Crie um arquivo de configuração para cada instância do NXLog. Use o módulo de entrada im_etw para extrair os registros de análise de DNS e o módulo de entrada im_msvistalog para os registros de auditoria.

    Veja um exemplo de configuração de NXLog. Substitua os valores <hostname> e <port> pelas informações sobre o servidor central do Microsoft Windows ou Linux. Para converter e analisar registros em JSON, em vez de XML, altere a linha Exec to_xml(); para Exec to_json();. Para mais informações, consulte a documentação do NXLog sobre o módulo om_tcp.

    define ROOT C:\Program Files\nxlog
    define WINDNS_OUTPUT_DESTINATION_ADDRESS <hostname>
    define WINDNS_OUTPUT_DESTINATION_PORT <port>
    
    Moduledir   %ROOT%\modules
    CacheDir    %ROOT%\data
    Pidfile     %ROOT%\data\nxlog.pid
    SpoolDir    %ROOT%\data
    LogFile     %ROOT%\data\nxlog.log
    
    <Extension syslog>
        Module      xm_syslog
    </Extension>
    
    # To collect XML logs, use the below NXLog module
    <Extension xml>
        Module      xm_xml
    </Extension>
    
    # To collect JSON logs, use the below NXLog module
    <Extension json>
        Module      xm_json
    </Extension>
    
    <Input eventlog>
        Module      im_etw
        Provider    Microsoft-Windows-DNSServer
    </Input>
    
    <Input auditeventlog>
        Module      im_msvistalog
        <QueryXML>
            <QueryList>
                <Query Id="0" Path="Microsoft-Windows-DNSServer/Audit">
                    <Select Path="Microsoft-Windows-DNSServer/Audit">*</Select>
                </Query>
            </QueryList>
        </QueryXML>
    </Input>
    
    <Output out_chronicle_windns>
        Module      om_tcp
        Host        %WINDNS_OUTPUT_DESTINATION_ADDRESS%
        Port        %WINDNS_OUTPUT_DESTINATION_PORT%
        Exec        $EventTime = integer($EventTime) / 1000;
        Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000;
        Exec        to_xml(); # To collect JSON, use to_json()
    </Output>
    
    <Route analytical_windns_to_chronicle>
        Path    eventlog => out_chronicle_windns
    </Route>
    
    <Route audit_windns_to_chronicle>
        Path    auditeventlog => out_chronicle_windns
    </Route>
    
  3. Instale o encaminhador do Chronicle no servidor Microsoft Windows ou Linux central. Consulte Como instalar e configurar o encaminhador no Linux ou Como instalar e configurar o encaminhador no Microsoft Windows para ver informações sobre como instalar e configurar o encaminhador no Linux.

  4. Configure o encaminhador do Chronicle para enviar registros ao Chronicle. Este é um exemplo de configuração de encaminhador.

      - syslog:
          common:
            enabled: true
            data_type: WINDOWS_DNS
            batch_n_seconds: 10
            batch_n_bytes: 1048576
          tcp_address: 0.0.0.0:10518
          connection_timeout_sec: 60
    

Referência de mapeamento de campo: campos de registro do dispositivo para campos do UDM

Nesta seção, descrevemos como o analisador mapeia campos do registro de dispositivos originais para os campos de modelo de dados unificado (UDM, na sigla em inglês).

Campos comuns

Campo "NXLog" Campo de UDM Comentário
SourceName metadata.vendor_name = "Microsoft"

metadata.product_name = "Windows DNS Server"
EventID security_result.rule_name Stored as "EventID: %{EventID}". In events with Error and Warning level, the field is_alert is set to true.
Severity security_result.severity The values are mapped to the UDM field enum as follows:
0 (None) - UNKNOWN_SEVERITY
1 (Critical) - INFORMATIONAL
2 (Error) - ERROR
3 (Warning) - ERROR
4 (Informational) - INFORMATIONAL
5 (Verbose) - INFORMATIONAL
EventTime metadata.event_timestamp
ExecutionProcessID principal.process.pid / target.process.pid Value stored in target.process.pid for the following Event IDs 256, 259, 261, 263, 266, 268, 270, 272, 273, 275, 278, 279, 280.
Value stored in principal.process.pid for all other Event IDs.
Channel metadata.product_event_type
Hostname principal.hostname / target.hostname Value stored in target.hostname for the following Event IDs: 256, 259, 261, 263, 266, 268, 270, 272, 273, 275, 278, 279, 280.

Value stored in principal.hostname from all other Event IDs.
UserID principal.user.windows_sid / target.user.windows_sid Stored in target.user.windows_sid for the following Event IDs: 256, 259, 261, 263, 266, 268, 270, 272,273, 275, 278, 279, 280.

Stored in principal.user.windows_sid for all other Event IDs

Registros de análise

Campo de registro original Campo de UDM Comentário
AA network.dns.authoritative
Destination target.ip / principal.ip Populated in either principal and target.
InterfaceIP target.ip / principal.ip Stores DNS Server's IP address in target.ip for following Event IDs, 256, 259, 261, 263, 266, 268, 270, 272, 273, 275, 278, 279, 280.
Stored in principal.ip for all other Event IDs (DNS response).
PacketData network.dns.answers.binary_data
Port target.port / principal.port
QNAME network.dns.questions.name
QTYPE network.dns.questions.type
RCODE network.dns.response_code
RD network.dns.recursion_desired
Reason security_result.summary
Source principal.ip / target.ip Source IPv4/IPv6 address of the machine that initiated the DNS request.
Stored in target.ip for Event ID 274. Stored in target.ip for Event ID 265 and 269, . InterfaceIP contains the secondary server's IP address (principal) and Source (target) is the primary server's IP address.
TCP network.ip_protocol
XID network.dns.id

Registros de auditoria

Campo de registro original Campo de UDM Observação
Name target.resource.name Value is collected from events with Event ID 512.
Policy target.resource.name Value is collected from events with Event ID 577, 578, 579, 580, 581, and 582, which are mapped to the SETTING_* event types.
QNAME network.dns.questions.name
QTYPE network.dns.questions.type
RecursionScope target.resource.name Value is collected from events with Event IDs mapped to SETTING_* event types.
Scope target.resource.name Value is collected from events with Event IDs mapped to SETTING_* event types.
Setting target.resource.name Value is collected from events with Event IDs mapped to SETTING_* event types.
Source principal.ip
Zone target.resource.name Value is collected from events with Event IDs mapped to SETTING_* event types.
ZoneScope target.resource.name Value is collected from events with Event IDs mapped to SETTING_* event types.

Referência de mapeamento de campo: ID do evento para tipo de evento do UDM

Nesta seção, descrevemos como o analisador mapeia IDs de eventos para event_types do UDM. Em geral, os eventos são mapeados para o NETWORK_DNS metadata.event_type, exceto os IDs de evento na seção a seguir.

ID do evento Texto do evento Tipo de evento do UMM Observações
275 XFR_NOTIFY_ACK_IN: Source=%1; InterfaceIP=%2; PacketData=%4 GENERIC_EVENT
276 IXFR_RESP_OUT: TCP=%1; InterfaceIP=%2; Destination=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; RCODE=%8; PacketData=%10 GENERIC_EVENT
512 SETTING_CREATION
513 The zone %1 was deleted. SETTING_DELETION
514 The zone %1 was updated. The %2 setting has been set to %3. SETTING_MODIFICATION
515 A resource record of type %1, name %2, TTL %3 and RDATA %5 was created in scope %7 of zone %6. SYSTEM_AUDIT_LOG_UNCATEGORIZED
516 A resource record of type %1, name %2 and RDATA %5 was deleted from scope %7 of zone %6. SYSTEM_AUDIT_LOG_UNCATEGORIZED
517 All resource records of type %1, name %2 were deleted from scope %4 of zone %3. SYSTEM_AUDIT_LOG_UNCATEGORIZED
518 All resource records at Node name %1 were deleted from scope %3 of zone %2. SYSTEM_AUDIT_LOG_UNCATEGORIZED
519 A resource record of type %1, name %2, TTL %3 and RDATA %5 was created in scope %7 of zone %6 via dynamic update from IP Address %8. SYSTEM_AUDIT_LOG_UNCATEGORIZED
520 A resource record of type %1, name %2 and RDATA %5 was deleted from scope %7 of zone %6 via dynamic update from IP Address %8. SYSTEM_AUDIT_LOG_UNCATEGORIZED
521 A resource record of type %1, name %2, TTL %3 and RDATA %5 was scavenged from scope %7 of zone %6. SYSTEM_AUDIT_LOG_UNCATEGORIZED
522 The scope %1 was created in zone %2. SETTING_CREATION
523 The scope %1 was deleted in zone %2. SETTING_DELETION
525 The zone %1 was signed with following properties: DenialOfExistence=%2; DistributeTrustAnchor=%3; DnsKeyRecordSetTtl=%4; DSRecordGenerationAlgorithm=%5; DSRecordSetTtl=%6; EnableRfc5011KeyRollover=%7; IsKeyMasterServer=%8; KeyMasterServer=%9; NSec3HashAlgorithm=%10; NSec3Iterations=%11; NSec3OptOut=%12; NSec3RandomSaltLength=%13; NSec3UserSalt=%14; ParentHasSecureDelegation=%15; PropagationTime=%16; SecureDelegationPollingPeriod=%17; SignatureInceptionOffset=%18. SYSTEM_AUDIT_LOG_UNCATEGORIZED
526 The zone %1 was unsigned. SYSTEM_AUDIT_LOG_UNCATEGORIZED
527 The zone %1 was re-signed with following properties: DenialOfExistence=%2; DistributeTrustAnchor=%3; DnsKeyRecordSetTtl=%4; DSRecordGenerationAlgorithm=%5; DSRecordSetTtl=%6; EnableRfc5011KeyRollover=%7; IsKeyMasterServer=%8; KeyMasterServer=%9; NSec3HashAlgorithm=%10; NSec3Iterations=%11; NSec3OptOut=%12; NSec3RandomSaltLength=%13; NSec3UserSalt=%14; ParentHasSecureDelegation=%15; PropagationTime=%16; SecureDelegationPollingPeriod=%17; SignatureInceptionOffset=%18. SYSTEM_AUDIT_LOG_UNCATEGORIZED
528 Rollover was started on the type %1 with GUID %2 of zone %3. SYSTEM_AUDIT_LOG_UNCATEGORIZED
529 Rollover was completed on the type %1 with GUID %2 of zone %3. SYSTEM_AUDIT_LOG_UNCATEGORIZED
530 The type %1 with GUID %2 of zone %3 was marked for retiral. The key will be removed after the rollover completion. SYSTEM_AUDIT_LOG_UNCATEGORIZED
531 Manual rollover was triggered on the type %1 with GUID %2 of zone %3. SYSTEM_AUDIT_LOG_UNCATEGORIZED
533 The keys signing key with GUID %1 on zone %2 that was waiting for a Delegation Signer(DS) update on the parent has been forced to move to rollover completion. SYSTEM_AUDIT_LOG_UNCATEGORIZED
534 DNSSEC setting metadata was exported %1 key signing key metadata from zone %2. SYSTEM_AUDIT_LOG_UNCATEGORIZED
535 DNSSEC setting metadata was imported on zone %1. SYSTEM_AUDIT_LOG_UNCATEGORIZED
536 A record of type %1, QNAME %2 was purged from scope %3 in cache. SYSTEM_AUDIT_LOG_UNCATEGORIZED
537 The forwarder list on scope %2 has been reset to %1. SETTING_MODIFICATION target.resource.name is set to "Forwarder list on scope: %{scope_name}"
540 The root hints have been modified. SETTING_MODIFICATION target.resource.name populated with text "Root hints"
541 The setting %1 on scope %2 has been set to %3. SETTING_MODIFICATION
542 The scope %1 of DNS server was created. SETTING_CREATION
543 The scope %1 of DNS server was deleted. SETTING_DELETION
544 The DNSKEY with Key Protocol %2, Base64 Data %4 and Crypto Algorithm %5 has been added at the trust point %1. SYSTEM_AUDIT_LOG_UNCATEGORIZED
545 The DS with Key Tag: %2, Digest Type: %3, Digest: %5 and Crypto Algorithm: %6 has been added at the trust point %1. SYSTEM_AUDIT_LOG_UNCATEGORIZED
546 The trust point at %1 of type %2 has been removed. SYSTEM_AUDIT_LOG_UNCATEGORIZED
547 The trust anchor for the root zone has been added. SYSTEM_AUDIT_LOG_UNCATEGORIZED
548 A request to restart the DNS server service has been received. SYSTEM_AUDIT_LOG_UNCATEGORIZED
549 The debug logs have been cleared from %1 on DNS server. SYSTEM_AUDIT_LOG_WIPE
550 The in-memory contents of all the zones on DNS server have been flushed to their respective files. SYSTEM_AUDIT_LOG_UNCATEGORIZED
551 All the statistical data for the DNS server has been cleared. SYSTEM_AUDIT_LOG_WIPE
552 A resource record scavenging cycle has been started on the DNS Server. SYSTEM_AUDIT_LOG_UNCATEGORIZED
553 %1 SYSTEM_AUDIT_LOG_UNCATEGORIZED
554 The resource record scavenging cycle has been terminated on the DNS Server. SYSTEM_AUDIT_LOG_UNCATEGORIZED
555 The DNS server has been prepared for demotion by removing references to it from all zones stored in the Active Directory. SYSTEM_AUDIT_LOG_UNCATEGORIZED
556 The information about the root hints on the DNS server has been written back to the persistent storage. SYSTEM_AUDIT_LOG_UNCATEGORIZED
557 The addresses on which DNS server will listen has been changed to %1. SETTING_MODIFICATION target.resource.name populated with text "Listen Addresses"
558 An immediate RFC 5011 active refresh has been scheduled for all trust points. SYSTEM_AUDIT_LOG_UNCATEGORIZED
559 The zone %1 is paused. SYSTEM_AUDIT_LOG_UNCATEGORIZED
560 The zone %1 is resumed. SYSTEM_AUDIT_LOG_UNCATEGORIZED
561 The data for zone %1 has been reloaded from %2. SYSTEM_AUDIT_LOG_UNCATEGORIZED
562 The data for zone %1 has been refreshed from the master server %2. SYSTEM_AUDIT_LOG_UNCATEGORIZED
563 The secondary zone %1 has been expired and new data has been requested from the master server %2. SYSTEM_AUDIT_LOG_UNCATEGORIZED
564 The zone %1 has been reloaded from the Active Directory. SYSTEM_AUDIT_LOG_UNCATEGORIZED
565 The content of the zone %1 has been written to the disk and the notification has been sent to all the notify servers. SETTING_MODIFICATION
566 All DNS records at the node %1 in the zone %2 will have their aging time stamp set to the current time.%3 SYSTEM_AUDIT_LOG_UNCATEGORIZED
567 The Active Directory-integrated zone %1 has been updated. Only %2 can run scavenging. SYSTEM_AUDIT_LOG_UNCATEGORIZED
568 The key master role for zone %1 has been %2.%3 SYSTEM_AUDIT_LOG_UNCATEGORIZED
569 A %1 singing key (%2) descriptor has been added on the zone %3 with following properties: KeyId=%4; KeyType=%5; CurrentState=%6; KeyStorageProvider=%7; StoreKeysInAD=%8; CryptoAlgorithm=%9; KeyLength=%10; DnsKeySignatureValidityPeriod=%11; DSSignatureValidityPeriod=%12; ZoneSignatureValidityPeriod=%13; InitialRolloverOffset=%14; RolloverPeriod=%15; RolloverType=%16; NextRolloverAction=%17; LastRolloverTime=%18; NextRolloverTime=%19; CurrentRolloverStatus=%20; ActiveKey=%21; StandbyKey=%22; NextKey=%23. The zone will be resigned with the %2 generated with these properties. SYSTEM_AUDIT_LOG_UNCATEGORIZED
570 A %1 singing key (%2) descriptor with GUID %3 has been updated on the zone %4. The properties of this %2 descriptor have been set to: KeyId=%5; KeyType=%6; CurrentState=%7; KeyStorageProvider=%8; StoreKeysInAD=%9; CryptoAlgorithm=%10; KeyLength=%11; DnsKeySignatureValidityPeriod=%12; DSSignatureValidityPeriod=%13; ZoneSignatureValidityPeriod=%14; InitialRolloverOffset=%15; RolloverPeriod=%16; RolloverType=%17; NextRolloverAction=%18; LastRolloverTime=%19; NextRolloverTime=%20; CurrentRolloverStatus=%21; ActiveKey=%22; StandbyKey=%23; NextKey=%24. The zone will be resigned with the %2 generated with these properties. SYSTEM_AUDIT_LOG_UNCATEGORIZED
571 A %1 singing key (%2) descriptor %4 has been removed from the zone %3. SYSTEM_AUDIT_LOG_UNCATEGORIZED
572 The state of the %1 signing key (%2) %3 has been modified on zone %4. The new active key is %5, standby key is %6 and next key is %7. SYSTEM_AUDIT_LOG_UNCATEGORIZED
573 A delegation for %1 in the scope %2 of zone %3 with the name server %4 has been added. SYSTEM_AUDIT_LOG_UNCATEGORIZED
574 The client subnet record with name %1 value %2 has been added to the client subnet map. SYSTEM_AUDIT_LOG_UNCATEGORIZED
575 The client subnet record with name %1 has been deleted from the client subnet map. SYSTEM_AUDIT_LOG_UNCATEGORIZED
576 The client subnet record with name %1 has been updated from the client subnet map. The new client subnets that it refers to are %2. SYSTEM_AUDIT_LOG_UNCATEGORIZED
577 A server level policy %6 for %1 has been created on server %2 with following properties: ProcessingOrder:%3; Criteria:%4; Action:%5. SETTING_CREATION
578 A zone level policy %8 for %1 has been created on zone %6 on server %2 with following properties: ProcessingOrder:%3; Criteria:%4; Action:%5; Scopes:%7. SETTING_CREATION
579 A forwarding policy %6 has been created on server %2 with following properties: ProcessingOrder:%3; Criteria:%4; Action:%5; Scope:%1. SETTING_CREATION
580 The server level policy %1 has been deleted from server %2. SETTING_DELETION
581 The zone level policy %1 has been deleted from zone %3 on server %2. SETTING_DELETION
582 The forwarding policy %1 has been deleted from server %2. SETTING_DELETION