Splunk Enterprise Security
Highlighted

How to get DNS logs running on Solaris for the Splunk Enterprise Security app?

New Member

Hi,

I am implementing the Splunk Enterprise Security app. I have DNS logs which are in Solaris. I went through the DNS app for linux. Can I use the same app?
DNS logs will be brought in as syslog. There are three types of DNS logs queries: security and transfers.

I would appreciate if I could get some clarification as to how to bring in the data, what data is required for theES app, and make the ES app work? Also, do we need Stream app to be installed for the same?

0 Karma
Highlighted

Re: How to get DNS logs running on Solaris for the Splunk Enterprise Security app?

Champion

I'm not sure how much I can help you here, but maybe can provide a high level answer.

Generally speaking, the correlation searches in ES run against the CIM datamodels. There are multiple datamodels for things like Intrusion Detection, Network Traffic, Email, etc. And so the goal is to map the data in your dns data to the fields defined in the datamodel. These are all search time configurations.

Each datamodel is defined by a tag or set of tags. So if you want the dns data to show up, then an eventtype/tag need to be configured to mark it appropriately.

Next, the datamodels use certain fields. For example, there may be a field called src and another called dest. So you need to create those fields for dns data if they don't exist. For example, if you have a field called destination, then you'd want to create a field alias of that called dest, because that's the field expected by the datamodel.

Once that's done, any correlation search running against that datamodel will include your dns data. This allows you to map multiple sources of data to one datamodel so the correlation searches won't really need modified.

One other thing to note is where you store those search time operations (field mappings, etc). ES needs to be made aware of apps that it needs to take into consideration. There are some default rules for apps it allows like "TA-xxx" or "Splunk-TAxxx" or something to that effect. But if you have your config in an app like mycompanyconfigdnsmappings, then you'll need to import that app into ES. I don't recall off hand how to do that, but I'm sure it's documented.

I'm not sure if this is sort of what you were looking or helpful at all, but thought I'd share what I know. Also, we are a few versions behind on ES, so I apologize if any of this outdated or has been changed. And here is the link to the Network Resolution Datamodel documentation, which is probably where your data would need to be mapped to.

http://docs.splunk.com/Documentation/CIM/4.5.0/User/NetworkResolutionDNS

View solution in original post

0 Karma