Windows DNS logs, FileBeat, Beats input on Graylog 3.1.3

For some reason, my old setup on Windows DCs of winpcap → PacketBeat → Graylog stopped working. Probably because of something on the windows server side. npcap → packetbeat → graylog kinda worked but not for both servers, and almost no requests were being captured, mostly just responses.

So I decided to try FileBeat. I am already logging windows DNS to a file due to an MSSP integration.

So I have FileBeat 7.5.1 looking at the dns text files on each DC.
filebeat.inputs:
- type: log
  paths:
    - C:\Windows\System32\dns\dns.log
output.logstash:
  hosts: ["ip:port"]

SOME kinda data is clearly making it to Graylog from both windows DCs. I chose the (non deprecated) Beats input.

But no data is being indexed. Under “show received messages” there is nothing found.

I tried a tcp raw input to see if perhaps the data was just coming in an unexpected format that couldn’t be parsed, and the resulting “message” field looks like this:
���ghOv��Z)6ݫ�[���\L���-Bv�!�9���s��vq�Pj{�I ��[�j�B�=�VZ,j�)���pjz��Tc�AB>C@�m� ��q���&�JyΧ�6x!_�o#���n� ���E�+h���s���{�8M!��Ժr���(v�� 7��!�z���!/�C��e�u=�{��~��ǡB�o�+��ʩ�uVT�>.�U�@��"T���#��N�����QN4��’�4�o�m�y�+\ ��[�r

So my questions:
Is this what beats data should look like if viewed “raw?”
Should Graylog be able to parse this?
Is there something special that needs to be done on the FileBeats side to make it Beats/Graylog palatable?
Is this more of a FileBeats question?

Here is the filebeat windows basic DNS test configuration that worked for me. It was just a test but it pumped messages through just fine.

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
  hosts:
    - ${user.BeatsInput}
  ssl:
    verification_mode: none
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
  # one tag per list item; a single "windows, DNS" item would become one tag
  - windows
  - DNS
filebeat:
  inputs:
    - type: log
      paths:
        - C:\Windows\Logs\DNSServer\dns.log

Assuming you have sidecar (https://docs.graylog.org/en/latest/pages/sidecar.html) installed and set up on the sending server you can use the above configuration to pull DNS via the filebeat part of sidecar.


So I need to use sidecar for this? I thought that stuff was deprecated.

Collectors were deprecated, not sidecar :slight_smile:

Well… actually. I don’t think that’s it. Sidecar shouldn’t matter. Filebeat IS ingesting something, but is sending a pretty harsh solid binary tcp stream.
I’m not running tls on this, but this is what tcpdump shows coming FROM filebeat.
Is this the expected output of packetbeat ingesting a text logfile of dns? Clearly it’s making it all the way to graylog but graylog isn’t indexing it.

filebeat.inputs:
- type: log
  paths:
    - C:\Windows\System32\dns\dns.log
  document_type: dns
  include_lines: ['^[0-9]']
  ignore_older: 2h
fields_under_root: true

output.logstash:
  hosts: ["blah:blah"]

The DNS log is a text file.
Also… I was running packetbeat before this without problem, so I’m not totally up in the night here. I also confirmed I was using the OSS/Apache licensed variant.

Hey… so check this out.

Any chance that graylog’s 3.1.3 Beats parser just ain’t digesting Filebeats OSS 7.5.1’s data correctly? Or Filebeats isn’t handling the DNS log well?

It turns out that beats is a binary protocol.
On the Left is a good packetbeat stream that Graylog indexes fine. On the right is the filebeat stream that Graylog doesn’t handle.

They have the same headers for a few bytes:
filebeat:   32 57 00 00 01 3a 32 43
packetbeat: 32 57 00 00 00 02 32 43

Any ideas?
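The two 8-byte prefixes above can be read directly: they are lumberjack v2 frame headers, the wire format the Beats input speaks. As an added example (not code from the thread or from Graylog/Elastic), here is a small decoder that parses those prefixes and round-trips a constructed batch framed the way a beats shipper frames it (a window frame, then a zlib-compressed frame carrying JSON event frames). The sample DNS log event is constructed for the demo.

```python
import json
import struct
import zlib

# The two 8-byte stream prefixes quoted in the thread (filebeat vs packetbeat).
FILEBEAT_PREFIX = bytes.fromhex("32 57 00 00 01 3a 32 43")
PACKETBEAT_PREFIX = bytes.fromhex("32 57 00 00 00 02 32 43")


def parse_prefix(prefix: bytes) -> dict:
    """Decode '2W' <uint32 window> '2C' at the start of a beats batch.

    Every lumberjack v2 frame begins with version byte '2' and a type byte:
    'W' announces how many events follow before an ACK is expected,
    'C' introduces a zlib-compressed payload of 'J' (JSON) event frames.
    """
    v1, t1, window, v2, t2 = struct.unpack(">ccIcc", prefix[:8])
    if (v1, t1, v2, t2) != (b"2", b"W", b"2", b"C"):
        raise ValueError("not a lumberjack v2 window frame followed by a compressed frame")
    return {"version": 2, "window_size": window, "next_frame": "compressed"}


def build_batch(events: list) -> bytes:
    """Frame events as a shipper does: window frame + compressed 'J' frames."""
    body = b""
    for seq, event in enumerate(events, start=1):
        payload = json.dumps(event).encode()
        body += b"2J" + struct.pack(">II", seq, len(payload)) + payload
    compressed = zlib.compress(body)
    return (b"2W" + struct.pack(">I", len(events))
            + b"2C" + struct.pack(">I", len(compressed)) + compressed)


def decode_batch(data: bytes) -> list:
    """Inverse of build_batch: returns the event dicts in sequence order."""
    header = parse_prefix(data)
    (clen,) = struct.unpack(">I", data[8:12])
    body = zlib.decompress(data[12:12 + clen])
    events, pos = [], 0
    while pos < len(body):
        if body[pos:pos + 2] != b"2J":
            raise ValueError(f"unexpected frame type {body[pos:pos + 2]!r} at offset {pos}")
        seq, plen = struct.unpack(">II", body[pos + 2:pos + 10])
        events.append(json.loads(body[pos + 10:pos + 10 + plen]))
        pos += 10 + plen
    if len(events) > header["window_size"]:
        raise ValueError("batch carries more events than the announced window")
    return events


# Constructed sample: one Windows DNS debug-log line as filebeat would ship it.
SAMPLE_EVENTS = [{"@timestamp": "2020-01-10T12:00:00.000Z",
                  "message": "1/10/2020 12:00:00 PM 0B2C PACKET 000001D2E3F4A5B0 UDP Rcv "
                             "10.0.0.5 0002 Q [0001 D NOQUERY] A (7)example(3)com(0)",
                  "tags": ["windows", "DNS"]}]
```

Decoding the two quoted prefixes gives window sizes 314 (filebeat) and 2 (packetbeat), so the bytes that differ only encode batch size; both streams start as well-formed beats traffic, and diagnosing the index errors needs the compressed payload that follows.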

It kinda looks like you are having packetbeat read the log file when you want filebeat to read it??!?

So… under sidecars->Log Collectors, you would create a Filebeat Log Collector that references the filebeat.exe location (among other things), then you would create a Collector Configuration that is based off your Filebeat Log Collector, then you would apply that configuration to the DNS server. Here are screen shots of mine - note how my collector configuration is based on the “winfilebeat one windows” Log Collector.


The screen shots are ugly - let me know if you need more detail! :stuck_out_tongue:

No. I set the server up to use npcap and packetbeat in one case, and the packetbeat pcap was captured on the graylog server (and indexed by graylog).

Then I removed everything and setup filebeat to read the DNS log file, the filebeat pcap was captured on the graylog server (and nothing but index errors).

So what I THINK I’m seeing is that either :
1: filebeat is not handling the Windows DNS log format well. (edit)
or
2: graylog’s beats parser is not handling packetbeat’s tcp stream well.
or
3: both.
or
4: something else entirely.

The existence of a pcap in both cases with the same first 4 bytes, I believe, suggests that at least the networking and config are good.

1: packetbeat is not handling the Windows DNS log format well.

the DNS.LOG file is a text file, you should be using filebeat (filebeat.exe) to capture it.

edited. sorry, lots of *beat typing.

" setup filebeat to read the DNS log file "
I assure you that I am using packetbeat for packets and filebeat for files.

and the stream resulting from filebeat (ingesting the dns log file, a text file) is not being indexed by graylog’s beats input.

hmmm could you be accidentally applying your packetbeat Log Collector onto your Filebeat Configuration?

Packetbeat config (works) :

packetbeat.interfaces.device: 0
packetbeat.protocols:
- type: dns
  ports: [53]
  include_authorities: true
  include_additionals: true

output.logstash:
  hosts: ["ip:port"]

Filebeat config (works but index errors, no data is indexed) :

filebeat.inputs:
- type: log
  paths:
    - C:\Windows\System32\dns\dns.log
  document_type: dns
  include_lines: ['^[0-9]']
  ignore_older: 2h
fields_under_root: true

output.logstash:
  hosts: ["ip:port"]

I modified my working config to match yours closely. I removed document_type since I have read that it has been deprecated in elasticsearch. I can’t test this on my production DNS though. :frowning: I have seen before where order and even seemingly formatting make a difference in how the configuration works.

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
  hosts:
    - "ip:port"
  ssl:
    verification_mode: none
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
  - windows
  - DNS
  - NOT_using_packetbeat_haha
filebeat:
  inputs:
    - type: log
      ignore_older: 2h
      include_lines: ['^[0-9]']
      paths:
        - C:\Windows\System32\dns\dns.log
