TechnitiumSoftware / DnsServer

Technitium DNS Server
https://technitium.com/dns/
GNU General Public License v3.0

Add syslog app #954

Open hampusstrom opened 6 days ago

hampusstrom commented 6 days ago

First and foremost, sorry about my code quality. I haven't been programming in C# for years. I saw a need for remote syslog capabilities and decided to give it a go. Feel free to roast me.

What: Adds a new Technitium DNS App that allows for use of remote syslog servers for log collection in RFC3164 format. Messages are sent as JSON for easy field extraction and parsing in your log aggregator/SIEM of choice.

I will also be releasing a Splunk app that provides Splunk CIM compatibility among other things to accompany this contribution, should it be accepted. https://docs.splunk.com/Documentation/CIM/5.3.2/User/Overview

This app is not compatible with the query searching UI for obvious reasons, therefore we return a NotSupportedException on attempts to query the logs that have been sent off to a remote server.

The app features some basic input format validation for the syslogServers configuration.

Why: No matter if you are a big, security-conscious company looking to integrate DNS logging into your SIEM or a homelabber looking to troubleshoot that pesky DNS issue (it's always DNS), remote syslog ensures that you can use the collection, indexing and search tooling that you want to keep track of your data. Syslog is easy to set up, easy to integrate with, and most companies already have some kind of syslog collection in place.

To get started:

  1. Install the app
  2. edit the configuration
  3. set the syslogServers to a list of ":" pairs representing one or more syslog target servers.
  4. set enableLogging to true to enable the syslog output
  5. Enjoy your newfound power!

Example config: { "enableLogging": true, "syslogServers": ["192.168.1.2:514","10.1.2.3:7899"] }

Closes: #513, #133

Relates to: #781

Big fan of the project!
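As an added example (not code from this PR or from Technitium DNS Server), the two pieces the description above relies on, written in Python: validating the syslogServers "host:port" list and wrapping a query record as JSON inside an RFC 3164 line. The local0/info PRI, the TechnitiumDns tag and the record field names are assumptions for illustration.

```python
import json
import re
import socket
from datetime import datetime

# RFC 3164 PRI = facility * 8 + severity; local0/info are assumed defaults here
FACILITY_LOCAL0 = 16
SEVERITY_INFO = 6
MAX_RFC3164_BYTES = 1024  # RFC 3164 section 4.1 packet length limit

_SERVER_RE = re.compile(r"^(?P<host>[^\s:]+):(?P<port>\d{1,5})$")


def parse_syslog_servers(servers):
    """Validate a syslogServers list of "host:port" strings; return (host, port) tuples."""
    parsed = []
    for entry in servers:
        m = _SERVER_RE.match(entry)
        if not m:
            raise ValueError(f"malformed syslog server entry: {entry!r}")
        port = int(m.group("port"))
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {entry!r}")
        parsed.append((m.group("host"), port))
    return parsed


def format_rfc3164(record, hostname, now, tag="TechnitiumDns",
                   facility=FACILITY_LOCAL0, severity=SEVERITY_INFO):
    """Build '<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG' with the query record as JSON.
    json.dumps escapes control characters, so a QNAME containing a newline
    cannot split the message into a second syslog line at the collector."""
    pri = facility * 8 + severity
    ts = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"  # RFC 3164 space-pads the day
    payload = json.dumps(record, separators=(",", ":"), sort_keys=True)
    line = f"<{pri}>{ts} {hostname} {tag}: {payload}"
    if len(line.encode("utf-8")) > MAX_RFC3164_BYTES:
        raise ValueError("message exceeds RFC 3164 length limit")
    return line


def send_udp(line, targets):
    """Deliver one line to every validated target over UDP, the RFC 3164 transport."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for host, port in targets:
            s.sendto(line.encode("utf-8"), (host, port))


# Constructed sample record and fixed timestamp (field names are illustrative)
SAMPLE_RECORD = {"client": "192.168.1.50", "qname": "example.com", "qtype": "A", "rcode": "NoError"}


def example_line():
    return format_rfc3164(SAMPLE_RECORD, "dns1", datetime(2024, 3, 5, 14, 7, 9))
```

Pass the output of `parse_syslog_servers` to `send_udp` to fan one line out to every configured target; a malformed entry fails at config time rather than at the first query.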

ShreyasZare commented 6 days ago

Thanks for the PR. The syslog support is planned for all DNS server logs wherein the logging format will also need a bit of modification. But having an independent app for query log too is good if someone needs that just for query logs. Will review this PR soon.

hampusstrom commented 6 days ago

Thank you for taking the time to look into my contribution!

Since you've already got full syslog support planned I see no reason for this app, other than as maybe an interim solution until the full support is live.

I might not write very good C#, but I do have a lot of experience in parsing logs and I know what makes them great, both in terms of formatting and contents, especially from a security and auditing point of view. If you're open to it, I'd love to help out with the implementation.