topic Re: Syslog - Collecting Internal DNS in General Topics

Syslog - Collecting Internal DNS

JeffFredericks — Thu, 02 Aug 2018 17:56:38 GMT

Hey Everyone,

I noticed my Syslog box isn't receiving internal DNS information from the Palo. I originally thought the URL log type would capture internal information (yes i'm aware what URL stands for, but I could hope). However that doesn't seem to be the case.

Is there a particular field, log type, or severity level I can enable to collect internal dns names and services?

- Jeff

Re: Syslog - Collecting Internal DNS

OtakarKlier — Thu, 02 Aug 2018 18:55:45 GMT

Hello,

I'm not sure if hte PAN does this for you or if there is a way to accomplish this. However for us our SIEM does this on its end.

Regards,

Re: Syslog - Collecting Internal DNS

RobinClayton — Fri, 03 Aug 2018 11:14:06 GMT

What are you actualy trying to achive/log?

Rob

Re: Syslog - Collecting Internal DNS

JeffFredericks — Tue, 07 Aug 2018 23:51:36 GMT

Trying to collect internal dns records in Palo Alto's Splunk app. That way we can better correlate events and threats when they happen.

Re: Syslog - Collecting Internal DNS

Remo — Wed, 08 Aug 2018 00:12:18 GMT

@JeffFredericks

Do you want to have DNS logs in your Splunk server or do you want the DNS names for the IPs in the logs? For the names you can export the DNS Names and create a lookup table on your splunk server.

Re: Syslog - Collecting Internal DNS

JeffFredericks — Wed, 08 Aug 2018 00:15:59 GMT

DNS Names for the IPs in the logs.

I would love to know how to export that info.

Re: Syslog - Collecting Internal DNS

RobinClayton — Wed, 08 Aug 2018 07:54:45 GMT

Do we assume your DNS server is Windows Server??

Re: Syslog - Collecting Internal DNS

RobinClayton — Wed, 08 Aug 2018 07:56:32 GMT

And are all your IP's static/reserverd?

Re: Syslog - Collecting Internal DNS

JeffFredericks — Wed, 08 Aug 2018 18:57:04 GMT

Windows Server + Static/reserved

Re: Syslog - Collecting Internal DNS

RobinClayton — Thu, 09 Aug 2018 08:04:02 GMT

You can export the zone via MMC, or you could powershel the export and run it periodicaly.

Rob

Re: Syslog - Collecting Internal DNS

JeffFredericks — Thu, 09 Aug 2018 18:05:44 GMT

Interesting. From what you described It sounds a little bit more like a hack, then an actual filter or setting with the Palo Alto as well.

Selecting, say, the url field for syslog won't capture internal DNS requests as they're hitting the Palo?

Re: Syslog - Collecting Internal DNS

Remo — Thu, 09 Aug 2018 22:31:47 GMT

@JeffFredericks

The way described by @RobinClayton isn't a hack. This is how it should be as the firewall also does not know the DNS names of the sources (except if you create address objects for ALL your internal systems). This information you should get where it is managed -> from your DNS server.

@JeffFredericks wrote:
Selecting, say, the url field for syslog won't capture internal DNS requests as they're hitting the Palo?

No, paloalto does not log the content of DNS requests. If you need this data, then the best place to get that is agsin your DNS server which you need to configure to send the DNS logs to your splunk server.

Re: Syslog - Collecting Internal DNS

RobinClayton — Fri, 10 Aug 2018 09:30:15 GMT

Even if the PA did see the DNS requests ( if you had the DNS servers on their own Zone or Subnet) routed through the firewall.... The PA is not goign to do anything special with the traffic.