ISC Bind9

ISC Bind9 is open-source software that allows you to publish DNS information. Read more about BIND on its website: https://www.isc.org/downloads/bind/
Before You Begin

To capture data from this event source in InsightIDR, you must configure ISC Bind9 to send all query logs to syslog, which then forwards them to the InsightIDR Collector. Read how to do this on the Syslog Logging page: //www.gcpym.com/insightidr/syslog-logging

You can configure ISC BIND9 to forward syslog by following the instructions in ISC's logging recommendations: https://kb.isc.org/article/AA-01526/0/BIND-Logging-some-basic-recommendations.html
Configure Linux

You must first enable and configure Linux to send logs.

To configure logging on Linux with RHEL7 / OEL7 / CentOS7:

- Navigate to the location where ISC Bind9 is installed.
- Using an SSH/Telnet terminal emulator, enter the command `cat /etc/named.conf` to view the file `named.conf`, then edit it.
- Add the following channel to the `logging {}` block:
```
channel query_log {
    syslog local4;
    print-time yes;
    print-category yes;
    print-severity yes;
    severity debug;
};

category queries { query_log; };
```

Note that `syslog local4` is the local facility you specify for syslog.
When you are done, the `logging {}` section should look like this:

```
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };

    channel query_log {
        syslog local4;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity debug;
    };

    category queries { query_log; };
};
```
- Restart `named` by entering the command `# systemctl restart named`. This stops and restarts the service and reloads the configuration file. Note that `#` indicates you are an administrator or root user.
- Next, configure the local syslog daemon to send logs to the Collector. To do this, enter the command `vi /etc/rsyslog.conf` to open the file in a text editor such as Vim.
- Then, at the bottom of the file, find `remote host is`. There, add your Collector's IP address or hostname.
- Save the file.
- Finally, restart the `rsyslog` service with the command `# systemctl restart rsyslog`.
Expected Format

The Insight Platform processes logs from this event source in the following format:

```text
<30>Apr 12 11:57:50 mydnsserver-03 named[32176]: 12-Apr-2018 11:57:50.373 client 10.1.1.101#24360 (ssl.gstatic.com): query: ssl.gstatic.com IN A + (10.2.1.22)
```

How to Configure This Event Source
- From your dashboard, select Data Collection from the left menu.
- When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
- From the Security Data section, click the DNS icon. The Add Event Source panel appears.
- Choose your Collector and event source. You can also name your event source if you want.
- Choose the time zone that matches the location of your event source logs: //www.gcpym.com/insightidr/log-collection-and-storage
- Choose to send unfiltered logs: //www.gcpym.com/insightidr/log-collection-and-storage
- Configure your inactivity timeout threshold (in minutes).
- Select a collection method (//www.gcpym.com/insightidr/data-collection-methods) and specify a port and protocol.
  - Optionally choose to encrypt the event source, if you chose TCP, by downloading the Rapid7 Certificate: //www.gcpym.com/insightidr/advanced-event-source-settings
- Click Save.
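As an added example (not part of the original page or of InsightIDR's own code), the following Python parses a forwarded query-log line in the format shown under Expected Format above into its fields, decoding the syslog PRI into facility and severity and BIND's flag field; it assumes and tolerates the optional `@0x...` client handle and `queries: info:` prefixes that other BIND 9 versions emit, and the sample line is constructed.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Forwarded line layout (syslog PRI + header, then BIND's own query-log record):
# <PRI>Mon DD HH:MM:SS host named[pid]: DD-Mon-YYYY HH:MM:SS.mmm client IP#PORT (NAME): query: NAME CLASS TYPE FLAGS (SERVER_IP)
# Assumption: the optional "@0x..." client handle and "queries: info:" prefixes of other BIND 9 versions are tolerated.
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} "
    r"(?P<host>\S+) named\[\d+\]: "
    r"\d{2}-[A-Z][a-z]{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} (?:queries: )?(?:info: )?"
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<client_ip>[0-9A-Fa-f.:]+)#(?P<client_port>\d+) "
    r"\([^)]*\): query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>\S+) \((?P<server_ip>[^)]+)\)$"
)
# BIND flag letters that follow the leading '+' (recursion desired) or '-'.
FLAG_NAMES = {"S": "signed", "E": "edns", "T": "tcp", "D": "dnssec_ok", "C": "checking_disabled"}

@dataclass(frozen=True)
class QueryEvent:
    facility: int          # syslog PRI >> 3 (3 = daemon, 20 = local4)
    severity: int          # syslog PRI & 7 (6 = info)
    host: str
    client_ip: str
    client_port: int
    qname: str
    qclass: str
    qtype: str
    recursion_desired: bool
    flags: FrozenSet[str]
    server_ip: str         # address the query arrived on, shown in parentheses

def parse_query_log(line: str) -> Optional[QueryEvent]:
    """Parse one forwarded BIND query-log line; return None if it is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pri, flags = int(m["pri"]), m["flags"]
    return QueryEvent(
        facility=pri >> 3, severity=pri & 7, host=m["host"],
        client_ip=m["client_ip"], client_port=int(m["client_port"]),
        qname=m["qname"], qclass=m["qclass"], qtype=m["qtype"],
        recursion_desired=flags.startswith("+"),
        flags=frozenset(FLAG_NAMES[c] for c in flags[1:] if c in FLAG_NAMES),
        server_ip=m["server_ip"],
    )

# Constructed sample in the documented format (not a real capture).
SAMPLE = ("<30>Apr 12 11:57:50 mydnsserver-03 named[32176]: 12-Apr-2018 11:57:50.373 "
          "client 10.1.1.101#24360 (ssl.gstatic.com): query: ssl.gstatic.com IN A + (10.2.1.22)")
```

Lines that do not match return None, which is the case to alert on when the channel is misconfigured or the facility does not match what rsyslog forwards.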