Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add syslog app #954

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

Add syslog app #954

wants to merge 1 commit into from
+361 −0

Conversation

hampusstrom
Copy link

First and foremost sorry about my code quality. I haven't been programming i C# for years.
I saw a need for remote syslog capabilities and decided to give it a go. Feel free to roast me.

What:
Adds a new Technitium DNS App that allows for use of remote syslog servers for log collection in RFC3164 format.
Messages are sent as JSON for easy field extractions and parsings in your log aggregator/SIEM of choice.

I will also be releasing a Splunk app that provides Splunk CIM compatibility among other things to accompany this contribution, should it be accepted.
https://docs.splunk.com/Documentation/CIM/5.3.2/User/Overview

This app is not compatible with the query searching UI for obvious reasons, therefore we return a NotSupportedException on attempts to query the logs that have been sent off to a remote server.

The app features some basic input format validation for the syslogServers configuration.

Why:
No matter if you are big, security conscious company looking to integrate DNS logging into your SIEM or a homelabber looking to troubleshoot that pesky DNS issue (It's always DNS).
Remote syslog ensures that you can use the collection, indexing and search tooling that you want to keep track of your data.
Syslog is easy to setup, easy to integrate with and most companies already have some kind of syslog collection setup in place.

To get started:

  1. Install the app
  2. edit the configuration
  3. set the syslogServers to a list of ":" pairs representing one or more syslog target servers.
  4. set enableLogging to true to enable the syslog output
  5. Enjoy your newfound power!

Example config:
{ "enableLogging": true, "syslogServers": ["192.168.1.2:514","10.1.2.3:7899"] }

Closes:
#513
#133

Relates to:
#781

Big fan of the project!

@ShreyasZare
Copy link
Member

Thanks for the PR. The syslog support is planned for all DNS server logs wherein the logging format will also need a bit of modification. But having an independent app for query log too is good if someone needs that just for query logs. Will review this PR soon.

@hampusstrom
Copy link
Author

Thank you for taking the time to look into my contribution!

Since you've already got full syslog support planned I see no reason for this app, other than as maybe an interim solution until the full support is live.

I might not write very good C#, but I do have a lot of experience in parsing logs and I know what makes them great.
Both in terms of formatting and contents, especially from a security and auditing point of view.
If you're open to it I'd love to help out with the implementation

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@hampusstrom @ShreyasZare