
NSS feeds for DNS logs

This feed type is only available on an NSS for Firewall server.

A large number of filters, or complex filters such as string searches, can degrade the performance of the NSS.

To configure a feed for DNS logs:

  1. Go to Administration → Nanolog Streaming Service.
  2. On the NSS Feeds tab, click Add NSS Feed. The Add NSS Feed window appears.
  3. On the Add NSS Feed window, enter the following information:

    Feed Name: Enter or edit the name of the feed. Each feed is one connection between NSS and your Devo Relay.

    NSS Type: Select the type of feed you are configuring. Choose NSS for Firewall.

    NSS Server: Choose an NSS server from the list.

    Status: The NSS feed is Enabled by default. Select Disabled if you want to activate it later.

    SIEM Destination Type: The type of destination. Choose between:

    • SIEM IP Address - Enter the IP address of the Devo Relay to which the logs are streamed.

    • FQDN - (optional) Enter the fully qualified domain name of the Devo Relay that the TCP connection is made to. This allows failover from one IP address to another by updating the DNS entry rather than by manual reconfiguration. NSS re-resolves the FQDN only when the existing connection goes down, so this cannot be used for DNS-based load balancing.

    SIEM TCP Port: Enter the port number of the Devo Relay to which the logs are streamed. If you are using the proposed TCP configuration, type 13005.

    Log Type: Choose DNS Logs.

    Feed Output Type: Choose Custom.

    Feed Escape Character: The Zscaler service hex-encodes all non-printable ASCII characters in URLs before it sends the logs to the NSS. Any URL character below 0x21 or above 0x7E is encoded as %HH, so that your Devo Relay can parse URLs even when they contain non-printable characters. For example, a newline (\n) in a URL is encoded as %0A and a space as %20. In this field you can specify additional characters to encode; for example, enter a comma (,) to encode it as %2C, which is useful when a comma is your delimiter and must not split a field. The service encodes characters in URLs, hostnames, and referer URLs only. If custom encoding was applied to a record, the %s{eedone} field is YES for that record.

    Feed Output Format: Copy and paste the following output format:

    \{"time":"%s{time}","ss":%02d{ss},"mm":%02d{mm},"hh":%02d{hh},"dd":%02d{dd},"mth":%02d{mth},"yyyy":%04d{yyyy},"reqrulelabel":"%s{reqrulelabel}","reqaction":"%s{reqaction}","resrulelabel":"%s{resrulelabel}","resaction":"%s{resaction}","login":"%s{login}","dept":"%s{dept}","cip":"%s{cip}","durationms":%d{durationms},"sip":"%s{sip}","recordid":%d{recordid},"location":"%s{location}","req":"%s{req}","domcat":"%s{domcat}","reqtype":"%s{reqtype}","sport":%d{sport}\}\n

    User Obfuscation: You can enable user obfuscation, which outputs a random string instead of the user name. When it is enabled, the login field in the Feed Output Format automatically changes to the ologin field, which outputs the obfuscated login name. Choose Disable to output the real user names.

    Timezone: By default, this is set to the organization's time zone. The time zone you set applies to the time field in the output. It adjusts automatically for daylight saving time in the selected zone. The configured time zone can be output to the logs as a separate field. The list of time zones is derived from the IANA Time Zone Database; direct GMT offsets can also be specified.

    Duplicate Logs: To ensure that no logs are skipped during downtime, specify the number of minutes for which NSS sends duplicate logs. Expect repeated records on the Devo side for that window.
  4. Click Save and activate the change.
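The Feed Escape Character and Feed Output Format fields above interact in a way that is easy to get wrong: the format wraps req in double quotes, but the default %HH rule only encodes characters below 0x21 or above 0x7E, so a double quote or backslash in a requested name passes through unencoded and breaks (or silently corrupts) the JSON record. The script below is an added example, not code from the Devo or Zscaler documentation. It emulates the feed end to end: nss_escape() applies the documented %HH rule plus any extra escape characters; render_nss_format() is a hypothetical emulation (an assumption, not Zscaler code) of how NSS expands %s{field} / %02d{field} tokens and the \{ \} \n escapes; the transaction in build_record() is constructed, not real traffic.

```python
"""Added example; not code from the Devo or Zscaler documentation.
Emulates the NSS custom DNS feed and checks that what reaches the Relay is
parseable JSON whose req field decodes back to the original name.
Assumptions: nss_escape() follows the documented %HH rule; render_nss_format()
is a hypothetical emulation of NSS token expansion; the sample transaction is
constructed, not real traffic."""
import json
import re
from typing import Optional
from urllib.parse import unquote

# The Feed Output Format from the procedure above, as a raw string so the
# \{ \} \n escapes reach the renderer untouched.
NSS_DNS_FORMAT = (
    r'\{"time":"%s{time}","ss":%02d{ss},"mm":%02d{mm},"hh":%02d{hh},'
    r'"dd":%02d{dd},"mth":%02d{mth},"yyyy":%04d{yyyy},'
    r'"reqrulelabel":"%s{reqrulelabel}","reqaction":"%s{reqaction}",'
    r'"resrulelabel":"%s{resrulelabel}","resaction":"%s{resaction}",'
    r'"login":"%s{login}","dept":"%s{dept}","cip":"%s{cip}",'
    r'"durationms":%d{durationms},"sip":"%s{sip}","recordid":%d{recordid},'
    r'"location":"%s{location}","req":"%s{req}","domcat":"%s{domcat}",'
    r'"reqtype":"%s{reqtype}","sport":%d{sport}\}\n'
)

# One pass over the format: a %[width](s|d){field} token or one of the
# backslash escapes \{ \} \n. Values substituted in are never re-scanned.
_TOKEN = re.compile(r"%(\d*)([sd])\{(\w+)\}|\\([{}n])")
_ESCAPES = {"{": "{", "}": "}", "n": "\n"}


def nss_escape(value: str, extra: str = "") -> str:
    """Documented NSS rule: every character below 0x21 or above 0x7E becomes
    %HH (one per UTF-8 byte for non-ASCII), plus any character listed in the
    Feed Escape Character field, passed here as `extra`."""
    out = []
    for ch in value:
        if ord(ch) < 0x21 or ord(ch) > 0x7E or ch in extra:
            out.append("".join("%%%02X" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def render_nss_format(fmt: str, record: dict) -> str:
    """Hypothetical emulation of NSS token expansion (assumption, not Zscaler
    code): %s{f} inserts str(record[f]); %02d{f} a zero-padded integer."""
    def expand(m):
        width, kind, field, esc = m.groups()
        if esc is not None:
            return _ESCAPES[esc]
        if kind == "d":
            return str(int(record[field])).zfill(int(width or 0))
        return str(record[field])
    return _TOKEN.sub(expand, fmt)


def build_record(req: str, extra_escape: str = "") -> dict:
    """Constructed sample transaction (not real data). Only req goes through
    the escape rule: the service encodes URLs, hostnames and referers only."""
    return {
        "time": "Mon Jan 15 10:02:03 2024", "ss": 3, "mm": 2, "hh": 10,
        "dd": 15, "mth": 1, "yyyy": 2024,
        "reqrulelabel": "Default Rule", "reqaction": "Allow",
        "resrulelabel": "Default Rule", "resaction": "Allow",
        "login": "jdoe@example.com", "dept": "Engineering",
        "cip": "198.51.100.100", "durationms": 12, "sip": "203.0.113.53",
        "recordid": 42, "location": "HQ", "req": nss_escape(req, extra_escape),
        "domcat": "Business", "reqtype": "A", "sport": 53,
    }


def render_sample(req: str, extra_escape: str = "") -> str:
    """Render one constructed transaction through the feed format."""
    return render_nss_format(NSS_DNS_FORMAT, build_record(req, extra_escape))


def is_strict_json(line: str) -> bool:
    """True if an RFC 8259 parser accepts the line exactly as sent."""
    try:
        json.loads(line)
        return True
    except json.JSONDecodeError:
        return False


def normalize_padded_numbers(line: str) -> str:
    """%02d{ss} and friends emit bare 03, 01, ... after the key's colon, which
    strict JSON rejects (leading zeros). Strip them before a strict parse; the
    pattern needs '":0' so digits inside the quoted time string are untouched."""
    return re.sub(r'":0+(?=\d)', '":', line)


def parse_feed_line(line: str) -> dict:
    """Relay-side view: normalize, JSON-decode, then undo the %HH encoding on
    req, the only encoded field in this format."""
    rec = json.loads(normalize_padded_numbers(line))
    rec["req"] = unquote(rec["req"])
    return rec


def check_feed(req: str, extra_escape: str = "") -> Optional[str]:
    """The req the Relay would recover, or None when the rendered line is not
    parseable JSON (the record would be rejected or mis-split downstream)."""
    try:
        return parse_feed_line(render_sample(req, extra_escape))["req"]
    except json.JSONDecodeError:
        return None
```

Two findings from running it are worth acting on. First, a requested name containing a double quote yields a record that no JSON parser accepts, and one containing a backslash is worse: `\b` is a legal JSON escape, so the name is silently decoded to a backspace. Adding `"` and `\` to Feed Escape Character turns both into %22 and %5C and the original name round-trips; check %s{eedone} if you want to know which records were touched. Second, the %02d and %04d tokens produce zero-padded bare numbers such as `"mth":01`, which Devo's own parser for this format expects but a strict RFC 8259 parser rejects, so any tooling you point at the raw stream needs the normalization shown. A literal `%` in a name is likewise ambiguous after decoding unless you add `%` to the escape list as well.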

Available filters

Policy actions

  • Allow: Use this filter to limit the logs to allowed DNS requests and responses.

  • Block: Use this filter to limit the logs to DNS requests and responses that the service dropped.

  • Redirect: Use this filter to limit the logs to transactions wherein the service redirected the DNS request or response.

  • Request Allow: Use this filter to limit the logs to allowed DNS requests only.

  • Request Block: Use this filter to limit the logs to DNS requests that the service dropped.

  • Request Redirect: Use this filter to limit the logs to DNS requests that the service redirected.  

  • Response Allow: Use this filter to limit the logs to allowed DNS responses only.

  • Response Block: Use this filter to limit the logs to DNS responses that the service dropped.

  • Response Redirect: Use this filter to limit the logs to DNS responses that the service redirected.  

Rule name

Use this filter to limit the logs based on specific rules in the DNS Control policy. Choose the rules from the list.

Who 

  • Users: Use this filter to limit the logs to specific users who generated transactions. To use the Search function, enter either the user name or email address in the Search box and click Search. There is no limit on the number of users that you can select. Users that are deleted after they are selected appear with a strikethrough line.

  • Departments: Use this filter to limit the logs to specific departments that generated transactions. To use the Search function, enter the department name in the Search box and click Search. There is no limit on the number of departments that you can select. Departments that are deleted after they are selected appear with a strikethrough line.

Source

  • Locations: Use this filter to limit the logs to specific locations and sublocations. To use the Search function, enter the location name in the Search box and click Search. There is no limit on the number of locations that you can select. Locations that are deleted after they are selected appear with a strikethrough line.

  • Client IP Addresses: Use this filter to limit the logs based on a client’s IP address. You can enter:

    • An IP address (for example, 198.51.100.100)

    • A range of IP addresses (for example, 192.0.2.1-192.0.2.10)

    • An IP address with a netmask (for example, 203.0.113.0/24)

You can enter multiple entries. Hit Enter after each entry, then click Add Items. For item lists, you can view up to 500 items on a page; filter the list by searching for a word, phrase, or number contained in an item; and remove all items from the list (Remove All) or only items from a specific page (Remove Page). If you select Remove All or Remove Page, a confirmation window will appear.

Destination

  • Server IP Addresses: Use this filter to limit the logs to specific server IP addresses. You can enter:

    • An IP address (for example, 198.51.100.100)

    • A range of IP addresses (for example, 192.0.2.1-192.0.2.10)

    • An IP address with a netmask (for example, 203.0.113.0/24)

You can enter multiple entries. Hit Enter after each entry, then click Add Items. For item lists, you can view up to 500 items on a page; filter the list by searching for a word, phrase, or number contained in an item; and remove all items from the list (Remove All) or only items from a specific page (Remove Page). If you select Remove All or Remove Page, a confirmation window will appear.

  • Server Ports: Use this filter to limit the logs to specific server ports. You can specify individual ports and a range of ports. For item lists, you can view up to 500 items on a page; filter the list by searching for a word, phrase, or number contained in an item; and remove all items from the list (Remove All) or only items from a specific page (Remove Page). If you select Remove All or Remove Page, a confirmation window will appear.

  • IP Domain Classes: Use this filter to limit the logs to specific URL classes associated with the domain in the request.

  • IP Domain Super Categories: Use this filter to limit the logs to specific URL super categories associated with the domain in the request.

  • IP Domain Categories: Use this filter to limit the logs to specific URL categories associated with the domain in the request.  

Session

  • Domains: Use this filter to limit the logs to sessions associated with specific domains. For item lists, you can view up to 500 items on a page; filter the list by searching for a word, phrase, or number contained in an item; and remove all items from the list (Remove All) or only items from a specific page (Remove Page). If you select Remove All or Remove Page, a confirmation window will appear.

  • DNS Request Types: Use this filter to limit the logs to sessions associated with specific DNS request types.

  • DNS Response Codes: Use this filter to limit the logs to sessions associated with specific DNS response codes.

  • DNS Responses: Use this filter to limit the logs to sessions whose DNS responses contained specific data. You can specify domain names and IPv4 or IPv6 addresses. For IPv4 addresses, you can enter:

    • An IP address (for example, 198.51.100.100)

    • A range of IP addresses (for example, 192.0.2.1-192.0.2.10)

    • An IP address with a netmask (for example, 203.0.113.0/24)

You can enter multiple entries separated by commas. For item lists, you can view up to 500 items on a page; filter the list by searching for a word, phrase, or number contained in an item; and remove all items from the list (Remove All) or only items from a specific page (Remove Page). If you select Remove All or Remove Page, a confirmation window will appear.

  • Durations: Use this filter to limit the logs based on the duration of the sessions, in seconds. For item lists, you can view up to 500 items on a page; filter the list by searching for a word, phrase, or number contained in an item; and remove all items from the list (Remove All) or only items from a specific page (Remove Page). If you select Remove All or Remove Page, a confirmation window will appear.
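The Client IP Addresses, Server IP Addresses and DNS Responses filters all accept the same three address forms (a single address, a first-last range, and an address with a netmask). The script below is an added example, not code from the Devo or Zscaler documentation: it implements those forms with the standard ipaddress module and applies them to constructed feed records, so you can see which records a filter list would keep before committing it, and find entries that a shorter list would already cover (the page notes that a large number of filters costs NSS performance). It assumes that filters of different kinds combine with AND, that an empty filter imposes no restriction, and that SAMPLE_RECORDS (constructed) carry only the feed's cip, sip and req fields.

```python
"""Added example; not code from the Devo or Zscaler documentation.
Matcher for the address forms the NSS feed filters accept, applied to
constructed records. Assumptions: filters AND together; an empty filter means
no restriction; SAMPLE_RECORDS are constructed, not real traffic."""
import ipaddress
from typing import Iterable, List, Tuple

Bounds = Tuple[int, int, int]  # (low, high, ip version), bounds inclusive


def parse_entry(entry: str) -> Bounds:
    """One filter entry -> integer bounds. Accepts 198.51.100.100,
    192.0.2.1-192.0.2.10 and 203.0.113.0/24, and IPv6 in the same forms."""
    entry = entry.strip()
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if lo.version != hi.version or int(lo) > int(hi):
            raise ValueError("bad range: %s" % entry)
        return int(lo), int(hi), lo.version
    if "/" in entry:
        # strict=False: host bits in the address part are ignored, the mask wins
        net = ipaddress.ip_network(entry, strict=False)
        return int(net.network_address), int(net.broadcast_address), net.version
    addr = ipaddress.ip_address(entry)
    return int(addr), int(addr), addr.version


class AddressFilter:
    """The entries of one address filter; an empty list restricts nothing."""

    def __init__(self, entries: Iterable[str] = ()):
        self.bounds = [parse_entry(e) for e in entries]

    def matches(self, ip: str) -> bool:
        if not self.bounds:
            return True
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False  # e.g. a CNAME answer in DNS Responses: not an address
        n = int(addr)
        return any(lo <= n <= hi and v == addr.version for lo, hi, v in self.bounds)


# Constructed records carrying the feed's cip (client) and sip (server) fields.
SAMPLE_RECORDS = [
    {"recordid": 1, "cip": "198.51.100.100", "sip": "203.0.113.53", "req": "www.example.com"},
    {"recordid": 2, "cip": "192.0.2.7", "sip": "203.0.113.53", "req": "mail.example.com"},
    {"recordid": 3, "cip": "192.0.2.20", "sip": "203.0.113.53", "req": "www.example.net"},
    {"recordid": 4, "cip": "198.51.100.100", "sip": "192.0.2.53", "req": "www.example.org"},
]


def selected_ids(records, client_entries=(), server_entries=()) -> List[int]:
    """recordids kept when both the client and the server address filter match."""
    client, server = AddressFilter(client_entries), AddressFilter(server_entries)
    return [r["recordid"] for r in records
            if client.matches(r["cip"]) and server.matches(r["sip"])]


def redundant_entries(entries: Iterable[str]) -> List[str]:
    """Entries wholly covered by another entry in the list (exact repeats keep
    their first copy); removing them shrinks the filter without changing what
    it matches."""
    parsed = [(e, parse_entry(e)) for e in entries]
    out = []
    for i, (e, (lo, hi, v)) in enumerate(parsed):
        for j, (_, (lo2, hi2, v2)) in enumerate(parsed):
            same = (lo2, hi2) == (lo, hi)
            if i != j and v == v2 and lo2 <= lo and hi <= hi2 and (not same or j < i):
                out.append(e)
                break
    return out
```

Run redundant_entries() over a filter list before pasting it into the feed; a host address already inside a listed netmask, or a range inside a larger range, adds NSS work without changing the selection.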