Dave Glover

Pi-hole log support in NetWitness

Discussion created by Dave Glover Employee on Nov 5, 2020

Many of you may be using a Pi-hole in your home labs, or even at the office.  The issue is the logs are stored in a local text file and NetWitness does not support the logs.

 

As many know DNS records are very useful in threat hunting, so I wanted to bring these into my NetWitness deployment.

 

I was able to build support for Pi-hole, and by following these directions you can support PI-hole in your NetWitness deployment.

 

Start with logging into your Pi-hole system

 

Step 1: You need to locate your Pi-hole logs.  By default these are located in /var/log.pi-hole.log

Step 2: You need to add the following to your /etc/rsyslog.conf file on your Pi-hole system (at the bottom if the file will be just fine)

 

$ModLoad imfile # load the imfile input module

$InputFileName /var/log/pihole.log

$InputFileTag %pihole-DNS
$InputFileStateFile state-pihole
$InputRunFileMonitor
*.* @{ip of your log decoder]

 

 

Once you add those you need to save the file and restart rsyslog

 

sudo systemctl restart rsyslog

 

At this point the Pi-hole will be sending the logs to NetWitness.  Now we need to set up NetWitness to parse the logs.

 

Included in this post is the parser in zip format.  In the NetWitness UI navigate to 'configure' -> 'Live Content' 

Click on 'Package' and select 'Deploy'   Select the zip file from this post.  Apply the parser to the log decoder[s].

 

You will need to add the following field to the table-map-custom file on the log decoder

 

<mapping envisionName="dns_querytype" flags="None" nwName="dns.querytype"/>

 

You will the need to reload the parsers to apply that change   

 

services->log decoder -> explore   open log decoder and right click 'parsers'  and then select reload in the menu and then click the blue 'send' button

 

Then that meta key needs to be indexed by adding the following to the index-concentrator-custom.xml file on the concentrator[s]  

 

<key description="DNS Query Type" format="Text" level="IndexValues" name="dns.querytype " valueMax="1000000"/>

 

You will then need to save the current index file to have this new configuration loaded.

 

services->concentrator-> explore    right click on 'index' and then in the dropdown select 'save' then click the blue send button

 

Once you have followed these steps you should have data parsing as below:

 

 

 

 

If you have any question please feel free to reach out

Attachments

Outcomes