dnstap-receiver Configuration

NIOS currently has no way to store or process dnstap logs after they leave the Grid, so you need some way to unpack and read the dnstap messages NIOS sends. A simple solution is to install dnstap-receiver, a Python module that receives dnstap messages and outputs them in a form Elastic can ingest. It supports several input stream types and can be configured to output readable data in many ways, such as to a syslog server, stdout, a file, and more.

We will use dnstap-receiver to ingest the dnstap messages from NIOS and write them to a file. Later, we will configure Logstash to ingest that file into Kibana. dnstap-receiver is configured with external config files, similar to Logstash. Let's create the config file that writes the readable messages to a file. Note: For this demo, dnstap-receiver was installed on the same Ubuntu VM as Elastic. It is best practice to keep these pieces of software on separate VMs.

  1. Access the machine where your dnstap-receiver instance is installed. Follow the installation instructions on its Python module page to install it.

  2. Open a terminal.

  3. To keep things tidy, create a new directory into which dnstap-receiver will write the logfile that Elastic will ingest:

sudo mkdir /var/log/dnstap

  4. Then create the logfile. Note: We do this because the logfile must exist before dnstap-receiver is started; otherwise it will throw an error.

sudo touch /var/log/dnstap/dnstap.json

  5. dnstap-receiver must be able to write to the logfile. The following command makes every file inside /var/log/dnstap readable, writable, and executable by all users on the machine. That is broader than the receiver needs, so outside a demo prefer giving ownership of the directory to the account that runs dnstap-receiver. Alternatively, you can store the logfile in a directory that is already writable, such as Documents, if you do not wish to change permissions.

sudo chmod -R 777 /var/log/dnstap/

  6. Now create a new directory in which the config file will live:

sudo mkdir /etc/dnstap-receiver

  7. Then create the config file:

sudo touch /etc/dnstap-receiver/dnstap.conf

  8. Open the file with gedit for editing:

sudo gedit /etc/dnstap-receiver/dnstap.conf

  9. Copy and paste the following into the file. Save and close the file when finished.

output:
  file:
    # enable or disable
    enable: true
    # format available text|json|yaml
    format: json
    # log file path or null to print to stdout
    file: /var/log/dnstap/dnstap.json
    # max size for log file
    file-max-size: 100M
    # number of max log files
    file-count: 10

This file tells dnstap-receiver to write the dnstap messages in JSON format to the dnstap.json file we created earlier. You can set various other parameters here, such as the maximum size of the logfile or the maximum number of files to keep.
These files can grow very large, so adjust the size and rotation settings to your needs. Logstash offers many modules to simplify this.
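As an added check, not part of dnstap-receiver or this guide, the following POSIX shell script reads the output/file keys from dnstap.conf and verifies the preconditions listed above before the receiver is started: the output is enabled, the format is one the receiver accepts, the logfile already exists and is writable by the account that will run dnstap-receiver, and it warns when the file is world-writable (which the chmod -R 777 shortcut makes it). It assumes the config uses exactly the keys shown above and that it is run as that account.

```shell
#!/bin/sh
# Preflight check for the dnstap-receiver file output configured above.
# Added example; not part of dnstap-receiver or the original guide.
# Assumes the config uses the output/file keys shown on the page
# (enable, format, file) and runs as the user that starts dnstap-receiver.

# Print the first value of key "$2" (e.g. "format") found in config "$1".
# A bare section line such as "  file:" has no value and is skipped.
conf_value() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*\([^[:space:]#]\{1,\}\).*/\1/p" "$1" | head -n 1
}

# Return 0 when the file output can be used, 1 with a message otherwise.
check_dnstap_output() {
  conf="$1"
  [ -r "$conf" ] || { echo "config $conf is not readable"; return 1; }
  enable=$(conf_value "$conf" enable)
  format=$(conf_value "$conf" format)
  logfile=$(conf_value "$conf" file)
  [ "$enable" = true ] || { echo "file output is not enabled"; return 1; }
  case "$format" in
    text|json|yaml) ;;
    *) echo "unsupported format '$format' (use text, json or yaml)"; return 1 ;;
  esac
  # A null (or missing) path means stdout, so there is nothing on disk to check.
  if [ -z "$logfile" ] || [ "$logfile" = null ]; then return 0; fi
  dir=$(dirname "$logfile")
  [ -d "$dir" ] || { echo "directory $dir does not exist"; return 1; }
  # dnstap-receiver errors out if the logfile does not already exist.
  [ -f "$logfile" ] || { echo "logfile $logfile does not exist; create it with touch"; return 1; }
  [ -w "$logfile" ] || { echo "logfile $logfile is not writable by $(id -un)"; return 1; }
  # Column 9 of "ls -ld" is the other-write bit: a world-writable log lets any
  # local user alter or truncate the DNS evidence trail.
  if [ "$(ls -ld "$logfile" | cut -c9)" = w ]; then
    echo "warning: $logfile is world-writable; prefer ownership by the dnstap-receiver account"
  fi
  echo "ok: $format output to $logfile"
  return 0
}
```

Run it as `sh check.sh` after defining the functions, or source it and call `check_dnstap_output /etc/dnstap-receiver/dnstap.conf`.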