Collect F5 DNS logs

Supported in:

This document explains how to ingest F5 DNS logs to Google Security Operations using the Bindplane agent.

F5 BIG-IP DNS is a DNS delivery solution that generates syslog messages for DNS queries, responses, and system events. The parser extracts fields from syslog-formatted logs and maps them to the Unified Data Model (UDM).

Before you begin

Make sure you have the following prerequisites:

  • A Google SecOps instance
  • Windows Server 2016 or later, or Linux host with systemd
  • Network connectivity between the Bindplane agent and the F5 BIG-IP appliance
  • If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
  • Privileged access to F5 BIG-IP

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.

  3. Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.

  3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

  1. Open Command Prompt or PowerShell as an administrator.

  2. Run the following command:

    msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

  3. Wait for the installation to complete.

  4. Verify the installation by running:

    sc query observiq-otel-collector

    The service should show as RUNNING.

Linux installation

  1. Open a terminal with root or sudo privileges.

  2. Run the following command:

    sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh

  3. Wait for the installation to complete.

  4. Verify the installation by running:

    sudo systemctl status observiq-otel-collector

    The service should show as active (running).

Additional installation resources

For additional installation options and troubleshooting, see the Bindplane agent installation guide.

Configure the Bindplane agent to ingest syslog and send to Google SecOps

Locate the configuration file

  • Linux:

    sudo nano /etc/bindplane-agent/config.yaml

  • Windows:

    notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"

Edit the configuration file

  • Replace the entire contents of config.yaml with the following configuration:

    receivers:
    udplog:
        listen_address: "0.0.0.0:514"

exporters:
    chronicle/f5_dns:
        compression: gzip
        creds_file_path: '/etc/bindplane-agent/ingestion-auth.json'
        customer_id: '<customer_id>'
        endpoint: malachiteingestion-pa.googleapis.com
        log_type: F5_DNS
        raw_log_field: body

service:
    pipelines:
        logs/f5_dns_to_chronicle:
            receivers:
                - udplog
            exporters:
                - chronicle/f5_dns

Configuration parameters

Replace the following placeholders:

  • Receiver configuration:

    • listen_address: IP address and port to listen on:
      • 0.0.0.0 to listen on all interfaces (recommended)
      • Port 514 is the standard syslog port (requires root on Linux; use 1514 for non-root)

  • Exporter configuration:

    • creds_file_path: Full path to ingestion authentication file:
      • Linux: /etc/bindplane-agent/ingestion-auth.json
      • Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
    • customer_id: Customer ID copied from the Google SecOps console
    • endpoint: Regional endpoint URL:
      • US: malachiteingestion-pa.googleapis.com
      • Europe: europe-malachiteingestion-pa.googleapis.com
      • Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
      • See Regional Endpoints for complete list

Save the configuration file

  • After editing, save the file:
    • Linux: Press Ctrl+O, then Enter, then Ctrl+X
    • Windows: Click File > Save

Restart the Bindplane agent to apply the changes

  • To restart the Bindplane agent in Linux, run the following command:

    sudo systemctl restart observiq-otel-collector

    1. Verify the service is running:

      sudo systemctl status observiq-otel-collector

    2. Check logs for errors:

      sudo journalctl -u observiq-otel-collector -f

  • To restart the Bindplane agent in Windows, choose one of the following options:

    • Command Prompt or PowerShell as administrator:

      net stop observiq-otel-collector && net start observiq-otel-collector

    • Services console:

      1. Press Win+R, type services.msc, and press Enter.
      2. Locate observIQ OpenTelemetry Collector.
      3. Right-click and select Restart.

      4. Verify the service is running:

        sc query observiq-otel-collector

      5. Check logs for errors:

        type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"

Configure a pool of remote logging servers

  1. Sign in to the F5 BIG-IP web UI.
  2. On the Main tab, go to DNS > Delivery > Load Balancing > Pools or Local Traffic > Pools.
  3. Click Create.
  4. Provide the following configuration details:
    • Name: Enter a unique name for the pool.
    • Using New Members setting:
      • Enter the Bindplane agent IP address in the Address field.
      • Enter the Bindplane agent port number in the Service Port field.
  5. Click Add > Finished.

Configure the remote log destination

  1. On the Main tab, go to System > Logs > Configuration > Log Destinations.
  2. Click Create.
  3. Provide the following configuration details:
    • Name: Enter a unique name for this destination.
    • Type: Select Remote High-Speed Log.
    • Pool Name: Select the pool of remote log servers to which you want the BIG-IP system to send log messages.
    • Protocol: Select the protocol used.
  4. Click Finished.

Creating a formatted remote log destination

  1. On the Main tab, go to System > Logs > Configuration > Log Destinations.
  2. Click Create.
  3. Provide the following configuration details:
    • Name: Enter a unique name for this destination.
    • Type: Select Remote Syslog.
    • Format: Select the log format.
    • Forward To: Select High-Speed Log Destination > the destination that points to the pool of remote Syslog servers.
  4. Click Finished.

Configure Log Publisher

  1. On the Main tab, go to System > Logs > Configuration > Log Publishers.
  2. Click Create.
  3. Provide the following configuration details:
    • Name: Enter a unique name for this publisher.
    • Destinations: Select the newly-created destination for Remote Syslog from the Available list, and then click Move to move the destination to the Selected list.
  4. Click Finished.

Configure a custom DNS logging profile

  1. On the Main tab, go to DNS > Delivery > Profiles > Other > DNS Logging or Local Traffic > Profiles > Other > DNS Logging.
  2. Click Create.
  3. Provide the following configuration details:
    • Name: Enter a unique name for this profile.
    • Log Publisher: Select the newly-created destination to which the system sends DNS log entries.
    • Log Queries: Select the Enabled checkbox.
    • Log Responses: Select the Enabled checkbox.
    • Include Query ID: Select the Enabled checkbox.
  4. Click Finished.

Add the DNS profile to the DNS Listener

  1. On the Main tab, go to DNS > Delivery > Listeners > select DNS listener.
  2. From the DNS profile in the Service section, select the DNS profile that you configured previously.
  3. Click Update.

UDM mapping table

Log Field UDM Mapping Logic
application principal.application Directly mapped from the application field.
cipher_name network.tls.cipher Directly mapped from the cipher_name field.
command_line principal.process.command_line Directly mapped from the command_line field.
desc security_result.description Directly mapped from the desc field.
desc_icrd security_result.description Directly mapped from the desc_icrd field.
dest_ip target.ip Directly mapped from the dest_ip field.
dest_port target.port Directly mapped from the dest_port field.
file_path principal.process.file.full_path Directly mapped from the file_path field. Set to true if level is "alert", otherwise not present. Set to true if level is "alert", otherwise not present.
msg3 security_result.description Directly mapped from the msg3 field when application is "run-parts".
metadata.event_type Set to GENERIC_EVENT if event_type is empty, otherwise mapped from event_type. Hardcoded to "DNS". Hardcoded to "F5".
principal_hostname principal.hostname Directly mapped from the principal_hostname field.
proc_id principal.process.pid Directly mapped from the proc_id field.
received_bytes network.received_bytes Directly mapped from the received_bytes field.
resource_id target.resource.id Directly mapped from the resource_id field.
resource_parent principal.resource.parent Directly mapped from the resource_parent field.
response_code network.http.response_code Directly mapped from the response_code field. Determined based on the level field.
src_ip principal.ip Directly mapped from the src_ip field.
src_port principal.port Directly mapped from the src_port field.
tls_version network.tls.version Directly mapped from the tls_version field.
userName principal.user.userid Directly mapped from the userName field.
when event.timestamp Calculated from datetime1 and timezone or datetime and timezone.

Need more help? Get answers from Community members and Google SecOps professionals.