Serverless Network Log Shipping, Enrichment & ETL with Oracle Functions to SIEM (Splunk | Qradar ) on Oracle Cloud Infrastructure

Vamsi Ramakrishnan
5 min read, May 1, 2020


This article outlines the architecture and deployment methodology for a scalable, low-cost, zero-maintenance pipeline that enriches and exports Network Flow Logs (also known as VCN Flow Logs) from Oracle Cloud Infrastructure to a SIEM.

Data Flow Architecture

What questions do Plain Flow Logs help answer

Which source?
Which destination?
Which protocol?
Did it pass through the firewall?

What questions do Enhanced Flow logs help answer

Which virtual NIC did this packet originate from?
Which subnet is the virtual NIC a part of?
Which VCN is the subnet a part of?
Which Security List or Network Security Group allowed this packet, or caused it to be rejected or dropped?
Which compartment do all of these resources belong to?

This can be considered a follow-up to the article below, which outlines how to use a serverless pipeline to export Audit events to Splunk. Link to the previous article below.

Statistics

Number of data centers / regions in tenancy: 4 regions
Number of compartments in each region: 96 compartments
Number of VCNs in tenancy: 119
Number of subnets per VCN: 2 subnets / VCN
Number of unique flow log events processed per day: 40 million+ events

Design Goals

Event driven 
Scalable
Low-Cost
Zero maintenance
Secure
Least Privilege Access

For the Impatient

Link to the entire source code and deployment tutorial.

Components Used

Logging

OCI Logging is a cloud-native, fully managed service that can collect, index, search and aggregate logs from multiple log sources (OCI services). Here, OCI Logging is used to extract VCN Flow Log information from each subnet in the tenancy.

Whitelist your tenancy for Logging

Object Storage

Object Storage is the low-cost, highly scalable, zero-management target for all VCN Flow Log files. Automated object lifecycle policies set on the objects simplify garbage collection of the log files that the Logging service pushes there, once the serverless data pipeline has processed them.

Events Service

The Events service is the glue of the event-driven architecture: it generates events when log files are created in Object Storage, based on a pre-defined set of conditions. It is an extremely useful service that can be leveraged to drive highly automated, zero-ops workflows.

Filter and Trigger Event only on Object Creation

Functions

Oracle Functions is an extension of the popular open-source Fn Project, backed by Oracle. Oracle Cloud Infrastructure integrates seamlessly with the Fn Project and simplifies deploying code written in popular languages such as Python, Java, etc. In this architecture, the enrich-flow-log function does the following:

  1. Reads the flow log object that was created
  2. Extracts the object metadata and uses it to populate the network metadata by querying the OCI API
  3. Parses the log file into a JSON document
  4. Uses the Splunk HEC interface to publish it to Splunk

Raw VCN Flow Log

HEADERS
--------

<version>
<srcaddr>
<dstaddr>
<srcport>
<dstport>
<protocol>
<packets>
<bytes>
<start_time>
<end_time>
<action>
<status>
PAYLOAD
--------
2 172.16.2.145 172.16.2.179 82 64 13 112 441 1557424462 1557424486 REJECT OK

Enriched JSON

The metadata enhances readability and eases debugging by adding the following context:

{
"version": "",
"srcaddr": "-",
"dstaddr": "-",
"srcport": "-",
"dstport": "-",
"protocol": "-",
"packets": "-",
"bytes": "-",
"start_time": "",
"end_time": "",
"action": "",
"status": "",
"compartmentId": "",
"compartmentName": "",
"availabilityDomain": "",
"vcnId": "",
"vcnName": "",
"subnetId": "",
"subnetName": "",
"vnicId": "",
"vnicName": "",
"securityListIds": [""],
"securityListNames": [""],
"nsgIds": [],
"nsgNames": []

}
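The following is an added example, not the article's enrich-flow-log function or any OCI SDK code. It parses the raw flow log line shown above into the enriched JSON layout, merges in the network context (the metadata dict is constructed here; the real function obtains it from the OCI API), and wraps the result in a Splunk HEC event. The HEC URL, token and sourcetype are placeholders.

```python
import json
import urllib.request

# Field order of a raw VCN flow log line, as listed in the HEADERS section.
FLOW_LOG_FIELDS = ("version", "srcaddr", "dstaddr", "srcport", "dstport", "protocol",
                   "packets", "bytes", "start_time", "end_time", "action", "status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes",
              "start_time", "end_time"}


def parse_flow_log_line(line):
    """Split one space-separated flow log line into a dict keyed by header name."""
    parts = line.split()
    if len(parts) != len(FLOW_LOG_FIELDS):
        raise ValueError(f"expected {len(FLOW_LOG_FIELDS)} fields, got {len(parts)}: {line!r}")
    record = dict(zip(FLOW_LOG_FIELDS, parts))
    for key in INT_FIELDS:
        record[key] = int(record[key])  # numeric fields become ints so Splunk can range-search them
    return record


def parse_flow_log_object(text, vnic_metadata):
    """Parse every non-empty line of a log object and merge in the VNIC's network context.
    In the real function vnic_metadata is looked up via the OCI API; here it is passed in."""
    return [{**parse_flow_log_line(ln), **vnic_metadata} for ln in text.splitlines() if ln.strip()]


def to_hec_event(record, sourcetype="oci:vcn:flowlog"):
    """Wrap an enriched record in a Splunk HEC envelope, timestamped with the flow's start_time."""
    return {"time": record["start_time"], "sourcetype": sourcetype, "event": record}


def build_hec_request(hec_url, hec_token, events):
    """Build the POST for the HEC event endpoint; HEC accepts newline-separated JSON events."""
    body = "\n".join(json.dumps(e) for e in events).encode()
    headers = {"Authorization": f"Splunk {hec_token}", "Content-Type": "application/json"}
    return urllib.request.Request(hec_url, data=body, method="POST", headers=headers)


# Constructed sample input: the payload line from the article plus hypothetical metadata.
SAMPLE_OBJECT = "2 172.16.2.145 172.16.2.179 82 64 13 112 441 1557424462 1557424486 REJECT OK\n"
SAMPLE_METADATA = {"compartmentName": "net-prod", "vcnName": "vcn-1", "subnetName": "subnet-a",
                   "vnicName": "vnic-a", "securityListNames": ["default-sl"], "nsgNames": []}

if __name__ == "__main__":
    events = [to_hec_event(r) for r in parse_flow_log_object(SAMPLE_OBJECT, SAMPLE_METADATA)]
    req = build_hec_request("https://splunk.example:8088/services/collector/event",
                            "HEC-TOKEN-PLACEHOLDER", events)
    print(req.data.decode())
```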

Deployment Architecture

Ease of Use:
=> Zero patching
=> Zero maintenance
=> No need to size
=> Deploy-and-forget model
Scalability:
=> Functions are massively parallel
=> The entire architecture is event driven
Security:
=> The function is deployed on a private subnet
=> Instance Principals and Dynamic Groups for least privilege
=> No ingress traffic is allowed
=> Object Storage access through Service Gateway only
=> Egress to Splunk through NAT Gateway
=> Egress allowed only on specific Splunk ports and URL
Cost:
=> Truly pay-per-use
=> Events are billed on invocations only
=> Object Storage policy retains objects for only 1 day
=> Fn cost is based on invocations only

Further Reading

Flow Logs

Here's a brief description of what VCN Flow Logs are.

Resource Properties

OCI resources are organized inside compartments and span basic building blocks such as regions and availability domains. This is a refresher on why one setup per region is needed.

First Principles

Multi-Region Deployment Architecture

Below is a representation of how this setup can be extended to multiple regions populating data to the same Splunk instance.

Other Similar Blogs


I work for Google. All views expressed in this publication are my own. Google Cloud | ex-Oracle | https://goo.gl/aykaPB