Serverless Network Log Shipping, Enrichment & ETL with Oracle Functions to SIEM (Splunk | QRadar) on Oracle Cloud Infrastructure
This article outlines the architecture and deployment methodology for a scalable, low-cost, zero-maintenance way of enriching and exporting Network Flow Logs, also known as VCN Flow Logs, from Oracle Cloud Infrastructure.
What questions do plain Flow Logs help answer?
Which source?
Which destination?
Which protocol?
Did it pass through the firewall?
What questions do enhanced Flow Logs help answer?
Which virtual NIC did this packet originate from?
Which subnet is the virtual NIC a part of?
Which VCN is the subnet a part of?
Which Security List or Network Security Group allowed this packet, or rejected or dropped it?
Which compartment do all these resources belong to?
This can be considered a follow-up to the article linked below, which outlines how to use a serverless pipeline to export Audit events to Splunk. Link to the previous article below.
Statistics
Number of data centers / regions in tenancy: 4 regions
Number of compartments in each region: 96 compartments
Number of VCNs in tenancy: 119
Number of subnets per VCN: 2 subnets / VCN
Number of unique Flow Log events processed per day: 40+ million events
Design Goals
Event driven
Scalable
Low-Cost
Zero maintenance
Secure
Least Privilege Access
For the Impatient
Link to the entire source code and deployment tutorial.
Components Used
Logging
OCI Logging is a cloud-native, fully managed service that collects, indexes, searches and aggregates logs from multiple log sources (OCI services). Here, OCI Logging is used to extract VCN Flow Log information from each subnet in the tenancy.
Whitelist your tenancy for Logging
Object Storage
Object Storage is the low-cost, highly scalable, zero-management target for all VCN Flow Log files. Automated object lifecycle policies on the bucket simplify garbage collection of the log files that the Logging service pushes there once the serverless data pipeline has processed them.
Events Service
The Events service is the glue of the event-driven architecture: it emits an event when a log file is created in Object Storage and matches a pre-defined set of conditions. It is an extremely useful service for driving highly automated, zero-ops workflows.
Functions
Oracle Functions is an extension of the popular open-source Fn Project, backed by Oracle. Oracle Cloud Infrastructure integrates seamlessly with the Fn Project and simplifies deploying functions written in popular languages such as Python and Java. In this architecture, the enrich-flow-log function does the following:
- Reads the flow log object that was created
- Extracts the object metadata and uses it to populate the network metadata by querying the OCI API
- Parses the log file into a JSON document
- Uses the Splunk HEC interface to publish it to Splunk
Raw VCN Flow Log
HEADERS
--------
<version> <srcaddr> <dstaddr> <srcport> <dstport> <protocol> <packets> <bytes> <start_time> <end_time> <action> <status>

PAYLOAD
--------
2 172.16.2.145 172.16.2.179 82 64 13 112 441 1557424462 1557424486 REJECT OK
Enriched JSON
The metadata enhances readability and eases debugging by adding the following context to each raw record:
{
  "version": "",
  "srcaddr": "-",
  "dstaddr": "-",
  "srcport": "-",
  "dstport": "-",
  "protocol": "-",
  "packets": "-",
  "bytes": "-",
  "start_time": "",
  "end_time": "",
  "action": "",
  "status": "",
  "compartmentId": "",
  "compartmentName": "",
  "availabilityDomain": "",
  "vcnId": "",
  "vcnName": "",
  "subnetId": "",
  "subnetName": "",
  "vnicId": "",
  "vnicName": "",
  "securityListIds": [""],
  "securityListNames": [""],
  "nsgIds": [],
  "nsgNames": []
}
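The following is an added example, not code from the article or its linked repository, that walks through the four steps of the enrich-flow-log function above: locate the object named in the Object Storage create event, parse each raw flow log line using the column order of the HEADERS block, attach the network metadata, and shape the result as Splunk HEC events. The OCI API lookups are replaced by a constructed in-memory table (SAMPLE_NETWORK_METADATA) so the code runs offline; the OCIDs, names, VNIC id and event fields in it are all constructed sample values, and the real function would fill the same dictionary from the OCI Python SDK (oci.core.VirtualNetworkClient and oci.identity.IdentityClient) instead.

```python
import json
import urllib.request

# Column order of a raw VCN Flow Log record, matching the HEADERS block above.
FLOW_LOG_FIELDS = [
    "version", "srcaddr", "dstaddr", "srcport", "dstport", "protocol",
    "packets", "bytes", "start_time", "end_time", "action", "status",
]
# Fields that are numeric in the raw record; "-" marks an absent value.
INTEGER_FIELDS = {"version", "srcport", "dstport", "protocol",
                  "packets", "bytes", "start_time", "end_time"}

# Constructed sample of what the OCI API lookups return, keyed by VNIC OCID.
# In the real function this comes from get_vnic / get_subnet / get_vcn /
# get_security_list / get_network_security_group / get_compartment.
SAMPLE_NETWORK_METADATA = {
    "ocid1.vnic.oc1..example-vnic": {
        "vnicName": "web-01-vnic",
        "subnetId": "ocid1.subnet.oc1..example-subnet",
        "subnetName": "app-subnet",
        "vcnId": "ocid1.vcn.oc1..example-vcn",
        "vcnName": "prod-vcn",
        "compartmentId": "ocid1.compartment.oc1..example-comp",
        "compartmentName": "prod",
        "availabilityDomain": "AD-1",
        "securityListIds": ["ocid1.securitylist.oc1..example-sl"],
        "securityListNames": ["app-subnet-sl"],
        "nsgIds": [],
        "nsgNames": [],
    }
}


def object_from_event(event):
    """Step 1: pull namespace, bucket and object name out of the
    com.oraclecloud.objectstorage.createobject event the function receives."""
    data = event["data"]
    details = data["additionalDetails"]
    return details["namespace"], details["bucketName"], data["resourceName"]


def parse_flow_log_line(line):
    """Step 3: turn one whitespace-separated raw record into a dict.
    A record with the wrong field count is rejected rather than guessed at."""
    parts = line.split()
    if len(parts) != len(FLOW_LOG_FIELDS):
        raise ValueError("expected %d fields, got %d: %r"
                         % (len(FLOW_LOG_FIELDS), len(parts), line))
    record = dict(zip(FLOW_LOG_FIELDS, parts))
    for field in INTEGER_FIELDS:
        record[field] = None if record[field] == "-" else int(record[field])
    return record


def enrich(record, vnic_id, lookup=SAMPLE_NETWORK_METADATA.get):
    """Step 2: add the compartment / VCN / subnet / VNIC / security context.
    `lookup` is injectable so the OCI client can be swapped in for the sample table."""
    meta = lookup(vnic_id)
    if meta is None:
        raise KeyError("no network metadata found for VNIC %s" % vnic_id)
    enriched = dict(record)
    enriched["vnicId"] = vnic_id
    enriched.update(meta)
    return enriched


def to_hec_event(enriched, source, sourcetype="oci:vcn:flowlog"):
    """Step 4: wrap one enriched record in the HEC event envelope; `time` makes
    Splunk index the flow at its start time instead of at ingestion time."""
    return {"time": enriched["start_time"], "source": source,
            "sourcetype": sourcetype, "event": enriched}


def process_flow_log(raw_text, vnic_id, source):
    """Build the HEC batch body (one JSON object per line) for a whole object."""
    events = []
    for line in raw_text.splitlines():
        if line.strip():
            events.append(to_hec_event(enrich(parse_flow_log_line(line), vnic_id), source))
    return "\n".join(json.dumps(e) for e in events)


def send_to_hec(hec_url, token, body, timeout=10):
    """POST the batch to the HEC event endpoint; returns the HTTP status code.
    hec_url is normally https://<splunk-host>:8088/services/collector/event."""
    request = urllib.request.Request(
        hec_url, data=body.encode("utf-8"), method="POST",
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.status


if __name__ == "__main__":
    # Constructed sample input: the payload line shown in the article.
    sample = "2 172.16.2.145 172.16.2.179 82 64 13 112 441 1557424462 1557424486 REJECT OK\n"
    print(process_flow_log(sample, "ocid1.vnic.oc1..example-vnic", "flow-log-object"))
```

The function body (`handler(ctx, data)` under the Fn Python FDK) would call `object_from_event` on the incoming event, fetch the object with the Object Storage client, and pass its text to `process_flow_log` followed by `send_to_hec`; the VNIC id used for `enrich` is whatever the deployment stores in the object metadata, which the article describes but this example does not reproduce.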
Deployment Architecture
Ease of Use
=> Zero patching
=> Zero Maintenance
=> No need to size
=> Deploy and Forget model
Scalability
=> Functions are massively parallel
=> The entire architecture is event driven
Security
=> The Function is deployed on a private subnet
=> Instance Principals and Dynamic groups for Least privilege
=> No Ingress traffic is allowed.
=> Object Storage Access through Service Gateway only
=> Egress to Splunk through NAT Gateway
=> Egress allowed only on specific Splunk ports & URL
Cost
=> Truly pay-per-use
=> Events are based on invocations only
=> Object Storage Policy to retain objects for only 1 Day
=> Fn cost based on invocations only
Further Reading
Flow Logs
Here’s a brief description of what VCN Flow Logs are:
Resource Properties
OCI resources are organized inside compartments and span basic building blocks such as regions and availability domains. This is a refresher on why one setup per region is needed.
Multi-Region Deployment Architecture
Below is a representation of how this setup can be extended to multiple regions populating data to the same Splunk instance.