Send your audit logs to a SIEM
Read full documentation on how to use the Dashlane CLI to send your audit logs to a SIEM, here: https://github.com/Dashlane/dashlane-audit-logs
This projects allows you to retrieve your Dashlane’s audit log and send them in the SIEM or storage solution of your choice, using FluentBit. At the moment, we provide out of the box configurations for the following solutions:
- Azure log analytics workspace
- Azure blob storage
- Splunk
- Elasticsearch
This list is not restrictive, as others destination can be used. You can find the list of supported platforms on FluentBit’s website: https://docs.fluentbit.io/manual/pipeline/outputs
Prerequisites
In order to manage the Dashlane audit logs of your business account, you need to generate the credentials that will be used to pull the logs. The procedure can be found here: https://cli.dashlane.com/business
How does it work ?
The Docker image provided leverages the Dashlane CLI tool that will pull the audit logs and send them in your SIEM of choice. By default, when running the image in a container, the logs from DAY-1 will be retrieved, and new logs will be pulled every thirty minutes. To handle the logs, we included FluentBit with this basic configuration file:
[INPUT]
Name stdin
Tag dashlane
[OUTPUT]
Name stdout
Match *
Format json_lines
To send the logs to a new destination, you need to enrich this configuration file template and add an OUTPUT section such as described on the following sections. To use your custom configuration file, you need to override the DASHLANE_CLI_FLUENTBIT_CONF environment variable and set the path of your configuration file. The method to pass your file will depend on the plaform you use to run the image.
Accessing the logs
The first step to retrieve the audits logs is to run the custom image we provide and that can be found here: https://hub.docker.com/r/dashlane/audit-logs
This image can run on the platform of your choice. To make a simple test, you can deploy it with Docker by doing so:
Environment variables
DASHLANE_CLI_FLUENTBIT_CONF
- Path of the FluentBit configuration file
- Default to
/opt/fluent-bit.conf
DASHLANE_CLI_RUN_DELAY
- Delay between each log pull
- Default to
60
seconds
DASHLANE_TEAM_DEVICE_KEYS
- Secret key to authenticate against Dashlane servers as the team
- Documentation to generate the credentials
Running in Docker
docker pull dashlane/audit-logs
docker run -e DASHLANE_TEAM_DEVICE_KEYS=XXX -it dashlane/audit-logs:latest
Running those commands will create a simple container that pull your business every minutes and and print them on the stdout of the container.
Kubernetes
A helm chart is provided by the repository to deploy the service on Kubernetes.
helm install dashlane-audit-logs dashlane-audit-logs/
Some example of configuration is provided in example/
.
SIEM configuration
Azure Log analytics workspace
To send your Dashlane audit logs on Azure in a Log Analytics Workspace, you can use the template provided in the dashlane-audit-logs repository. The template will create a container instance that will automatically pull and run the Dashlane Docker image and send the logs in a ContainerInstanceLog_CL table in the Log Analytics Workspace of your choice. Before deploying the template you will have to provide:
- The location where you want your container to run (ex: “West Europe”)
- Your Dashlane credentials
- Your Log Analytics Workspace ID and Shared Key
Click on the button to start the deployment
Azure blob storage
If you want to send your logs to an Azure storage account, you can use the deployment template we provide in the dashlane-audit-logs repository, which will:
- Create a storage account and a file share to upload a custom FluentBit configuration file
- Create a container instance running the Docker image with your custom file
You will need:
- Your Dashlane credentials
- A custom FluentBit configuration file
Click on the button to start the deployment
Once your container is deployed, copy the following configuration into a file called “fluent-bit.conf”.
[INPUT]
Name stdin
Tag dashlane
[OUTPUT]
Name stdout
Match *
Format json_lines
[OUTPUT]
name azure_blob
match *
account_name ${STORAGE_ACCOUNT_NAME}
shared_key ${ACCESS_KEY}
container_name audit-logs
auto_create_container on
tls on
blob_type blockblob
Then upload in the storage account you just created. In the Azure Portal, go to Storage accounts, select the one you just created, go to File shares, select fluentbit-configuration and upload your configuration file.
The “blob_type” configuration specifies to create a blob for every log entry on the storage account, which facilitates the logs manipulation for eventual post-processing treatment.
The configuration provided above is meant to be working out of the box, but can be customized to suit your needs. You can refer to FluentBit’s documentation to see all available options: https://docs.fluentbit.io/manual/pipeline/outputs/azure_blob
Splunk
If you want to send your logs to Splunk, you need to create a HEC (HTTP Event Collector) on your Splunk instance. As an example, we will show here how to create one on a Splunk Cloud instance.
1- On the Splunk console, go to “Settings / Data input” and click on Add New in the HTTP Event Collector line.
2- Give your collector a name and click Next
3- In the Input settings tab keep the option as is and click on Next
4- In the Review tab, click on Submit. You should see a page indicating that the collector has been created.
The token provided will be used to authenticate and send the logs to your Splunk instance.
You can make a test by running the following command:
curl -k https://$SPLUNK_URL.com:8088/services/collector/event -H "Authorization: Splunk $SPLUNK_TOKEN" -d '{"event": "Dashlane test"}'
If all is working you should receive the following response:
{"text":"Success","code":0}
Finally, to send your Dashlane logs to Splunk, you need to customize your FluentBit configuration file by adding the relevant Splunk configuration:
[OUTPUT]
Name splunk
Match *
Host splunk-instance.com
Port 8088
TLS On
splunk_token ${SPLUNK_TOKEN}
Here, you just need to change the host parameter and indicate yours, and pass your Splunk token as an environment variable to the container. Once the data are sent, you can query them by going to the “Apps/Search and reporting” menu in the console and type this basic query in the search bar:
index=* sourcetype=*
You should now be able to access your Dashlane audit logs.
Elasticsearch
Work in progress
Output configuration for Elasticsearch
[OUTPUT]
Name es
Match *
Host host
Port 443
tls on
HTTP_User user
HTTP_Passwd pwd
Suppress_Type_Name On
Notes
All configuration are provided as is and designed to work out of the box. If you want customize them, you can consult the FluentBit documentation: https://docs.fluentbit.io/manual/pipeline/outputs