Has anyone had success collecting DNS query log data from a Windows 2012 Server DNS Server? I've installed the Nitro collector on the machine, but am having trouble getting the data to my Receiver and then viewing them in ESM.
What does your collector ePO policy look like?
It should be as follows:
When you add your data source in the SIEM, the datasource host ID must be the same as the Host Id in the collector management utility.
In my case, the Host ID of my datasource was <servername>-DNS.
Thanks - I ended up getting this configured and am now receiving DNS queries into my SIEM. Oddly enough, the default "Selected Network Adapter" was the wrong selection. Once I fixed that, events started pouring in. The debug log was incredibly helpful with troubleshooting.
DNS query logging needs to be enabled on the server. In my case, I'm using Windows Server for DNS. Here's my config.
Data Source Vendor : Microsoft
Data Source Model : Windows DNS (ASP)
Data Format : Default
Data Retrieval : MEF
I've enabled Parsing and Logging
Specify your DNS server IP Address.
Host ID is blank.
Use Encryption is checked.
Support Generic Syslogs : Do Nothing
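Enabling the server-side query logging the post above refers to, as an added PowerShell example that is not from the thread: it turns on DNS debug logging with the DnsServer module and then verifies the settings. It assumes an elevated session on the DNS server itself; the log path is a placeholder.

```powershell
# Added example (not from the thread): enable DNS debug (query) logging on a
# Windows Server DNS server with the DnsServer module, then verify the result.
# Assumptions: run elevated on the DNS server; $LogPath below is a placeholder.
Import-Module DnsServer

$LogPath = 'C:\DnsLogs\dns-debug.log'   # assumed path; folder is created below
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null

# Log inbound and outbound UDP/TCP packets, queries and answers, to the file.
Set-DnsServerDiagnostics `
    -Queries $true `
    -Answers $true `
    -ReceivePackets $true `
    -SendPackets $true `
    -UdpPackets $true `
    -TcpPackets $true `
    -QuestionTransactions $true `
    -EnableLoggingToFile $true `
    -LogFilePath $LogPath

# Verify: every flag the log depends on must read back as enabled.
$diag = Get-DnsServerDiagnostics
$required = 'Queries','Answers','ReceivePackets','SendPackets','UdpPackets','EnableLoggingToFile'
$missing = $required | Where-Object { -not $diag.$_ }
if ($missing) {
    Write-Warning "DNS debug logging is not fully enabled; unset: $($missing -join ', ')"
} else {
    Write-Output "DNS debug logging active, writing to $($diag.LogFilePath)"
}
```

Running `Get-DnsServerDiagnostics` on its own is also a quick way to confirm the current state before touching the SIEM data source.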