Data Source Configuration for Different Logs gathered with the Collector

Hello, I'd like some assistance to properly configure a data source that will collect different types of logs. The device in question is a DNS server: it will collect the typical Windows Event Logs (System, Security, Applications), but I need to also collect the DNS debug logs. The SIEM Collector has been configured to collect these 4 logs in one policy, but both Windows Event Logs and DNS have their own Data Source Model, which I assume relates to proper data parsing. On the ESM, which would be the best way to configure the data source and leverage the Parent/Client structure? I need to ensure both types of logs are properly parsed. Thanks!
3 Replies

Re: Data Source Configuration for Different Logs gathered with the Collector

I have two DS on ERC and two configs on the Collector, and use HostID to differentiate.


Re: Data Source Configuration for Different Logs gathered with the Collector

Thank you SSSSYYYY.

I was under the impression that the collector would generate a unique HOSTID per device once it is installed, and that unique HOSTID is what needs to be used at the ERC. So how would I generate 2 HOSTIDs for the same data source? Maybe I am understanding the concept entirely wrong.

Can you please elaborate how you would accomplish what you suggested? Remember that it is one server with 2 types of logs I need to collect from it: Windows Events, and Windows DNS.

I am fairly new to the SIEM, and I greatly appreciate all your guidance, tips and tricks.


Re: Data Source Configuration for Different Logs gathered with the Collector

The workflow in my mind:

- Create a data source for App, Sys, Security on ERC, put in the IP, choose the MEF method, host-id = serverA_wmi.

- Create a client on the SIEM Collector called WMI, use host-id = serverA_wmi, set up the logging.

- Verify you are getting App, Sys, Sec events.

- Create another data source for DNS, leave out the IP (because the connection is already there), choose MEF, host-id = serverA_DNS.

- Create a client on the SIEM Collector called DNS, use host-id = serverA_DNS, set up the logging (I think it's a custom log trail).

- Verify you are getting DNS logs.
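The host-id split in the steps above, as an added illustration that is not part of the thread and not McAfee ESM, ERC or SIEM Collector code: a toy receiver that looks up the data source by host-id and hands each line to that data source's parser. The host-ids are the ones suggested in the reply; the data source names, the two parsers, the Windows DNS debug log "PKT" line layout assumed here and every sample line are constructed for the example. It also shows the failure mode the two-host-id setup avoids: a DNS debug line arriving under the event-log host-id does not fit that model and is dropped unparsed.

```python
"""Toy model of host-id routing on a log receiver (added example; not
McAfee ESM/ERC/Collector code). Host-ids follow the thread; data source
names, parsers and sample lines are constructed."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Receiver side: one data source per host-id, each with its own model.
DATA_SOURCES = {
    "serverA_wmi": "Windows Event Log",
    "serverA_DNS": "Windows DNS Debug Log",
}

# Assumed layout of a Windows DNS debug log packet line:
#   date time tid PKT ctx proto Rcv|Snd peer xid Q|"R Q" [flags] qtype name
DNS_PKT_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2}(?: [AP]M)?) "
    r"(?P<tid>[0-9A-Fa-f]+) PKT\s+(?P<ctx>[0-9A-Fa-f]+) (?P<proto>UDP|TCP) "
    r"(?P<dir>Rcv|Snd) (?P<peer>\S+)\s+(?P<xid>[0-9A-Fa-f]+)\s+(?P<qr>R Q|Q) "
    r"\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<name>\S+)$"
)

# Constructed event-log line shape: space-separated key=value pairs.
EVT_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_dns_name(wire: str) -> str:
    """Turn the debug log's (3)www(7)example(3)com(0) form into www.example.com."""
    labels = re.findall(r"\((\d+)\)([^(]*)", wire)
    return ".".join(text for length, text in labels if int(length) > 0)


def parse_dns_debug(line: str) -> Optional[dict]:
    """Parse one DNS debug packet line; None if the line does not fit the model."""
    m = DNS_PKT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["name"] = decode_dns_name(rec["name"])
    rec["flags"] = rec["flags"].split()
    rec["kind"] = "response" if rec["qr"] == "R Q" else "query"
    return rec


def parse_event_log(line: str) -> Optional[dict]:
    """Parse a key=value event-log line; None unless Channel and EventID are present."""
    fields = {k: v.strip('"') for k, v in EVT_KV_RE.findall(line)}
    if "EventID" not in fields or "Channel" not in fields:
        return None
    return fields


PARSERS = {
    "Windows Event Log": parse_event_log,
    "Windows DNS Debug Log": parse_dns_debug,
}


def route(host_id: str, line: str) -> Optional[dict]:
    """Pick the data source by host-id, then apply that model's parser.
    None means the line was dropped: unknown host-id or parse failure."""
    model = DATA_SOURCES.get(host_id)
    if model is None:
        return None
    parsed = PARSERS[model](line)
    if parsed is None:
        return None
    return {"host_id": host_id, "data_source": model, **parsed}


def summarize(events: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count parsed lines per data source; dropped lines land under 'unrouted'."""
    counts = Counter()
    for host_id, line in events:
        rec = route(host_id, line)
        counts[rec["data_source"] if rec else "unrouted"] += 1
    return dict(counts)


# Constructed sample traffic: one event-log line and a DNS query/response pair.
DNS_QUERY = ("1/20/2023 10:15:32 AM 0E40 PKT  000001D2C7A9F3B0 UDP Rcv 192.168.1.50   "
             "a1b2   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)")
DNS_RESPONSE = ("1/20/2023 10:15:32 AM 0E40 PKT  000001D2C7A9F3B0 UDP Snd 192.168.1.50   "
                "a1b2 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)")
EVT_LINE = 'Channel=Security EventID=4624 Computer=serverA LogonType=3 TargetUserName="alice"'

SAMPLE_EVENTS = [
    ("serverA_wmi", EVT_LINE),
    ("serverA_DNS", DNS_QUERY),
    ("serverA_DNS", DNS_RESPONSE),
]

if __name__ == "__main__":
    for host_id, line in SAMPLE_EVENTS:
        print(route(host_id, line))
    print(summarize(SAMPLE_EVENTS))
    # Misconfiguration: DNS line under the event-log host-id is dropped.
    print(route("serverA_wmi", DNS_QUERY))
```

The `summarize` call is what a quick "verify you are getting ... events" step amounts to: each data source should show a non-zero count and `unrouted` should be absent. If both Collector clients were given the same host-id, every line would reach one model and the other log type would count as unrouted.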
