Data Source Configuration for Different Logs gathered with the Collector
I'd like some assistance to properly configure a data source that will collect different types of log.
The device in question is a DNS server: it will collect the typical Windows Event Logs (System, Security, Applications), but I also need to collect the DNS debug logs. The SIEM Collector has been configured to collect these 4 logs in one policy, but Windows Event Logs and DNS each have their own Data Source Model, which I assume relates to proper data parsing. On the ESM, what would be the best way to configure the data source and leverage the Parent/Client structure? I need to ensure both types of logs are properly parsed.
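Before touching the ESM side, it is worth confirming on the DNS server itself that all four log sources the Collector policy points at actually exist and are producing data; a missing DNS debug log file is the usual reason the DNS parser has nothing to parse. The following PowerShell is an added pre-flight check, not code from the original post or from the SIEM vendor. It assumes it is run elevated on the DNS server with the DnsServer module available (the DNS Server role or RSAT-DNS-Server), and the log path in the commented `Set-DnsServerDiagnostics` line is a placeholder you would replace with one the Collector service account can read.

```powershell
# Added example (not part of the original post): verify the four log sources on the DNS server.
# Assumes an elevated session on the DNS server with the DnsServer module installed.
$ErrorActionPreference = 'Stop'

# 1. The three classic Windows Event Logs named in the Collector policy.
$eventLogs = 'System', 'Security', 'Application'
foreach ($name in $eventLogs) {
    $log = Get-WinEvent -ListLog $name
    [pscustomobject]@{
        Log       = $name
        Enabled   = $log.IsEnabled
        Records   = $log.RecordCount
        LastWrite = $log.LastWriteTime
    }
}

# 2. The "DNS Server" event log is distinct from DNS *debug* logging; check it as well,
#    since a policy may be pointed at this channel rather than the debug text file.
$dnsEventLog = Get-WinEvent -ListLog 'DNS Server'
"DNS Server event log: enabled={0} records={1}" -f $dnsEventLog.IsEnabled, $dnsEventLog.RecordCount

# 3. DNS debug logging (the text-file log the post refers to) is off by default and must be
#    explicitly enabled, otherwise the Collector has no file to forward.
$diag = Get-DnsServerDiagnostics
if (-not $diag.EnableLoggingToFile) {
    Write-Warning 'DNS debug logging is OFF; the DNS Data Source Model will receive nothing.'
    # Minimal settings that produce query/answer lines. The path below is an assumption;
    # uncomment and adjust once you have chosen a location the Collector can read.
    # Set-DnsServerDiagnostics -Queries $true -Answers $true -ReceivePackets $true -SendPackets $true `
    #     -UdpPackets $true -TcpPackets $true -EnableLoggingToFile $true `
    #     -LogFilePath 'C:\DnsLogs\dns.log' -MaxMBFileSize 500 -EnableLogFileRollover $true
}
else {
    "DNS debug log path: {0}" -f $diag.LogFilePath
    if ($diag.LogFilePath -and (Test-Path -Path $diag.LogFilePath)) {
        # Show the newest lines so you can compare them with the format the DNS parser expects.
        Get-Content -Path $diag.LogFilePath -Tail 5
    }
    else {
        Write-Warning 'Debug logging is enabled but the log file does not exist yet (no queries logged so far?).'
    }
}
```

Run this once before creating the data sources on the ESM: if the debug file is absent or empty, no Parent/Client arrangement on the ESM will make the DNS events appear, and if the file is present you can compare its line format against what the DNS Data Source Model parses.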
Re: Data Source Configuration for Different Logs gathered with the Collector
Thank you SSSSYYYY.
I was under the impression that the Collector would generate a unique HOSTID per device once it is installed, and that this unique HOSTID is what needs to be used at the ERC. So how would I generate two HOSTIDs for the same data source? Maybe I am misunderstanding the concept entirely.
Can you please elaborate on how you would accomplish what you suggested? Remember that it is one server with two types of logs I need to collect from it: Windows Events and Windows DNS.
I am fairly new to the SIEM, and I greatly appreciate all your guidance, tips and tricks.