dtmc
Level 7

Multiple windows logs from one domain controller

Hello,

Does anyone know how to get multiple logs from the same Windows domain controller? I can get Application, Security, and System logs by using WMI. When I select DNS and Directory Service logs, they are not complete and are missing parts of the event itself (like the user). So I saw that, at least for DNS, there is a data source specifically for Windows DNS (ASP). So I tried to add a client data source under the domain controller as per the online help file. But then I get errors that the hostname or the IP address is in use. How can I retrieve the basic logs as well as the DNS and Directory Service logs from the same domain controller? Thanks!

4 Replies
xded
Level 12

Re: Multiple windows logs from one domain controller

Hi,

By default the SIEM should deliver all logs from the data source.

Try this (you will lose all logs from before):

Delete the data source.

And then add the data source with all of the log configuration.

If this doesn't work, also try this:

There is a McAfee Event Collector for Windows. Install this Event Collector to get all logs from the data source. This collector is also for more log sources from one data source.

Re: Multiple windows logs from one domain controller

First, using WMI you can get all the event logs.

[screenshot attached: wmi.png]

This will give you all the known event logs on that device.

There is a KB on adding DNS, and it will be using a different format.

In the DNS example, use the DNS name, and do not put in the IP address when you configure the data source.

Re: Multiple windows logs from one domain controller

You will have to deploy the SIEM collector agent on the domain controller to get the DNS logs. The basic WMI data source configuration will only pull the basic system logs (System, Application, Security); you need the agent to pull the rest.


Re: Multiple windows logs from one domain controller

You can get the more detailed DNS logs by either using an agent such as the SIEM Collector, or by ingesting the logs via SCP, SFTP, CIFS share, etc. Either way, a WMI pull only gets you so much. Applications such as DNS, Exchange, IIS, etc., require agents or file pulls because Microsoft does not place all the wanted information in the Event Viewer and make it available for a WMI pull. Microsoft instead puts the interesting logs in a separate flat file.
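An added example (not from this thread or from McAfee) that illustrates the split the reply describes: a PowerShell check, run on the domain controller, that lists the Event Viewer channels a WMI pull reads from and shows whether the DNS debug log is being written to the separate flat file that an agent or file pull would collect. The function names, the log path and the file size are assumptions; the cmdlets come from the DnsServer module installed with the DNS Server role.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on
# the domain controller; assumes the DnsServer module is installed.
Import-Module DnsServer

function Get-DcLogInventory {
    # Event log channels that a WMI-based data source reads from the Event Viewer.
    $channels = 'Application', 'Security', 'System', 'DNS Server', 'Directory Service'
    $eventLogs = Get-WinEvent -ListLog $channels -ErrorAction SilentlyContinue |
        Select-Object LogName, RecordCount, LogFilePath

    # DNS debug logging is written to a separate flat file; this is what an agent
    # or an SCP/SFTP/CIFS file pull collects, not WMI.
    $diag = Get-DnsServerDiagnostics
    $dnsFlatFile = [PSCustomObject]@{
        EnableLoggingToFile = $diag.EnableLoggingToFile
        LogFilePath         = $diag.LogFilePath
        Queries             = $diag.Queries
        Answers             = $diag.Answers
        MaxMBFileSize       = $diag.MaxMBFileSize
    }
    [PSCustomObject]@{ EventLogs = $eventLogs; DnsDebugLog = $dnsFlatFile }
}

function Enable-DnsDebugLogToFile {
    param(
        [string]$LogFilePath   = 'C:\DnsLogs\dns-debug.log',  # assumed path
        [uint32]$MaxMBFileSize = 500000000                    # assumed; value is in bytes
    )
    # Make sure the directory exists before the DNS service tries to write to it.
    New-Item -ItemType Directory -Force -Path (Split-Path $LogFilePath) | Out-Null

    # Log queries and answers for both UDP and TCP traffic to the flat file.
    Set-DnsServerDiagnostics -Queries $true -Answers $true `
        -ReceivePackets $true -SendPackets $true -UdpPackets $true -TcpPackets $true `
        -EnableLoggingToFile $true -LogFilePath $LogFilePath -MaxMBFileSize $MaxMBFileSize

    # Return the resulting settings so the collector's read path can be verified.
    Get-DnsServerDiagnostics | Select-Object EnableLoggingToFile, LogFilePath, MaxMBFileSize
}

Get-DcLogInventory | Format-List
```

The account the collector or file-pull job runs as needs read access to the LogFilePath directory; check that separately, since the DNS service writes the file as SYSTEM.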
