Multiple windows logs from one domain controller

Hello,

Does anyone know how to get multiple logs from the same Windows domain controller? I can get Application, Security, and System logs by using WMI. When I select DNS and directory service logs, they are not complete and are missing parts of the event itself (like the user). So I saw that, at least for DNS, there is a data source specifically for Windows DNS (ASP). So I tried to add a client data source under the domain controller as per the online help file. But then I get errors that the hostname or the IP address is in use. How can I retrieve the basic logs as well as the DNS and directory services logs from the same domain controller? Thanks!

4 Replies

Re: Multiple windows logs from one domain controller

Hi,

By default the SIEM should deliver all logs from the data source.

Try this (you will lose all logs from before):

Delete the data source.

And then add the data source with all log configuration.

Also try this if that doesn't work:

There is a McAfee Event Collector for Windows. Install this Event Collector to get all logs from the data source. This collector is also for more log sources from one data source.


Re: Multiple windows logs from one domain controller

First, using WMI you can get all the event logs.

[screenshot: wmi.png, the WMI data source log selection]

This will give you all the known event logs on that device.

There is a KB on adding DNS and will be using a different format.

In the DNS example, use the DNS name, and do not put in the IP address when you configure the data source.


Re: Multiple windows logs from one domain controller

You will have to deploy the SIEM Collector agent on the domain controller to get the DNS logs. The basic WMI data source configuration will only pull basic system logs (System, Application, Security); you need the agent to pull the rest.


Re: Multiple windows logs from one domain controller

You can get the more detailed DNS logs by either using an agent such as the SIEM Collector, or by ingesting the logs via SCP, SFTP, CIFS share, etc. Either way, a WMI pull only gets you so much. Applications such as DNS, Exchange, IIS, etc., require agents or file pulls because Microsoft does not place all the wanted information in the event viewer and make it available for a WMI pull. Microsoft instead puts the interesting logs in a separate flat file.
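To check on the domain controller itself which logs a WMI pull can see and where the detailed DNS log actually lives, the following PowerShell is an added example (not from this thread or from McAfee); it assumes it runs on the DC with administrator rights and the DnsServer module (RSAT DNS Server tools) installed.

```powershell
# Added example, not part of the original thread. Assumes: run on the domain
# controller as an administrator, with the DnsServer PowerShell module present.

# 1. What a WMI-based data source works from: the classic event logs registered
#    on the host (Application, Security, System, DNS Server, Directory Service, ...).
$wmiLogs = Get-CimInstance -ClassName Win32_NTEventlogFile |
    Select-Object LogfileName, NumberOfRecords, FileSize
$wmiLogs | Format-Table -AutoSize

# Confirm the two logs from the question are registered as event logs at all.
foreach ($name in 'DNS Server', 'Directory Service') {
    $present = $wmiLogs.LogfileName -contains $name
    "{0,-18} registered as event log: {1}" -f $name, $present
}

# 2. Where the detailed DNS log goes: the DNS Server debug log is a flat file,
#    not an event log, so it never shows up in the inventory above and has to be
#    collected by an agent or a file pull (SCP/SFTP/CIFS) as the replies describe.
$diag = Get-DnsServerDiagnostics
[pscustomobject]@{
    DebugLoggingEnabled = $diag.EnableLoggingToFile   # $false means no flat file is written
    LogFilePath         = $diag.LogFilePath           # empty when debug logging is off
    MaxFileSizeBytes    = $diag.MaxMBFileSize
}
```

If `DebugLoggingEnabled` is `$false`, there is no DNS flat file for an agent or file pull to collect yet; debug logging has to be switched on in the DNS Server properties first.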
