9 Replies Latest reply on Jun 12, 2014 8:42 AM by Regis

    AD DNS logs

    feeeds

      I was wondering if anyone else is using, or trying to use the Mcafee Event collector Utility to pull DNS logs from AD into the collector? We have set up our DC's to create flat files of DNS logs and want to import them into the SIEM.  Has anyone attempted something similar ?

        • 1. Re: AD DNS logs
          hcmay

          Currently I have over 30 Windows DNS servers that I am collecting data from using the event collector.  I found the following KB to be helpful.


          https://kc.mcafee.com/corporate/index?page=content&id=KB74849&actp=search&viewlocale=en_US&searchid=1359617245740

          • 2. Re: AD DNS logs
            feeeds

            hcmay, that was the KB that I used to set up the collector. The debug just shows "no data to process" even though the DNS flat file is growing due to large number of DNS requests.  Do you have both the hostID and the IP set for the collector and the event source? Support is having a hard time figuring out why the events are not being seen.

            I assume the regex that is added to the event collector accounts for the 10 or so lines of txt on the top of the DNS logging file ?

            • 3. Re: AD DNS logs
              hcmay

              I am using Host IDs.  They are case sensitive and have to match on the SIEM.


              [attached screenshot: 20130523_DNS.JPG]

              • 4. Re: AD DNS logs
                feeeds

                How do you have the DNS server properties configured?

                [attached screenshot: DNS.JPG]

                • 5. Re: AD DNS logs
                  abukhari

                  Remove the ^ (caret) in your regex line and it should work.
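As an added illustration (not code from this thread, from McAfee, or from the event collector), here is a small Python parser for the kind of flat-file DNS debug log the thread is trying to collect. It assumes the classic Windows Server DNS debug log line layout and uses a constructed sample; the header lines at the top of the file are skipped because they simply fail to match, the pattern is deliberately not anchored with ^, and the length-prefixed query names are decoded into ordinary hostnames.

```python
import re
from dataclasses import dataclass

# Assumed Windows Server DNS debug log layout (the thread shows none): header
# lines, then "date time thread PACKET id proto Snd|Rcv ip xid [R] opcode
# [flags] qtype name" with the name in label form. No ^ anchor plus re.search
# means header and blank lines fail to match and are skipped, not fatal.
PACKET_RE = re.compile(
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"[0-9A-Fa-f]+\s+PACKET\s+[0-9A-Fa-f]+\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<direction>Snd|Rcv)\s+(?P<ip>[0-9A-Fa-f.:]+)\s+[0-9A-Fa-f]{4}\s+"
    r"(?P<response>R?)\s+\w\s+\[[^\]]*\]\s+(?P<qtype>\w+)\s+(?P<name>\S+)"
)

# Constructed sample (not a real capture): header lines, a blank line, a
# query received from a client, and the server's answer sent back to it.
SAMPLE_LOG = """DNS Server log file creation at 5/23/2013 2:00:05 PM UTC
Log file wrap at 5/23/2013 2:00:05 PM UTC

5/23/2013 2:01:10 PM 0B8C PACKET  0000000003A7E5B0 UDP Rcv 10.0.0.15 4f3e   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
5/23/2013 2:01:10 PM 0B8C PACKET  0000000003A7E5B0 UDP Snd 10.0.0.15 4f3e R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
"""

@dataclass
class DnsPacket:
    timestamp: str
    proto: str
    direction: str   # Rcv = received from remote_ip, Snd = sent to remote_ip
    remote_ip: str   # for a received query this is the querying client
    is_response: bool
    qtype: str
    qname: str

def decode_labels(name: str) -> str:
    """(3)www(7)example(3)com(0) -> www.example.com; a bare (0) is the root."""
    parts = re.findall(r"\((\d+)\)([^(]*)", name)
    if any(int(n) != len(label) for n, label in parts):
        raise ValueError(f"label length mismatch in {name!r}")
    return ".".join(label for _, label in parts if label) or "."

def parse_debug_log(text: str) -> list[DnsPacket]:
    """Parse one debug log; lines that are not packet records are skipped."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.search(line)
        if m:
            packets.append(DnsPacket(f"{m['date']} {m['time']}", m["proto"],
                                     m["direction"], m["ip"], m["response"] == "R",
                                     m["qtype"], decode_labels(m["name"])))
    return packets
```

Running `parse_debug_log(SAMPLE_LOG)` yields two records, the received query carrying the client address 10.0.0.15 as `remote_ip`.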

                  • 6. Re: AD DNS logs
                    rth67

                    What kind of volume of events per day are you getting from your DNS Logs (compared to other Windows Event Logs)? Did you have to change the Aggregation settings at all to gain value from the logs? 

                    • 7. Re: AD DNS logs
                      feeeds

                      The volume is fairly minimal as compared to our other AD logs.  The value is also suspect. There are several different DNS query types, and not all of them provide valuable data.  Our users point to our AD domain controllers for DNS, so in the DNS logs, we see the AD server as the source, with the requested site as the destination. We really want the logs to show the original source who made the DNS query of the domain controller.

                      • 8. Re: AD DNS logs
                        feeeds

                        For those of you who use this successfully, how do you deal with the log rotation? The log file stops getting written to, and then it does not create a new file.

                        • 9. Re: AD DNS logs
                          Regis

                          Microsoft logging is goofy on DNS query logs.   


                          I'm curious if anyone is doing DNS query logging to a file as shown in feeds' screenshot above,  and successfully grabbing those files into nitro via CIFS.   Currently experiencing a lot of trouble with that as for whatever reason,  our domain controllers don't update the file timestamps on the dns log file on a regular basis even if new events are definitely being added to the log file.   The CIFS collector from the receiver appears to not pull the file unless its timestamp is newer than the last time it pulled it.  


                          For those using the event collector, is anyone using it on a DC?   Adding any additional McAfee branded software to a Windows server is always a tough sell for Windows administrators ... and I wish I could say they didn't have good reasons for being cautious.


                          on 6/12/14 8:42:52 AM CDT