Thanks - I ended up getting this configured and am now receiving DNS queries into my SIEM. Oddly enough, the default "Selected Network Adapter" was the wrong selection. Once I fixed that, events started pouring in. The debug log was incredibly helpful with troubleshooting.
Please share the steps you followed to add the DNS data source. I have the collector running on the DNS server.
DNS query logging needs to be enabled on the server. In my case, I'm using Windows Server for DNS. Here's my config.
Data Source Vendor : Microsoft
Data Source Model : Windows DNS (ASP)
Data Format : Default
Data Retrieval : MEF
I've enabled Parsing and Logging
Specify your DNS server IP Address.
Host ID is blank.
Use Encryption is checked.
Support Generic Syslogs : Do Nothing