First, try to add this data source to the SIEM and then start the SIEM Collector utility.
Hi MK, sorry, I did not update my question, but yes, it is right on the money and I found it a couple of hours after I posted it.
But, I am still fighting to get data to SIEM from collector.
I have set up the collector on the remote box to collect Windows Logs / DNS Server from 2 DNS servers, with Log level: Info and a Domain Admin account.
I can see packets coming to the receiver on port 8082, but the length of the packets is 0 or, seldom, 16, so my data file in the /var/log/data/inline/thirdparty.logs/xx/NPP_c/in/ folder is 0.
I found that some people were able to use collector 11 to collect DNS and DHCP logs, but I don't see how.
You should use Generic Log Tail - it's pretty much the same as in 10:
From page 11:
Yes, it is set exactly the way it is in the guide: the dns.log is on the C: drive in the shared folder, and the account I am using has full permissions to the folder and is a domain admin.
I can see data coming to the receiver, but mostly 0 length or 37, so the .../in/data.xxxx file has 0 bytes and nothing to show.
I think I am questioning the whole SIEM Collector 11 concept; I even tried to collect the Event logs locally - same result.
Opened a case with Intel Support, but the tech there gave me an "odd" answer: they have an internal document telling them that we cannot collect DNS logs - they are locked by another process and I have to call Microsoft. For some reason he would not share the document with me, even though we are Gold Partners with them.
Any other suggestions?
Without seeing the full configuration and debug logs I can't be sure, but I would start by making sure your datasource configuration is correct and matches the SIEM Collector.
Datasource should be Vendor: Microsoft. Model: Windows DNS (ASP). Format: Default. Collection method: MEF
- IP address should match the source IP that the SIEM Collector will be sending from (or if you have another MEF datasource with the same IP, can be left blank)
- Host ID needs to match exactly the host ID configured in the SIEM Collector client configuration (yes, this is case-sensitive; no, I don't know why).
The next common issue is using a delimiter - you don't need one, so don't use one.
Other than that, you'd need to read the SIEM Collector logs in diagnostic mode and identify the error.
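The matching rules in the answer above (vendor/model/format/method, case-sensitive Host ID, source IP that may be blank only when another MEF datasource shares it, no delimiter) are easy to get wrong by hand, so here is an added example that is not from the thread or from the SIEM Collector product: a small consistency check that takes a datasource record and the collector client configuration and lists every mismatch. The dict shapes, field names (`host_id`, `source_ip`, `delimiter`) and sample values are assumptions for illustration, not the product's real configuration format.

```python
# Added example (not from the thread): a consistency check between a SIEM
# datasource record and the SIEM Collector client configuration, encoding the
# matching rules from the answer above. The dict shapes and field names are
# assumptions for illustration, not the product's real configuration format.

# Datasource settings the answer says a Windows DNS source must have.
EXPECTED_DATASOURCE = {
    "vendor": "Microsoft",
    "model": "Windows DNS (ASP)",
    "format": "Default",
    "collection_method": "MEF",
}


def check_datasource(datasource, collector, other_mef_ips=()):
    """Return a list of mismatches; an empty list means the pair is consistent.

    datasource    - the SIEM datasource record (hypothetical dict shape)
    collector     - the SIEM Collector client configuration (hypothetical dict shape)
    other_mef_ips - source IPs of other MEF datasources already on the receiver
    """
    problems = []

    for key, want in EXPECTED_DATASOURCE.items():
        got = datasource.get(key)
        if got != want:
            problems.append(f"{key}: expected {want!r}, got {got!r}")

    # Host ID is compared exactly, including case: "DNS01" and "dns01" differ.
    if datasource.get("host_id") != collector.get("host_id"):
        problems.append(
            f"host_id: datasource {datasource.get('host_id')!r} != "
            f"collector {collector.get('host_id')!r} (case-sensitive)"
        )

    # The datasource IP must match the IP the collector sends from. It may be
    # left blank only when another MEF datasource already uses that source IP.
    ds_ip = datasource.get("ip", "")
    src_ip = collector.get("source_ip")
    if ds_ip == "":
        if src_ip not in other_mef_ips:
            problems.append(
                f"ip: blank, but no other MEF datasource uses source IP {src_ip!r}"
            )
    elif ds_ip != src_ip:
        problems.append(f"ip: datasource {ds_ip!r} != collector source {src_ip!r}")

    # No delimiter is needed for this datasource; a configured one is a common error.
    if datasource.get("delimiter"):
        problems.append(f"delimiter: {datasource['delimiter']!r} set, remove it")

    return problems


# Constructed sample configurations for a quick run.
SAMPLE_COLLECTOR = {"host_id": "DNS01", "source_ip": "10.0.0.25"}

SAMPLE_GOOD = {
    "vendor": "Microsoft",
    "model": "Windows DNS (ASP)",
    "format": "Default",
    "collection_method": "MEF",
    "host_id": "DNS01",
    "ip": "10.0.0.25",
}

# Same record with a lower-case host ID and a stray delimiter.
SAMPLE_BAD = dict(SAMPLE_GOOD, host_id="dns01", delimiter="|")

if __name__ == "__main__":
    for name, ds in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        issues = check_datasource(ds, SAMPLE_COLLECTOR)
        print(name, "->", issues or "consistent")
```

Running it prints the good record as consistent and flags the bad one for the host ID case mismatch and the delimiter; feed it your own values (copied exactly from the SIEM datasource screen and the collector client config) to see which of the rules you are tripping before going to the diagnostic-mode logs.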
It is possible to tail the DNS logs using SIEM Collector 11; however, the configuration errors can be tricky to identify.
Check the event times... Maybe the events are there and you don't see them.