How to integrate Microsoft DNS logs with SIEM?

  • Question

  • Hi Team,

    I am a SIEM engineer and want to integrate Microsoft DNS logs with ArcSight ESM for security monitoring. Currently we are using flat file read (DNS logs are dumped in a flat file and we read logs from it using ArcSight connectors). But we are facing many issues and the monitoring isn't continuous.

    I need your help in getting logs from the DNS server to the SIEM. Is there any other method other than flat file read? Can we write DNS logs to the event viewer and read from there? Or is there any other method you can help me out with?

    Thanks in Advance.

    Regards,

    Mitesh Agrawal

    Tuesday, December 24, 2019 8:44 AM

All replies

  • Hi, you can use Event Log Forwarding to collect events from the servers and then send them to your SIEM to analyze:

    https://www.petri.com/configure-event-log-forwarding-windows-server-2012-r2


    "Vote or mark as answer if you think useful" "Mark as answer the replies that solved your problem"

    Tuesday, December 24, 2019 9:47 AM
  • Hi F.Abassi,

    Thanks for your time in replying to my query. The link you shared is quite useful. I also wanted to know how to enable DNS logs to be written into the event viewer (by default they aren't written). Also, will there be high utilization if we take logs from the event viewer of the DNS server?

    Thanks in Advance.

    Regards,

    Mitesh Agrawal

    Wednesday, December 25, 2019 10:22 AM
  • Hi,


    If you want to enable DNS diagnostic logging, you could refer to the following article:

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn800669(v%3Dws.11)


    About the negligible performance impact of enabling it:


    "A DNS server running on modern hardware that is receiving 100,000 queries per second (QPS) can experience a performance degradation of 5% when analytic logs are enabled. There is no apparent performance impact for query rates of 50,000 QPS and lower"


    For your reference:

    https://blogs.technet.microsoft.com/teamdhcp/2015/11/23/network-forensics-with-windows-dns-analytical-logging/


    Best Regards,

    Farena


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, December 26, 2019 7:04 AM
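    The steps Farena's answer describes, as an added PowerShell example that is not part of the original thread: it enables the DNS Server analytic channel, confirms it is on, and summarises recent query events the way a SIEM pipeline would. It assumes the channel name `Microsoft-Windows-DNSServer/Analytical`, event ID 256 (QUERY_RECEIVED) and the `QNAME`/`Source` event-data fields as documented for Windows Server 2012 R2 and later; run it elevated on the DNS server.

```powershell
# Added example (not from the thread). Assumptions: channel name, event ID 256
# (QUERY_RECEIVED) and the EventData field names QNAME / Source, as documented
# for the Windows Server DNS analytic log. Run in an elevated session on the DNS server.

$channel = 'Microsoft-Windows-DNSServer/Analytical'

# 1. Enable the analytic log. This is the command-line equivalent of
#    "Show Analytic and Debug Logs" -> "Enable Log" in Event Viewer.
wevtutil set-log $channel /enabled:true

# 2. Confirm the channel is enabled and see how large it currently is.
$cfg = Get-WinEvent -ListLog $channel
'{0}: enabled={1} records={2} bytes={3}' -f $cfg.LogName, $cfg.IsEnabled, $cfg.RecordCount, $cfg.FileSize

# 3. Read QUERY_RECEIVED events. Analytic/debug logs can only be read oldest-first,
#    so -Oldest is mandatory here; -MaxEvents bounds the cost on a busy server.
$events = Get-WinEvent -FilterHashtable @{ LogName = $channel; Id = 256 } `
    -Oldest -MaxEvents 5000 -ErrorAction SilentlyContinue

# 4. Pull the queried name and client IP out of each event's XML payload.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Source = $d['Source']   # client IP and port that sent the query
        QName  = $d['QNAME']    # queried domain name
    }
}

# 5. Top (client, name) pairs: the same aggregation a SIEM rule would run
#    to spot a single host hammering one domain.
$rows | Group-Object Source, QName |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name
```

    Reading the channel this way (or shipping it with an agent) does not depend on a flat file's last-modified timestamp, which is the failure mode raised later in this thread; note that analytic channels are not included in Windows Event Forwarding subscriptions, so an agent that reads the channel directly is needed if you want to avoid the flat file entirely.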
  • Hi,


    Just checking in to see if the information provided was helpful.


    If the reply helped you, please remember to mark it as an answer.


    If no, please reply and tell us the current situation in order to provide further help.



    Tuesday, December 31, 2019 6:45 AM
  • Hi Farena,

    Thanks for your help.

    I need your help in understanding one more thing. The DNS server is writing logs to a flat file so that from our SIEM we can read those files and collect logs. But we are observing a strange issue. The last-modified time for the file isn't updating, but the contents are written to the file.

    Since the last-modified date isn't updated, our SIEM believes the file hasn't changed and doesn't read the data. Can you please help me understand how I can resolve this last-modified time issue?

    Regards,

    Mitesh Agrawal

    Monday, March 30, 2020 12:16 PM