Hmmm
We are interested in ingesting Windows DNS logs into QRadar so that we can see when machines might start trying to connect to C&C servers etc. The QRadar DNS Analyser app looks good for this.
Reading the various manuals and posts, what we really need is the input from the Microsoft DNS Analytics logs, because these are designed to run all the time with minimal impact on the server, as opposed to the Debug logs, which impact performance. HOWEVER (and here is the rub), to get WinCollect to read the DNS Analytics log, you have to set the log so that it WILL NOT automatically overwrite the logs when they fill up. When the logs fill up, logging stops, and you have to manually log onto the DNS server and clear down the log, then restart the WinCollect server, to get log data flowing again. This seems a trifle... inelegant.
It's not IBM's fault; it's the way that Microsoft has coded the DNS Analytic logging, and all the products around seem to have the same issue.
I understand all the above. The DNS Analyser app is advertised as the be-all and end-all of good things for DNS reporting, but how can it be if you have to manually log onto every one of your Windows DNS servers multiple times a day to clear down the logs and restart the collector?
Can I please ask anyone out there who is using the DNS Analyser App with Windows DNS logs what they are doing around this issue, and for any hints and tips they may have?
Thanks
Ross
------------------------------
Ross Wakelin
------------------------------
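As an added example (not code from Ross's post, and not IBM or Microsoft tooling), here is one way to script the manual routine the post describes, so it can be run from Task Scheduler instead of by logging onto each DNS server: check how full the DNS Analytical channel is and, once it crosses a threshold, disable it, clear it, re-enable it and restart the WinCollect agent. The channel name `Microsoft-Windows-DNSServer/Analytical`, the service name `WinCollect` and the 90% threshold are assumptions to verify on your own servers.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post, IBM or Microsoft.
# Assumptions (check these on your own DNS servers): the Analytical channel
# name, the WinCollect service name and the fill threshold are illustrative.
param(
    [string]$Channel     = 'Microsoft-Windows-DNSServer/Analytical',  # assumed channel name
    [string]$ServiceName = 'WinCollect',                              # assumed service name
    [double]$Threshold   = 0.90                                       # assumed fill ratio
)

function Get-DnsAnalyticLogState {
    param([string]$LogName)
    # -Force is required for Get-WinEvent to return analytic/debug channels.
    $log = Get-WinEvent -ListLog $LogName -Force -ErrorAction Stop
    # FileSize is null while the channel is disabled; treat that as 0 bytes.
    $fileBytes = [long]$log.FileSize
    $maxBytes  = [long]$log.MaximumSizeInBytes
    [pscustomobject]@{
        LogName   = $log.LogName
        Enabled   = $log.IsEnabled
        Mode      = $log.LogMode          # 'Retain' = "do not overwrite", the mode the post says WinCollect needs
        MaxBytes  = $maxBytes
        FileBytes = $fileBytes
        FillRatio = if ($maxBytes -gt 0) { $fileBytes / $maxBytes } else { 0 }
    }
}

function Test-DnsAnalyticLogFull {
    param([string]$LogName, [double]$Ratio)
    $state = Get-DnsAnalyticLogState -LogName $LogName
    if ($state.Mode -ne 'Retain') {
        Write-Warning "$LogName is in '$($state.Mode)' mode; the post says WinCollect needs 'Retain' (do not overwrite)."
    }
    return ($state.FillRatio -ge $Ratio)
}

function Reset-DnsAnalyticLog {
    param([string]$LogName, [string]$Service)
    # An enabled analytic channel cannot be cleared: disable, clear, re-enable.
    wevtutil set-log   $LogName /enabled:false
    wevtutil clear-log $LogName
    wevtutil set-log   $LogName /enabled:true
    # Restart the collector so it reopens the now-empty log file.
    Restart-Service -Name $Service -ErrorAction Stop
    Write-Output ("Cleared {0} and restarted {1} at {2:u}" -f $LogName, $Service, (Get-Date))
}

$state = Get-DnsAnalyticLogState -LogName $Channel
Write-Output ("{0}: {1:P0} of {2} bytes used, mode {3}, enabled {4}" -f `
    $state.LogName, $state.FillRatio, $state.MaxBytes, $state.Mode, $state.Enabled)

if (Test-DnsAnalyticLogFull -LogName $Channel -Ratio $Threshold) {
    Reset-DnsAnalyticLog -LogName $Channel -Service $ServiceName
} else {
    Write-Output "Below threshold; nothing to do."
}
```

Run it under a scheduled task every few minutes as an account that can clear event logs and restart services. Two caveats worth keeping in mind: anything written between the log filling and the clear is lost regardless, and the clear-and-restart window itself drops a few seconds of queries, so size the channel and pick the threshold so the script fires well before the log actually fills.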