QRadar


Windows DNS logs and DNS Analyser

  • 1.  Windows DNS logs and DNS Analyser

    Posted 14 days ago
    Hmmm
    We are interested in ingesting Windows DNS logs into QRadar so that we can see when machines might start trying to connect to C&C servers etc.  The QRadar DNS Analyser app looks good for this.
    Reading the various manuals and posts, what we really need is the input from the Microsoft DNS Analytics logs because these are designed to run all the time with minimal impact on the server, as opposed to the Debug logs which impact performance.  HOWEVER (and here is the rub), to get WinCollect to read the DNS Analytics log, you have to set the log so that it WILL NOT automatically overwrite the logs when they fill up.  When the logs fill up, logging stops, and you have to manually log onto the DNS server and clear down the log, then restart the WinCollect server, to get log data flowing again.  This seems a trifle....inelegant.
    It's not IBM's fault, it's the way that Microsoft has coded the DNS Analytic logging, and all the products around seem to have the same issue.
    I understand all the above, but the DNS Analyser app is advertised as the be-all and end-all of good things for DNS reporting, but how can it be if you have to manually log onto every one of your Windows DNS servers multiple times a day to clear down the logs and restart the collector?
    Can I please ask anyone out there who is using the DNS Analyser App with Windows DNS logs what they are doing around this issue, and any hints and tips they may have.
    Thanks

    Ross

    ------------------------------
    Ross Wakelin
    ------------------------------
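    The manual routine described above (log on, clear the Analytical channel, restart the collector) can at least be automated so nobody has to do it by hand several times a day. The following is an added example, not code from the thread or from IBM: a PowerShell script meant to run elevated on the DNS server (for instance from a scheduled task) that checks how full the channel is, clears it once it passes a threshold, and restarts the WinCollect agent. The channel name is the standard Microsoft one; the WinCollect service name and the 90% threshold are assumptions.

```powershell
# Added example (not part of the thread). Checks how full the Windows DNS
# Analytical channel is and, once it nears capacity, clears it and restarts
# the WinCollect agent so that event flow resumes. Run elevated on the DNS
# server. Assumptions: the channel name is the standard Microsoft one; the
# WinCollect service name ('WinCollect') is assumed, verify with Get-Service.

$ChannelName   = 'Microsoft-Windows-DNSServer/Analytical'
$ServiceName   = 'WinCollect'   # assumed service name
$FillThreshold = 0.90           # clear once the channel is 90% full

$log = Get-WinEvent -ListLog $ChannelName -ErrorAction Stop

if (-not $log.IsEnabled -or $null -eq $log.FileSize) {
    Write-Warning "$ChannelName is disabled; no DNS analytic events are being written."
    return
}

# WinCollect reads this channel only when it is set to 'Do not overwrite
# events' (LogMode = Retain), which is exactly why it can fill up and stall.
if ($log.LogMode -ne 'Retain') {
    Write-Warning "LogMode is $($log.LogMode); WinCollect expects Retain for this channel."
}

$fill = $log.FileSize / $log.MaximumSizeInBytes
Write-Host ("{0}: {1:N0} of {2:N0} bytes used ({3:P0})" -f `
    $ChannelName, $log.FileSize, $log.MaximumSizeInBytes, $fill)

if ($fill -lt $FillThreshold) {
    Write-Host "Below threshold, nothing to do."
    return
}

# Analytic/debug channels must be disabled before they can be cleared.
wevtutil sl $ChannelName /e:false
wevtutil cl $ChannelName
wevtutil sl $ChannelName /e:true
Write-Host "Cleared $ChannelName."

# Restart the collector so it reopens the channel and resumes forwarding.
Restart-Service -Name $ServiceName -Force
Write-Host "Restarted $ServiceName; DNS events should be flowing again."
```

Clearing discards whatever the collector has not yet read, so the threshold should be set high enough that the task runs well before the channel is full and low enough that a busy server cannot fill the remaining space between two runs; check the channel's MaximumSizeInBytes against the query rate when choosing both the threshold and the schedule.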


  • 2.  RE: Windows DNS logs and DNS Analyser

    Posted 13 days ago

    In my deployment we have a maximum size defined for the DNS debug log, so it is rotated automatically. This setting is in the DNS debug logging section.

    L:




    ------------------------------
    Laszlo Pal
    ------------------------------
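    The rotation Laszlo describes can be set from PowerShell rather than the DNS Manager dialog. The block below is an added example, not code from the thread or from IBM or Microsoft: it turns on file-based debug logging with a maximum file size and automatic rollover using the DnsServer module's Set-DnsServerDiagnostics cmdlet, then reads the settings back. The log path and the 500 MB cap are assumptions; as the original post notes, debug logging carries a performance cost, so measure the impact on one server before rolling it out.

```powershell
# Added example (not from the thread). Configures Windows DNS debug logging
# with a fixed maximum file size and automatic rollover, so the debug log
# rotates on its own instead of needing to be cleared by hand. Run elevated
# on the DNS server; requires the DnsServer PowerShell module. The log path
# and size cap are assumptions; pick a path WinCollect is configured to read.

Import-Module DnsServer

$LogPath   = 'C:\DnsLogs\dns-debug.log'   # assumed path
$MaxSizeMB = 500                           # assumed cap: roll over after 500 MB

New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null

# Log queries and answers over UDP and TCP, both directions, to a file that
# is capped in size and rolled over automatically when it fills.
Set-DnsServerDiagnostics -EnableLoggingToFile $true `
                         -LogFilePath $LogPath `
                         -MaxMBFileSize $MaxSizeMB `
                         -EnableLogFileRollover $true `
                         -Queries $true -Answers $true `
                         -ReceivePackets $true -SendPackets $true `
                         -UdpPackets $true -TcpPackets $true

# Read the settings back to confirm the cap and rollover took effect.
Get-DnsServerDiagnostics |
    Select-Object EnableLoggingToFile, LogFilePath, MaxMBFileSize,
                  EnableLogFileRollover, Queries, Answers
```

With EnableLogFileRollover set, the server starts a new file when the cap is reached instead of stopping, which is what removes the manual clear-and-restart step; the trade-off, as discussed earlier in the thread, is that debug logging is heavier on the server than the Analytical channel.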



  • 3.  RE: Windows DNS logs and DNS Analyser

    Posted 9 days ago
    The DNS Analyser app requires you deploy a QRadar QNI Appliance. If you do not own the QNI Appliance add-on for QRadar, the DNS Analyser application will not provide the value it was created for. It appears you are trying to ingest DNS logs using the app; I suggest you read the documentation and you will clearly see the need for QNI.

    ------------------------------
    Richard Gingras
    QRadar SME
    IBM Security
    Cambridge MA
    ------------------------------



  • 4.  RE: Windows DNS logs and DNS Analyser

    Posted 9 days ago
    Interesting. Nowhere in the DNS Analyser documentation does it say that QNI is REQUIRED. It says that if you want to ingest the flows, then QNI is needed, but it also says that it will work just fine without flows, just using events, even though it won't be so efficient.

    ------------------------------
    Ross Wakelin
    ------------------------------



  • 5.  RE: Windows DNS logs and DNS Analyser

    Posted 8 days ago
    As is mentioned in the IBM Knowledge Center, "The DNS Analyzer app ingests domain request data from both QNI flows and server logs". If I'm not mistaken, there were previously mentions with earlier releases that you should opt to use either logs or flows.
    That said, as Windows handles DNS logging currently, I do not think it is realistically viable for continuous use. Using QNI would enable you to get needed insight.

    ------------------------------
    Dusan VIDOVIC
    ------------------------------