2015-03-25 06:49 AM
Dear All,
I need to collect logs from DNS in SA 10.4.1.
To do this, I enabled DNS logging on our Windows Server 2012.
Now I have a txt file that contains all the DNS queries made by clients.
My question is:
How can I configure SA to collect logs from this file? Is there a parser?
Thanks a lot
samuele
2015-03-25 07:44 AM
Hi Samuele,
If you are able to get the log files from your DNS server, then you need to configure SFTP file collection. It will work the same way as MS DHCP, MS FTP, MS Exchange, etc.
Kindly refer to the SFTP collection document for how to configure the file collection.
I hope this will work.
Regards,
Deepanshu Sood.
2015-03-26 04:56 AM
Hi Deepanshu,
thanks a lot for your help.
I installed and configured sftp collection, without problem.
SA can collect the log file, but SA can't parse the log.
In device type the logs are categorized as unknown.
In the log decoder configuration, I don't find the entry windns in the list of all data that SA can parse.
Can you help me?
Thanks a lot
sam
2015-03-26 06:20 AM
Hi Samuele,
Great…!!!
It's so good to hear this from you.
As we know, as of now RSA SA doesn't support MS DNS, so that's the reason SA isn't able to parse the logs.
You can fill in a form for a Log Parser Request at https://emcinformation.com/64308/REG/.ashx , requesting that they create a parser for MS DNS. But I don't know whether they will create it or not, or the TAT.
In the meantime, you can try to create a parser with the ESI tool for MS DNS, if you have enough knowledge for that, and you can also check on the community whether someone can help you with this.
Otherwise, you can create the rules, reports, etc. based on how the unknown parser is showing the DNS data with its respective details.
Access this link: (Optional) Create Custom Content Typespec for File Collection - RSA Security Analytics Documentation
Regards,
Deepanshu Sood.
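Since SA has no built-in parser for the Windows DNS debug log, a starting point for a custom one is a parser for that file format itself. The following is an added example, not code from either poster or from RSA: it parses packet lines of the Windows Server DNS debug log into structured records and counts queries per client. The field layout is assumed from the Windows DNS debug-log format, and the sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed Windows DNS debug-log packet line layout (constructed sample values below):
#   date time threadid PACKET packetid UDP|TCP Snd|Rcv remoteip xid [R] opcode [flags] qtype name
LINE_RE = re.compile(
    r'^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<thread>[0-9A-F]+) PACKET\s+(?P<pkt>[0-9A-F]+) (?P<proto>UDP|TCP) '
    r'(?P<dir>Snd|Rcv) (?P<ip>\S+)\s+(?P<xid>[0-9a-fA-F]{4})\s+(?P<resp>R?)\s+'
    r'(?P<opcode>\S+) \[(?P<flags>[^\]]*)\] (?P<qtype>\S+)\s+(?P<name>\S+)$'
)

# Constructed sample log: two header lines plus query/response pairs for two clients.
SAMPLE_LINES = [
    "DNS Server log file creation at 3/25/2015 6:49:01 AM",
    "Message logging key (for packets - other items use a subset of these fields):",
    "3/25/2015 6:49:01 AM 0B2C PACKET  00000000028A5B70 UDP Rcv 192.168.1.10    0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)",
    "3/25/2015 6:49:01 AM 0B2C PACKET  00000000028A5B70 UDP Snd 192.168.1.10    0002 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)",
    "3/25/2015 6:49:02 AM 0B2C PACKET  00000000028A6C10 UDP Rcv 192.168.1.23    0003   Q [0001   D   NOERROR] TXT    (8)internal(4)corp(0)",
    "3/25/2015 6:49:02 AM 0B2C PACKET  00000000028A6C10 UDP Snd 192.168.1.23    0003 R Q [8081   DR  NXDOMAIN] TXT    (8)internal(4)corp(0)",
]

def decode_name(label_form: str) -> str:
    """Turn the length-prefixed form '(3)www(7)example(3)com(0)' into 'www.example.com'."""
    labels = re.findall(r'\((\d+)\)([^(]*)', label_form)
    return '.'.join(text for length, text in labels if int(length) > 0)

def parse_line(line: str):
    """Return a dict for a packet line, or None for headers, blanks and other line types."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", '%m/%d/%Y %I:%M:%S %p')
    return {
        'time': ts.isoformat(), 'proto': m['proto'], 'direction': m['dir'],
        'client': m['ip'], 'xid': m['xid'].lower(), 'is_response': m['resp'] == 'R',
        'rcode': m['flags'].split()[-1],   # last token of the flags field, e.g. NXDOMAIN
        'qtype': m['qtype'], 'query': decode_name(m['name']),
    }

def parse_log(lines):
    """Parse every line, silently skipping those that are not packet records."""
    return [r for r in (parse_line(l) for l in lines) if r is not None]

def query_counts(records):
    """Queries received per client IP (responses sent by the server are excluded)."""
    return Counter(r['client'] for r in records if r['direction'] == 'Rcv' and not r['is_response'])
```

The same records could be written out in a fixed key=value line format, which is easier to map in the ESI tool or a custom typespec than the raw debug-log columns.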
2015-04-01 04:07 AM
Dear Deepanshu,
thanks a lot for your reply.
I really appreciate your help.
Have a good day
sam