NetWitness Product Set: NetWitness Platform
NetWitness Product/Service Type: Log Collector, WinRM
NetWitness Version/Condition: 11.x, 12.x
Platform: CentOS 7 / Alma
As per the supported event source guide, DNS server logs are meant to be collected through the File and Syslog integration methods only. However, you might have a requirement to collect DNS server logs through WinRM. DNS logs are generally part of a domain controller’s application channel.
See the "Microsoft Windows DNS Event Source Configuration Guide" :
https://community.netwitness.com/t5/netwitness-platform-integrations/microsoft-windows-dns-event-source-configuration-guide/ta-p/565976
1- You will need assistance from your Windows administrator to create a custom channel that includes the required DNS logs.
2- Create a user account to be used with WinRM and add that user to the “Event Log Readers” group.
3- Run the command below on the Windows server; its output shows the channel configuration, including the channel's current SDDL string:
C:\>wevtutil gl "DNS Server"
4- Copy the SDDL string from the output produced by the Windows server.
Example:
O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;BO)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x3;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;S-1-5-33)
Note: The SDDL string is unique per event log channel and may differ on your system. Do not reuse the example string from the previous step.
5- Run the command below, pasting the SDDL string copied in the previous step and appending the string "(A;;0x1;;;S-1-5-32-573)" to it.
Example:
C:\>wevtutil sl "DNS Server" /ca:existing-SDDL-string(A;;0x1;;;S-1-5-32-573)
The wevtutil sl command sets the configuration of the named event log channel; here the /ca: option replaces the channel's access descriptor (its SDDL) with the extended one.
In the appended ACE "(A;;0x1;;;S-1-5-32-573)", S-1-5-32-573 is the SID of the "Event Log Readers" group, "A" is Allow, and "0x1" grants Read access to the channel.
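As an added example (not part of this article or of NetWitness), the following Python script parses the channelAccess SDDL out of wevtutil gl output, checks whether the Event Log Readers SID already holds the 0x1 read bit, and appends the ACE from step 5 only when it is missing; the wevtutil output it reads is a constructed sample. It goes slightly beyond the article by inserting the ACE at the end of the DACL so that a trailing SACL, if the channel has one, is left intact.

```python
import re

# Well-known SID of BUILTIN\Event Log Readers, the SID the article's step 5 appends.
EVENT_LOG_READERS_SID = "S-1-5-32-573"
READ_ACE = f"(A;;0x1;;;{EVENT_LOG_READERS_SID})"

# Constructed, abridged sample of `wevtutil gl "DNS Server"` output; the
# channelAccess line carries the SDDL that the article says to copy.
SAMPLE_GL_OUTPUT = """name: DNS Server
channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;BO)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x3;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;S-1-5-33)
"""

DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))+)")  # "D:", optional flags, ACE list
ACE_RE = re.compile(r"\(([^)]*)\)")

def extract_channel_access(gl_output: str) -> str:
    """Pull the SDDL out of the channelAccess: line of wevtutil gl output."""
    m = re.search(r"^channelAccess:\s*(\S+)", gl_output, re.MULTILINE)
    if not m:
        raise ValueError("no channelAccess line found")
    return m.group(1)

def parse_dacl(sddl: str) -> list:
    """Split the DACL into ACEs of the form (type;flags;rights;object;inherit;sid)."""
    m = DACL_RE.search(sddl)
    aces = []
    for body in (ACE_RE.findall(m.group(1)) if m else []):
        ace_type, flags, rights, _obj, _inh, sid = body.split(";")
        # Channel ACEs normally carry a hex mask; letter codes (e.g. GR) are left unparsed.
        mask = int(rights, 16) if rights.lower().startswith("0x") else None
        aces.append({"type": ace_type, "flags": flags, "rights": mask, "sid": sid})
    return aces

def has_read_access(sddl: str, sid: str = EVENT_LOG_READERS_SID) -> bool:
    """True when an Allow ACE for `sid` carries the 0x1 (read) bit."""
    return any(a["type"] == "A" and a["sid"] == sid and a["rights"] is not None
               and a["rights"] & 0x1 for a in parse_dacl(sddl))

def grant_event_log_readers(sddl: str) -> str:
    """Return the SDDL with the read ACE added to the DACL; idempotent.
    The ACE goes at the end of the DACL so any trailing SACL ("S:...") survives."""
    if has_read_access(sddl):
        return sddl
    m = DACL_RE.search(sddl)
    if not m:
        raise ValueError("SDDL has no DACL to extend")
    return sddl[:m.end()] + READ_ACE + sddl[m.end():]

if __name__ == "__main__":
    current = extract_channel_access(SAMPLE_GL_OUTPUT)
    print(f'wevtutil sl "DNS Server" /ca:{grant_event_log_readers(current)}')
```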
This will help you in collecting DNS Server logs in NetWitness through the WinRM method.