
Does someone know if it's possible to ingest Windows DNS logs without using NXLog paid version?

  • August 14, 2023
  • 10 replies
  • 24 views


Does someone know if it's possible to ingest Windows DNS logs without using NXLog paid version? Even with other tools like filebeat, does the default parser work?



Don't know, but I also would really like to get a testimony from another customer using something besides paid NXLog or Cribl.


  • Author
  • New Member
  • August 14, 2023

@drew.pilarski after some digging, it seems like only NXLog Enterprise can take the logs from the event viewer. Even Beats can't https://github.com/elastic/beats/issues/2073


cmmartin_google
Staff

You can use the Windows DNS log file, but there can be challenges with it; see https://nxlog.co/news-and-blog/posts/disappearing-dns-debug-log


cmmartin_google
Staff

Otherwise, for high volume, NXLog Enterprise has ETW support.
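As an added example (not from the thread, and not NXLog's or Google's code), here is how a defender would turn on the two native sources the replies above refer to on the DNS server itself: the classic DNS debug log file and the DNS Server analytic ETW channel that ETW-capable agents subscribe to. It assumes an elevated session on a host with the DNS Server role and the DnsServer PowerShell module; the log path and sample count are placeholders.

```powershell
# Added example, not from the thread: enable the two native Windows DNS Server
# sources discussed above and pull a sample from the ETW channel.
# Assumptions: elevated session on a host with the DNS Server role and the
# DnsServer PowerShell module; $DebugLogPath is a placeholder.

$DebugLogPath = 'D:\dnslogs\dns-debug.log'   # placeholder: pick a volume with headroom

# --- Route 1: the DNS debug log file ---------------------------------------
# Text file with one line per query/response. The server caps the file at a
# fixed size and recreates it when the cap is hit, which is the "disappearing
# log" behaviour the thread links to: a file-tailing collector must cope with
# the file being truncated and replaced rather than rotated.
function Enable-DnsDebugLog {
    param([string]$Path = $DebugLogPath)
    Set-DnsServerDiagnostics -Queries $true -Answers $true `
        -ReceivePackets $true -SendPackets $true `
        -UdpPackets $true -TcpPackets $true `
        -EnableLoggingToFile $true -LogFilePath $Path
    # Return the effective settings so a deployment script can check them.
    Get-DnsServerDiagnostics
}

# --- Route 2: the DNS Server analytic (ETW) channel -------------------------
# This is the channel an ETW-capable agent reads. It is off by default;
# wevtutil enables it. Analytic channels must be read oldest-first.
function Enable-DnsAnalyticLog {
    wevtutil.exe sl Microsoft-Windows-DNSServer/Analytical /e:true
}

function Get-DnsAnalyticSample {
    param([int]$Count = 20)
    Get-WinEvent -LogName 'Microsoft-Windows-DNSServer/Analytical' -Oldest -MaxEvents $Count |
    ForEach-Object {
        # Field names differ per event ID (QUERY_RECEIVED carries QNAME/QTYPE/Source);
        # flatten EventData generically instead of hard-coding positions.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Source = $d['Source']
            QName  = $d['QNAME']
            QType  = $d['QTYPE']
        }
    }
}

# Usage (elevated):
# Enable-DnsDebugLog
# Enable-DnsAnalyticLog
# Get-DnsAnalyticSample -Count 10 | Format-Table -AutoSize
```

The analytic channel is the higher-fidelity of the two and does not suffer from the truncation problem, but it is high volume on a busy resolver, which is why the replies above pair it with an ETW-capable agent rather than a file tailer.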


cmmartin_google
Staff

But an alternative, if the DNS servers are VMs, is to use a SPAN / packet mirror to a Chronicle Forwarder listening for DNS.


cmmartin_google
Staff

WinPacketBeat can be installed on the VMs and works to capture DNS via libpcap (if performance isn't an issue)


  • Author
  • New Member
  • September 3, 2023

Thank you for the information!


pigram86
  • Bronze 2
  • September 25, 2023

What about using MS Sysmon, capturing DNS with event ID 22, and sending it to a Windows Event Collector (WEC)?

  • Author
  • New Member
  • September 27, 2023

> What about using MS Sysmon, capturing DNS with event ID 22, and sending it to a Windows Event Collector (WEC)?

Have you tried it?


pigram86
  • Bronze 2
  • September 27, 2023

> Have you tried it?


I have MS Sysmon running on a majority of my clients and grabbing it all with WEC, but mine is going to LogRhythm and not Chronicle SIEM. But in theory it should work, as in a previous position I did the same with NXLog grabbing Sysmon to an ELK stack.

https://docs.nxlog.co/userguide/integrate/sysmon.html

Now for simplicity, you can just use the SwiftOnSecurity Sysmon config. But if you want granular control, I recommend Olaf Hartong's.

https://github.com/SwiftOnSecurity/sysmon-config

https://github.com/olafhartong/sysmon-modular

Again, I don't know your environment, so YMMV.
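The Sysmon event ID 22 route suggested in the two posts above, as an added example that is not from the thread and not from either linked Sysmon config project: a minimal Sysmon rule that records DNS queries, a local reader that flattens event 22 into fields a SIEM parser expects, and a source-initiated WEC subscription that forwards only those events. It assumes Sysmon is already installed on the endpoint, that the schemaversion matches your Sysmon binary (4.90 is an assumption), and that WinRM/GPO client configuration for WEC is handled separately.

```powershell
# Added example, not from the thread: wire Sysmon event ID 22 (DnsQuery) into a
# WEC-based collection pipeline. Assumptions: Sysmon is installed on the host,
# schemaversion 4.90 matches the installed binary, and the subscription is
# created on the collector with wecutil. Run elevated.

# --- 1. Minimal Sysmon config that records DNS queries -------------------------
# onmatch="exclude" with a short exclusion list means "log everything except
# these". Reverse lookups are dropped here purely to trim noise; tune per estate.
# (The linked SwiftOnSecurity / olafhartong configs are fuller replacements.)
$SysmonConfig = @'
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="DNS queries" groupRelation="or">
      <DnsQuery onmatch="exclude">
        <QueryName condition="end with">.in-addr.arpa</QueryName>
      </DnsQuery>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
$ConfigPath = Join-Path $env:TEMP 'sysmon-dns.xml'
Set-Content -Path $ConfigPath -Value $SysmonConfig -Encoding UTF8
# Apply on a host that already has Sysmon installed:
# & "$env:SystemRoot\Sysmon64.exe" -c $ConfigPath

# --- 2. Read event 22 locally and flatten EventData for a quick check ----------
function Get-SysmonDnsQuery {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 22 } `
                 -MaxEvents $MaxEvents -ErrorAction Stop |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # These are the event 22 fields a DNS parser keys on: the querying image,
        # the name asked for, the status and the returned records.
        [pscustomobject]@{
            Time         = $_.TimeCreated
            Computer     = $_.MachineName
            Image        = $d['Image']
            ProcessId    = $d['ProcessId']
            QueryName    = $d['QueryName']
            QueryStatus  = $d['QueryStatus']
            QueryResults = $d['QueryResults']
        }
    }
}

# --- 3. WEC subscription: forward only event 22 from the Sysmon channel -------
# Source-initiated: clients are pointed at the collector by the
# "Configure target Subscription Manager" policy. The XPath in <Query> is what
# keeps the collector from being flooded with every other Sysmon event.
$SubscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2004/02/events/subscription">
  <SubscriptionId>Sysmon-DNS</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Sysmon event 22 (DnsQuery) from domain hosts</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
        <Select Path="Microsoft-Windows-Sysmon/Operational">*[System[(EventID=22)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
'@
$SubPath = Join-Path $env:TEMP 'sysmon-dns-subscription.xml'
Set-Content -Path $SubPath -Value $SubscriptionXml -Encoding UTF8
# On the collector: wecutil cs $SubPath
# Then verify locally on an endpoint:
# Get-SysmonDnsQuery -MaxEvents 10 | Format-Table -AutoSize
```

Two practical notes: forwarded events land in the collector's ForwardedEvents log, so whatever agent ships to the SIEM must read that log, not the Sysmon channel; and event 22 records the resolver's view from the client (process, query, answer), which is a different and often more useful signal than the server-side logs discussed earlier in the thread, but it does not cover DNS traffic from hosts without Sysmon.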