

Does someone know if it's possible to ingest Windows DNS logs without using NXLog paid version? Even with other tools like filebeat, does the default parser work?


Don't know, but I also would really like to get a testimony from another customer using something besides paid NXLog or Cribl.



@drew.pilarski
After some digging, it seems like only NXLog Enterprise can take the logs from the Event Viewer. Even Beats can't:
https://github.com/elastic/beats/issues/2073



You can use the Windows DNS log file, but there can be challenges with it, see:
https://nxlog.co/news-and-blog/posts/disappearing-dns-debug-log



Otherwise, for high volume, NXLog Enterprise has ETW support.



But an alternative, if the DNS servers are VMs, is to use a SPAN / packet mirror to a Chronicle Forwarder listening for DNS.



WinPacketBeat can be installed on the VMs and works to capture DNS via libpcap (if performance isn't an issue).



Thank you for the information!


What about using MS Sysmon, capturing DNS with event ID 22, and sending it to a Windows Event Collector (WEC)?

Have you tried it?

I have MS Sysmon running on a majority of my clients and grabbing it all with WEC, but mine is going to LogRhythm and not Chronicle SIEM. But in theory it should work, as in a previous position I did the same with NXLog grabbing Sysmon to an ELK stack.

https://docs.nxlog.co/userguide/integrate/sysmon.html

Now, for simplicity, you can just use the SwiftOnSecurity Sysmon config. But if you want granular control, I recommend Olaf Hartong's.

https://github.com/SwiftOnSecurity/sysmon-config

https://github.com/olafhartong/sysmon-modular

Again, I don't know your environment, so YMMV.
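To illustrate what the Sysmon route discussed above actually yields once the events reach a collector, here is an added example (not code from this thread, NXLog, Sysmon or Chronicle) that parses a Sysmon Event ID 22 (DnsQuery) record in the Windows event XML format into a flat dict, including the `QueryResults` field, which Sysmon encodes as `;`-separated entries where CNAME answers appear as `type:  5 <name>` and IPv4 answers as IPv4-mapped IPv6 (`::ffff:a.b.c.d`). The sample event is constructed (hostname, process, domain and addresses are made up); the `Data Name` fields are assumed to match Sysmon's DnsQuery schema (`UtcTime`, `ProcessId`, `QueryName`, `QueryStatus`, `QueryResults`, `Image`).

```python
"""Parse Sysmon Event ID 22 (DnsQuery) records exported as Windows event XML.

Added example for the thread above; the sample event is constructed, and the
field names are assumed to follow Sysmon's documented DnsQuery event schema.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML (what Get-WinEvent / WEF forward).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample record; values are made up for this example.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>22</EventID>
    <Computer>host01.example.internal</Computer>
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2023-01-15 10:22:31.123</Data>
    <Data Name="ProcessId">4321</Data>
    <Data Name="QueryName">www.example.com</Data>
    <Data Name="QueryStatus">0</Data>
    <Data Name="QueryResults">type:  5 www.example.com.edgekey.net;::ffff:93.184.216.34;</Data>
    <Data Name="Image">C:\\Program Files\\Example\\example.exe</Data>
  </EventData>
</Event>"""

# DNS RR type numbers that Sysmon spells out as "type: N name" in QueryResults.
RR_TYPE_NAMES = {5: "cname", 2: "ns", 12: "ptr", 15: "mx", 16: "txt"}


def parse_query_results(raw):
    """Split Sysmon's QueryResults string into typed answer records."""
    answers = []
    for entry in raw.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if entry.startswith("type:"):
            # e.g. "type:  5 www.example.com.edgekey.net" -> rtype 5, a CNAME
            rtype_str, _, name = entry[len("type:"):].strip().partition(" ")
            rtype = int(rtype_str)
            answers.append({"kind": RR_TYPE_NAMES.get(rtype, f"rr{rtype}"),
                            "value": name.strip()})
            continue
        if entry.startswith("::ffff:"):
            # Sysmon writes IPv4 answers as IPv4-mapped IPv6 addresses.
            entry = entry[len("::ffff:"):]
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            answers.append({"kind": "unknown", "value": entry})
            continue
        answers.append({"kind": "ipv4" if addr.version == 4 else "ipv6",
                        "value": str(addr)})
    return answers


def parse_dns_event(xml_text):
    """Return a flat record for an Event ID 22, or None for any other event."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", default="", namespaces=NS)
    if event_id.strip() != "22":
        return None
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "host": root.findtext("e:System/e:Computer", default="", namespaces=NS),
        "utc_time": data.get("UtcTime", ""),
        "process_id": int(data.get("ProcessId", "0") or 0),
        "image": data.get("Image", ""),
        "query_name": data.get("QueryName", ""),
        # QueryStatus is the Win32 DNS status; 0 means the lookup succeeded.
        "query_status": int(data.get("QueryStatus", "0") or 0),
        "answers": parse_query_results(data.get("QueryResults", "")),
    }


if __name__ == "__main__":
    record = parse_dns_event(SAMPLE_EVENT_XML)
    print(record)
```

Sysmon only emits Event ID 22 when the config contains a `DnsQuery` rule, so a collector seeing no 22s usually means the rule is missing rather than a WEC problem; both configs linked above enable it. Note also that a failed lookup (non-zero `QueryStatus`) typically carries an empty `QueryResults`, which the parser returns as an empty answer list rather than an error.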
