This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
Webinar May 14th: Gemini's generative AI within Google SecOps
Webinar May 29th: Log Ingestion: Bindplane + Google SecOps
Log in to ask a question

Does someone know if it's possible to ingest Windows DNS logs without using NXLog paid version?

Posted on 08-14-2023 02:52 AM
Roberto_Del
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Does someone know if it's possible to ingest Windows DNS logs without using NXLog paid version? Even with other tools like filebeat, does the default parser work?

0 10 806
0 Likes
10 REPLIES 10

Posted on --/--/---- --:-- AM
Drew_Pilarski
New Member
Reply posted on --/--/---- --:-- AM

dont know but i also would really like to get a testimonay from another customer using something besides paid nxlog or cribl

Posted on --/--/---- --:-- AM
Roberto_Del
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

@Drew_Pilarski after some digging, it seems like only NXLog Enterprise can take the logs from the event viewer. Even Beats can't https://github.com/elastic/beats/issues/2073

0 Likes

Posted on --/--/---- --:-- AM
cmmartin_google
Staff
Reply posted on --/--/---- --:-- AM

You can use the Windows DNS log file, but there can be challenges with it, see - https://nxlog.co/news-and-blog/posts/disappearing-dns-debug-log

0 Likes

Posted on --/--/---- --:-- AM
cmmartin_google
Staff
Reply posted on --/--/---- --:-- AM

Otherwise, for high volume then NX Log Enterprise has ETW support

0 Likes

Posted on --/--/---- --:-- AM
cmmartin_google
Staff
Reply posted on --/--/---- --:-- AM

But an alternative, if the DNS servers are VMs, is use a span / packet mirror to a Chronicle Forwarder listening for DNS

0 Likes

Posted on --/--/---- --:-- AM
cmmartin_google
Staff
Reply posted on --/--/---- --:-- AM

WinPacketBeat can be installed on the VMs and works to capture DNS via libpcap (if performance isn't an issue)

0 Likes

Posted on --/--/---- --:-- AM
Roberto_Del
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Thank you for the information!

0 Likes

Posted on --/--/---- --:-- AM
pigram86
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

What about using MS sysmon and capturing DNS with event ID 22 and send to a windows event collector (wec)?

 

0 Likes

Posted on --/--/---- --:-- AM
Roberto_Del
Bronze 1
Bronze 1
In response to pigram86
Reply posted on --/--/---- --:-- AM

Have you tried it?

0 Likes

Posted on --/--/---- --:-- AM
pigram86
Bronze 4
Bronze 4
In response to Roberto_Del
Reply posted on --/--/---- --:-- AM

I have Ms SYSMON running on a majority of my clients and grabbing it all with WEC, but mine is gong to LogRhythm and not Chronicle SIEM. But in theory it should work as in previous position I did the same with nxlog grabbing sysmon to an ELK stack. 

https://docs.nxlog.co/userguide/integrate/sysmon.html

Now for simplicity, you can just use swiftonsecurity sysmon config. But if you want granular control, I recommend Olaf Hartong's. 

https://github.com/SwiftOnSecurity/sysmon-config

https://github.com/olafhartong/sysmon-modular

Again, I don't know your environment so YMMV, 



 

0 Likes
Top Solution Authors
View all