Appendix G - How to configure DNS Logs collection

Configuring Microsoft 2003 DNS Debug Logging

1. Click Start > Programs > Administrative Tools > DNS.

2. Now that you have the DNS management console open, right-click on your DNS server and select Properties.

3. Now that you have the properties open for your DNS server select Debug Logging.

4. Enable debug logging for DNS packets by ticking Log packets for debugging and selecting the following options:

  • Packet direction: Outgoing, Incoming
  • Transport protocol: UDP, TCP
  • Packet contents: Queries/Transfers, Updates
  • Packet type: Request, Response

5. While still on the Debug Logging tab, define your Log file. The default path for this log file is C:\WINDOWS\system32\dns\dns.log.

Your log file path may differ from the default because of disk space or similar constraints. If it does, make a note of the path; you will need it later when configuring the Windows Agent.

6. Select Apply and OK to save your changes, then proceed to the Configuring Windows Agent section below.

Configuring Microsoft 2008/2012 DNS Debug Logging

1. Click Start > Programs > Administrative Tools > DNS.

2. Now that you have the DNS management console open, right-click on your DNS server and select Properties.

3. Now that you have the properties open for your DNS server select Debug Logging.

4. Enable debug logging for DNS packets by ticking Log packets for debugging and selecting the following options:

  • Packet direction: Outgoing, Incoming
  • Transport protocol: UDP, TCP
  • Packet contents: Queries/Transfers, Updates
  • Packet type: Request, Response

5. While still on the Debug Logging tab, define your Log file. The default path for this log file is C:\WINDOWS\system32\dns\dns.log.
Your log file path may differ from the default because of disk space or similar constraints. If it does, make a note of the path; you will need it later when configuring the Windows Agent.

6. Select Apply and OK to save your changes, then proceed to the Configuring Windows Agent section below.
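The same Debug Logging tab settings (steps 4 and 5 of both the 2003 and the 2008/2012 procedures above) can be applied and read back from an elevated PowerShell session on the DNS server. This is an added example, not part of the original guide: it assumes the DnsServer module that ships with the DNS Server role on Windows Server 2012 and later is installed (Server 2003 and 2008 do not have it, so use the GUI steps there). Each parameter is mapped to its checkbox in the comments; the log path is the guide's default and is the value you will later enter in the Windows Agent's Log File or Directory field.

```powershell
# Added example: apply the Debug Logging tab settings with the DnsServer module
# (Windows Server 2012+, assumed installed). Run elevated on the DNS server.
Import-Module DnsServer

# Same default path as the guide; change it if disk space forces another
# volume, and carry the new path over to the Windows Agent configuration.
$logPath = 'C:\WINDOWS\system32\dns\dns.log'

$settings = @{
    SendPackets          = $true   # Packet direction: Outgoing
    ReceivePackets       = $true   # Packet direction: Incoming
    UdpPackets           = $true   # Transport protocol: UDP
    TcpPackets           = $true   # Transport protocol: TCP
    Queries              = $true   # Packet contents: Queries/Transfers
    Updates              = $true   # Packet contents: Updates
    QuestionTransactions = $true   # Packet type: Request
    Answers              = $true   # Packet type: Response
    EnableLoggingToFile  = $true   # Log packets for debugging
    LogFilePath          = $logPath
}
Set-DnsServerDiagnostics @settings

# Read the configuration back so the Snare Agent is never pointed at a log
# that will not be populated. The full listing shows every packet switch;
# the two checks below cover the settings the agent depends on.
$diag = Get-DnsServerDiagnostics
$diag | Format-List

if (-not $diag.EnableLoggingToFile) {
    throw 'DNS debug logging to file is still disabled'
}
if ($diag.LogFilePath -ne $logPath) {
    throw "Log path is '$($diag.LogFilePath)', expected '$logPath'"
}
"DNS debug logging enabled; packets will be written to $($diag.LogFilePath)"
```

The Format-List output mirrors the checkboxes on the Debug Logging tab, so it doubles as a record of the configuration for change control. Note that the directory holding dns.log must be writable by the DNS Server service, otherwise logging is enabled but no file ever appears.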

Configuring Windows Agent

  1. Navigate to the Enterprise Agent for Windows web interface, available at http://<ip-address>:6161
  2. From the left-hand menu, select Log Configuration

  3. Click the Add button at the bottom of the Log Configuration screen.
    1. Log Type: select Microsoft DNS server logs from the drop-down list.
    2. In Log File or Directory, enter the directory where the DNS logs are stored. If you are unsure of your log path, see step 5 above for help in determining the log directory.
    3. In Log Name Format, enter the log file name format if necessary, and select All Matching Files.
    4. Leave all other settings at their defaults.

  4. Once you have filled in the appropriate fields, click the Change Configuration button.
  5. In the left-hand menu, click Apply Configuration & Restart Service.

  6. You will be redirected to the Status screen once the changes are applied.
  7. Navigate again to the Log Configuration page in the Agent web interface.
  8. Review your log configuration and make sure the value in the Matching File(s) column is black and not red. A filename in black indicates that the Snare Agent has found the current file for processing; a filename in red indicates that the Snare Agent cannot find the file. The Log Error(s) column shows any errors.

Verifying Log Events

Events collected by the Windows Agent are displayed on the Latest Events page of the web interface.
This page shows the 20 most recent events sent to the configured network destination(s). The status of the current network connection(s) to the CTA/LogCollector is also displayed on this screen. The window refreshes automatically every 30 seconds.

Select the Log Audit filter to view events collected from the log files configured under Log Configuration.

Once you are sure you have a proper matching file, review your Log Events to confirm that the contents of the file are being processed and sent to the destination.

Note: Events may be shown with or without a bell icon. Events marked with a bell are the most recently processed entries.
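Before trusting the agent's Matching File(s) colour, it is worth checking on the DNS server itself that dns.log is being written in the packet format the agent expects and that every combination enabled on the Debug Logging tab actually shows up. The following is an added example, not the guide's or Snare's own code: it assumes the guide's default log path, reads the last lines of the file when it exists, and otherwise falls back to three constructed sample lines in the 2008/2012 dns.log layout so that the parser can be tried offline.

```powershell
# Added example: parse Windows DNS debug log PACKET lines and summarise which
# direction/protocol/packet-type combinations are present. Not part of the guide.
$logPath = 'C:\WINDOWS\system32\dns\dns.log'   # guide default; adjust if yours differs

# Layout of one PACKET line (2008/2012):
# date time threadId PACKET packetId UDP|TCP Snd|Rcv remoteIP xid [R] opcode [flags] qtype qname
$pattern = '^(?<Date>\S+)\s+(?<Time>\S+(?:\s+[AP]M)?)\s+(?<Thread>[0-9A-Fa-f]+)\s+PACKET\s+' +
           '(?<Packet>[0-9A-Fa-f]+)\s+(?<Proto>UDP|TCP)\s+(?<Dir>Snd|Rcv)\s+(?<Remote>\S+)\s+' +
           '(?<Xid>[0-9A-Fa-f]+)\s+(?<Resp>R?)\s*(?<Op>\S+)\s+\[(?<Flags>[^\]]*)\]\s+' +
           '(?<QType>\S+)\s+(?<QName>\S+)'

function ConvertFrom-DnsDebugLine {
    param([string]$Line)
    # Header and blank lines do not match and are dropped by the caller.
    if (-not ($Line -match $pattern)) { return $null }
    [pscustomobject]@{
        Timestamp = "$($Matches.Date) $($Matches.Time)"
        Direction = if ($Matches.Dir -eq 'Rcv') { 'Incoming' } else { 'Outgoing' }
        Protocol  = $Matches.Proto
        Type      = if ($Matches.Resp -eq 'R') { 'Response' } else { 'Request' }
        Remote    = $Matches.Remote
        Rcode     = ($Matches.Flags.Trim() -split '\s+')[-1]
        QType     = $Matches.QType
        # "(3)www(7)example(3)com(0)" becomes "www.example.com"
        QName     = ($Matches.QName -replace '\(\d+\)', '.').Trim('.')
    }
}

# Constructed sample lines (not from a real server) so the script runs offline.
$sample = @'
12/29/2014 10:13:10 AM 0D84 PACKET  0000000002C7B1B0 UDP Rcv 192.168.10.5    0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
12/29/2014 10:13:10 AM 0D84 PACKET  0000000002C7B1B0 UDP Snd 192.168.10.5    0002 R Q [8085 A DR  NOERROR] A      (3)www(7)example(3)com(0)
12/29/2014 10:13:12 AM 0D84 PACKET  0000000002C7C3A0 TCP Rcv 192.168.10.7    0003   Q [0001   D   NOERROR] AXFR   (7)example(3)com(0)
'@ -split "`r?`n"

$lines = if (Test-Path $logPath) { Get-Content $logPath -Tail 200 } else { $sample }

$events = $lines | ForEach-Object { ConvertFrom-DnsDebugLine $_ } | Where-Object { $_ }
$events | Format-Table Timestamp, Direction, Protocol, Type, Remote, QType, QName, Rcode -AutoSize

# Every box ticked on the Debug Logging tab should produce at least one group
# here once the server has seen traffic; a missing combination usually means a
# checkbox was left clear or the wrong log file is being read.
$events | Group-Object Direction, Protocol, Type | Select-Object Name, Count
```

With the sample lines the summary shows "Incoming, UDP, Request", "Outgoing, UDP, Response" and "Incoming, TCP, Request"; against a live dns.log you should see all eight direction/protocol/type combinations within a few minutes of normal traffic, and the QName column gives a quick sanity check that queries are being decoded before the agent forwards them.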