Windows DNS log monitoring


Koontz, Scott
Feb 24, 2015, 1:42:20 PM
to ossec...@googlegroups.com

I am attempting to monitor the Windows DNS debug log with the ossec agent in the following configuration:

  <localfile>
    <location>%windir%\System32\dns\dns.log</location>
    <log_format>syslog</log_format>
  </localfile>

But I receive these errors in the agent log:

2015/02/23 15:36:11 ossec-agent(1103): ERROR: Unable to open file 'C:\Windows\System32\dns\dns.log'.
2015/02/23 15:36:11 ossec-agent(1950): INFO: Analyzing file: 'C:\Windows\System32\dns\dns.log'.
2015/02/23 15:40:33 ossec-agent(1904): INFO: File not available, ignoring it: 'C:\Windows\System32\dns\dns.log'.

In case it's relevant, the DNS log level is set to 0x8000E121 and I've also tried 0xE121.

Thanks,

Scott


Brent Morris
Feb 25, 2015, 4:41:41 PM
to ossec...@googlegroups.com

That DNS.log file doesn't get populated until you stop the DNS service.

It looks like it's zero bytes until you stop the DNS service, at which point it fills up the file with data for review...

You'd probably be better off grabbing one of the event channels for DNS-Server > Audit.

Koontz, Scott
Feb 25, 2015, 5:54:35 PM
to ossec...@googlegroups.com

Sorry, that's not correct: it writes in 8KB chunks unless you add the 0x80000000 switch, which forces it to write immediately.

In any event, I tried the Snare Epilog agent and it's able to forward the events just fine. I think it's a bug in the OSSEC agent.

Scott
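The dns.log file discussed in this thread is plain text, so when an agent cannot tail it directly (or when the file is pulled off the server for review) a small parser is the usual fallback. The block below is an added example, not code from the thread, from OSSEC or from Snare. It assumes the packet-line layout the Windows DNS server writes to its debug log (date, time, thread id, the word PACKET, a packet id, UDP/TCP, Snd/Rcv, remote address, transaction id, an R for responses, opcode, a bracketed flags/rcode field, query type, and the length-prefixed name), decodes the (3)www(7)example(3)com(0) name encoding, skips the header block, and summarises queries per client. The log text is constructed for the example and the function names are the example's own.

```python
import re
from collections import Counter

# Constructed sample of a Windows DNS debug log (not from the thread): the header
# block the DNS service writes at file creation, followed by packet lines.
SAMPLE_LOG = """\
DNS Server log file creation at 2/24/2015 1:40:00 PM
Log file wrap at 2/24/2015 1:40:00 PM

Message logging key (for packets - other items use a subset of these fields):
\tField #  Information         Values
\t-------  -----------         ------

2/24/2015 1:42:20 PM 0E98 PACKET  000000B4A2C4F0A0 UDP Rcv 10.0.0.5        0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
2/24/2015 1:42:20 PM 0E98 PACKET  000000B4A2C4F0A0 UDP Snd 10.0.0.5        0002 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
2/24/2015 1:42:21 PM 0E98 PACKET  000000B4A2C4F1B0 UDP Rcv 10.0.0.7        00a3   Q [0001   D   NOERROR] TXT    (15)aGVsbG8gd29ybGQ(7)example(3)net(0)
2/24/2015 1:42:22 PM 0E98 PACKET  000000B4A2C4F2C0 TCP Rcv 10.0.0.5        0003   Q [0001   D   NOERROR] AAAA   (3)www(7)example(3)com(0)
2/24/2015 1:42:23 PM 0E98 PACKET  000000B4A2C4F3D0 UDP Rcv 10.0.0.5        0004   Q [0001   D   NOERROR] PTR    (1)5(1)0(1)0(2)10(7)in-addr(4)arpa(0)
"""

# One packet line. The "qr" group is "R" on responses and empty on queries; the
# bracketed part holds the hex flags, optional flag letters (A/T/D/R) and the rcode.
PACKET_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<thread>[0-9A-F]{4})\s+PACKET\s+(?P<packet>[0-9A-F]+)\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<direction>Snd|Rcv)\s+(?P<remote>\S+)\s+"
    r"(?P<xid>[0-9a-fA-F]{4})\s+(?P<qr>R?)\s+(?P<opcode>\S)\s+"
    r"\[(?P<inside>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)


def decode_name(encoded):
    """Turn '(3)www(7)example(3)com(0)' into 'www.example.com'; '(0)' is the root."""
    labels = []
    for length, label in re.findall(r"\((\d+)\)([^()]*)", encoded):
        # The declared length must match the label; a mismatch means a damaged line.
        if len(label) != int(length):
            raise ValueError(f"label length mismatch in {encoded!r}")
        if label:
            labels.append(label)
    return ".".join(labels) if labels else "."


def parse_packet_line(line):
    """Return a dict for a packet line, or None for header/blank/unparsable lines."""
    m = PACKET_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    inside = f["inside"].split()  # e.g. ['8081', 'DR', 'NOERROR']
    if len(inside) < 2:
        return None
    try:
        qname = decode_name(f["qname"])
    except ValueError:
        return None
    return {
        "timestamp": f"{f['date']} {f['time']}",
        "thread": f["thread"],
        "proto": f["proto"],
        "direction": f["direction"],
        "remote": f["remote"],
        "xid": f["xid"].lower(),
        "is_response": f["qr"] == "R",
        "opcode": f["opcode"],
        "flags_hex": inside[0],
        "flag_chars": "".join(inside[1:-1]),
        "rcode": inside[-1],
        "qtype": f["qtype"],
        "qname": qname,
    }


def parse_log(text):
    """Parse every packet line in a debug-log text, skipping everything else."""
    return [r for r in (parse_packet_line(l) for l in text.splitlines()) if r]


def queries_per_client(records):
    """Count inbound queries (received, not responses) per remote address."""
    return Counter(r["remote"] for r in records
                   if r["direction"] == "Rcv" and not r["is_response"])


def long_queries(records, max_len=40):
    """Names longer than max_len in inbound queries; a cheap first triage filter."""
    return [r["qname"] for r in records
            if not r["is_response"] and len(r["qname"]) > max_len]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} packet records")
    for client, n in queries_per_client(recs).most_common():
        print(f"{client}: {n} queries")
    print("long names:", long_queries(recs, max_len=25))
```

Because the regex anchors on the fixed PACKET column layout, the header block and the "Message logging key" lines fall through to None instead of producing half-filled records, and the label-length check in decode_name drops lines that were cut mid-write rather than silently yielding a wrong name.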
