Hello Ismail,
You should be able to do it even from the ossec.conf of the agent or through Centralized Configuration; you can specify which Event Logs, besides the regular ones, you need to monitor:
<localfile>
  <location>Directory Service</location>
  <log_format>eventchannel</log_format>
</localfile>
<localfile>
  <location>Microsoft-Windows-DNSServer/Analytical</location>
  <log_format>eventchannel</log_format>
</localfile>
<localfile>
  <location>Microsoft-Windows-DHCP Server Events/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

After adding this in Centralized Configuration, the agent will be restarted automatically; if you do this from the config file of the agent, you need to restart it manually to apply the changes.
You will start seeing these lines in the agent’s log:
2021/12/23 04:09:52 wazuh-agent: INFO: (1951): Analyzing event log: 'Directory Service'.
2021/12/23 04:09:52 wazuh-agent: INFO: (1951): Analyzing event log: 'Microsoft-Windows-DNSServer/Analytical'.
2021/12/23 04:09:52 wazuh-agent: INFO: (1951): Analyzing event log: 'Microsoft-Windows-DHCP Server Events/Operational'.

This means the agent is reading those logs and sending the changes to the Wazuh manager.
In general, we have rules for the most critical events, but not all of them, so when you add any event log for monitoring, you may have to write rules in order to generate the corresponding alerts.
For these Event Logs, I wrote these generic rules. They will catch ALL the logs on those Event Logs (Information, Warning, Error, Critical), so my recommendation is to write some specific rules to filter the alerts you want to receive:
<group name="win-custom,">
  <rule id="111222" level="3">
    <if_group>windows</if_group>
    <field name="win.system.channel">^Directory Service$</field>
    <description>Directory Service Logs</description>
    <options>no_full_log</options>
    <group>directory_service,</group>
  </rule>
  <rule id="111223" level="3">
    <if_group>windows</if_group>
    <field name="win.system.channel">^Microsoft-Windows-DNSServer/Analytical$</field>
    <description>DNS Server Event Logs</description>
    <options>no_full_log</options>
    <group>dns_server,</group>
  </rule>
  <rule id="111224" level="3">
    <if_group>windows</if_group>
    <field name="win.system.channel">^Microsoft-Windows-DHCP Server Events/Operational$</field>
    <description>DHCP Server Event Logs</description>
    <options>no_full_log</options>
    <group>dhcp_server,</group>
  </rule>
</group>

If you want to go the filtering way, it is easy: you have to silence these rules and use them as parent rules for your custom rules.
After applying these rules and restarting the Wazuh Manager service, you should see some alerts in your Kibana UI.
I hope this is useful for you.
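An added example of the filtering approach described in the reply above (this is not code from the original post): it assumes the three parent rules 111222-111224 have been changed to level="0" so they no longer alert on their own, and the child rules below match on them via if_sid. The child rule ids, alert levels, the severity values and the event ID 9999 are assumed placeholders to adapt to your environment.

```xml
<group name="win-custom,">
  <!-- Assumes parent rules 111222, 111223 and 111224 from the reply above
       were edited to level="0" (silenced). Children below inherit their
       channel match and only fire on the subset you care about. -->

  <!-- Directory Service: only Error and Critical events.
       win.system.severityValue is the eventchannel severity field. -->
  <rule id="111230" level="7">
    <if_sid>111222</if_sid>
    <field name="win.system.severityValue">^ERROR$|^CRITICAL$</field>
    <description>Directory Service $(win.system.severityValue): event $(win.system.eventID)</description>
    <options>no_full_log</options>
    <group>directory_service,</group>
  </rule>

  <!-- DNS Server Analytical: a single event ID of interest.
       9999 is a placeholder; replace it with the real DNS event ID(s). -->
  <rule id="111231" level="5">
    <if_sid>111223</if_sid>
    <field name="win.system.eventID">^9999$</field>
    <description>DNS Server: event $(win.system.eventID) on $(win.system.computer)</description>
    <options>no_full_log</options>
    <group>dns_server,</group>
  </rule>

  <!-- DHCP Server Operational: Warning and above. -->
  <rule id="111232" level="5">
    <if_sid>111224</if_sid>
    <field name="win.system.severityValue">^WARNING$|^ERROR$|^CRITICAL$</field>
    <description>DHCP Server $(win.system.severityValue): event $(win.system.eventID)</description>
    <options>no_full_log</options>
    <group>dhcp_server,</group>
  </rule>

  <!-- Cross-channel rule: any Critical event from the three monitored
       logs, regardless of which channel it came from. -->
  <rule id="111233" level="10">
    <if_sid>111222,111223,111224</if_sid>
    <field name="win.system.severityValue">^CRITICAL$</field>
    <description>Critical event in $(win.system.channel): event $(win.system.eventID)</description>
    <options>no_full_log</options>
    <group>windows_critical,</group>
  </rule>
</group>
```

Child rules must use ids that do not collide with the parents, and a higher-numbered rule wins when several children match the same event, so keep the more specific rule last.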