Integration steps required for Windows DNS

[ismailctest C]

Hi,

We need to collect the logs from the windows DNS server.

Kindly provide the configuration steps in Windows DNS and Wazuh manager side to collect the logs.

Can we get the standard use cases also for windows DNS?

[Juan Antonio Garcia Ruiz]

Good morning Ismailctest, I'm Juan from the Wazuh team, pleased to be able to help you.

There isn't a guide to collect the logs from the Windows DNS server. However, this shouldn't be a complex task for you to configure. You simply have to perform two steps on your AD controller.
First, enable DNS logging and store the logs in a specific location. As a second step, configure the <localfile> capability on your Wazuh agent installed on your AD controller to collect the DNS query logs and forward them to the Wazuh manager.

Follow this localfile - Local configuration (ossec.conf) guide to configure log collection on your Wazuh agent.

I hope this can help you, regards.

[ak]

The windows DNS queries may some special characters with brackets. This needs to be handled as well. Could get this via logstash. Is there is a better way?

[Juan Antonio Garcia Ruiz]

Good morning ak
Yes, through Logstash you can include a filter that analyzes DNS queries to handle special characters.

I hope it's helpful. Best regards!

[ismailctest C]

Hi,

How to enable DNS logging?

[Juan Antonio Garcia Ruiz]

Here is a link that explains how to enable DNS logging:
https://www.ibm.com/docs/en/dsm?topic=debug-enabling-dns-debugging-windows-server