IBM Support

QRadar WinCollect: Collecting DNS Server Analytic Logs

Education


Abstract

How to collect DNS Analytic logs using WinCollect: Configure Windows to collect analytic logs and add an XPath to the Agent log source to collect the logs.

Content

Collecting DNS Analytic Logs (XPath)

To configure Windows to collect DNS Server analytic logs you must perform the following steps in the Event Viewer:

Note: If the DNS server is running Windows Server 2012 R2, download the hotfix from, Update adds query logging and change auditing to Windows DNS servers

  1. Type eventvwr.msc at an elevated command prompt and press ENTER to open Event Viewer.

  2. In Event Viewer, navigate to Applications and Services Logs\Microsoft\Windows\DNS-Server.

  3. Right-click DNS-Server, point to View, and then click Show Analytic and Debug Logs. The Analytical log will be displayed.

  4. Right-click Analytical and then click Properties.

  5. Under When maximum event log size is reached, choose Do not overwrite events (Clear logs manually), select the Enable logging checkbox, and click OK when you are asked if you want to enable this log. See the following example.

    DNS Logging

    CAUTION:  Step 5 is very important, if you do not configure this the WinCollect agent will not be able to collect the Analytical log.  This is a limitation due to the logs being stored in etl format. You will see this in the debug logs if this step is not performed:
      
    01-15 11:03:05.317 DEBUG Device.WindowsLog.W2K8.localhost.XPath : Error subscribing to <QueryList><Query Id="1" Path="Security"><Select Path="Microsoft-Windows-DNSServer/Analytical">*[System[Provider[@Name='Microsoft-Windows-DNSServer']]] and *[System[TimeCreated[@SystemTime &gt; '2019-01-15T18:03:00.210645675Z']]]</Select></Query></QueryList>  --  Error code 15022: The requested operation cannot be performed over an enabled direct channel. The channel must first be disabled before performing the requested operation.
​

    Microsoft explains this error here:  Error when enabling Analytic or Debug event log

    WARNING:  You will need to manually clear the Analytical log and restart the WinCollect agent when the event log is full. As previously mentioned, this is a limitation due to the logs being stored in etl format.

  6. Click OK again to enable the DNS Server Analytic event log. By default, analytic logs are written to the file:
     %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-DNSServer%4Analytical.etl.

Add XPath to WinCollect Agent

In the log source add the following XPath:
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-DNSServer/Analytical">
    <Select Path="Microsoft-Windows-DNSServer/Analytical">*</Select>
  </Query>
</QueryList>​

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"Wincollect","Platform":[{"code":"PF033","label":"Windows"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
17 February 2021

UID

ibm10795576

Page Feedback