Collecting DNS Analytic Logs by using XPath

To collect DNS Analytic logs by using WinCollect, you must first configure Windows to collect analytic logs and then add an XPath to the WinCollect Agent log source to collect the logs and send them to QRadar®.

1. To open the Event Viewer, type eventvwr.msc at an elevated command prompt, and press Enter.
2. Go to Applications and Services Logs\Microsoft\Windows\DNS-Server.
3. Right-click DNS-Server, and then click View > Show Analytic and Debug Logs.
4. Right-click the Analytical log, and then click Properties.
5. In the When maximum event log size is reached section, choose Do not overwrite events (Clear logs manually), select Enable logging, and then click OK on the resulting dialog box.
   Important: If you do not select this option, the WinCollect Agent can't collect the Analytical log, because the logs are stored in etl format. For more information, see https://support.microsoft.com/en-ca/help/2488055/error-when-enabling-analytic-or-debug-event-log.
6. Click OK to enable the DNS Server Analytic event log.
   Attention: You must manually clear the logs and restart the agent when the event log is full.
7. In the log source, add the following XPath to the WinCollect Agent:

   <QueryList>
     <Query Id="0" Path="Microsoft-Windows-DNSServer/Analytical">
       <Select Path="Microsoft-Windows-DNSServer/Analytical">*</Select>
     </Query>
   </QueryList>​