IBM Support

QRadar: How do I use WinCollect to import DNS Debug logs?

Troubleshooting


Problem

How do I use WinCollect to import DNS Debug logs?

Resolving The Problem

Before you begin: In QRadar 7.3.0 and above, this is installed by default. WinCollect 7.2.5 Agent or above must be installed on the Console as a prerequisite to installing this DSM. See this link on how to install the WinCollect Agent on the Console.
Installing and upgrading the WinCollect application on QRadar appliances

In order to parse MS DNS debug logs you need to install DSM-MicrosoftDNS-7.2-20151021075942.noarch.rpm or above on the QRadar Console.

  1. Using this link, log in to fix central and download the Microsoft DNS Debug DSM.

    7.2.0-QRADAR-DSM-MicrosoftDNS-7.2-20151021075942.noarch.rpm
  2. Using WinSCP or equivalent SCP tool, move the DSM to the console
  3. To install the DSM, use this command
    yum install -y 7.2.0-QRADAR-DSM-MicrosoftDNS-7.2-20151021075942.noarch.rpm
  4. Log in to the QRadar User Interface.
  5. Click Admin tab > Deploy Changes.
  6. Click Log Sources icon > Add.
  7. From the drop down menu select Log Source type Microsoft DNS Debug and Protocol WinCollect Microsoft DNS Debug.





Where do you find more information?

[{"Product":{"code":"SSBQAC","label":"IBM QRadar SIEM"},"Business Unit":{"code":"BU008","label":"Security"},"Component":"WinCollect","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.2;7.3","Edition":""}]

Document Information

Modified date:
10 May 2019

UID

swg22002217