Azure Sentinel - DNS Data Connector - Not showing data for on-prem DNS Server


While trying to integrate DNS into Azure Sentinel, I am not seeing any logs come in from the on-prem server. The server is a Windows Server 2012 R2 with DNS logging enabled. The connector shows as connected, and is green in Azure Sentinel, but no logs are coming through. I also tried connecting with a DNS server in Azure, and I was able to see logs from the Azure server but not the on-prem server. It seems there is an issue with DNS logging from the on-prem server. 

Is anyone else having this issue?


4 Replies

@akhalili Any chance you have a firewall blocking traffic?  Are you getting any logs from on-prem?

@Gary Bushey There is no firewall rule that would block this and I still don't see any logs coming in from on-prem.

@akhalili You can also try to regenerate either the primary or second key and modify the configuration to use the new key just to make sure the key entered is correct and working.

@akhalili: I think this should be handled as a support ticket. That said, trying to troubleshoot on a forum: do you get heartbeat from the agent on the on-prem DC?