SOLVED

Collecting DNS logs from multiple DNS sources and forwarding to Azure Sentinel

Contributor

Hi folks,

We have a scenario where one of the clients has set up a Windows-based Log Collector to collect DNS logs from multiple DNS servers (I am assuming they are using WinCollect). The client doesn't want to install the MMA agent on all DNS servers; rather, they want the agent installed on their Log Collector (Windows machines used for collecting logs) and use it to forward the logs to Azure Sentinel.

[Image: FahadAhmed_0-1637574686445.png (architecture diagram)]

I have made up a simple architecture diagram to explain the same. The following are my questions:

1. Can the MMA agent forward the DNS event logs to Azure Sentinel? (I am assuming it will take all the logs in the Windows Event Viewer and send them to Azure Sentinel.)

2. There are two possibilities in terms of log collection: the collected DNS logs from multiple servers will either be stored in local files or in Event Viewer. In case they are in Event Viewer, I think the MMA agent will automatically pick them up and send them to Sentinel?

3. In case they are stored in a file locally on the server, which agent will be required? I don't see any option in Sentinel to pick logs from custom locations.

Can anyone help identify which agent can actually pick up the logs collected and forward them to Sentinel?

Need some quick advice here.

Thanks
Fahad.
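As an added example (not part of the original post), the following PowerShell check answers questions 2 and 3 empirically on the collector itself: which event-log channels the DNS events actually land in (WEF subscriptions write to ForwardedEvents; a DNS server logging locally uses its own channels), whether text files exist at an assumed collector directory, and which of the three agents is installed. The directory path is an assumption; the service names (HealthService for MMA, AzureMonitorAgent for AMA, himds for the Arc Connected Machine agent) are the real ones.

```powershell
# Added example, not from the original thread: inventory where DNS events land on a
# Windows log collector and which Azure agents are present before picking a connector.

# 1. Event-log based collection. Channels that may hold DNS events on this host.
$channels = @(
    'ForwardedEvents',                         # WEF subscriptions deliver here
    'DNS Server',                              # classic DNS Server log (only on a DNS server)
    'Microsoft-Windows-DNSServer/Audit',       # DNS audit events (2012 R2 and later)
    'Microsoft-Windows-DNSServer/Analytical'   # query logging; disabled by default
)
foreach ($ch in $channels) {
    $log = Get-WinEvent -ListLog $ch -ErrorAction SilentlyContinue
    if (-not $log) { "$ch : channel not present"; continue }
    "$ch : enabled=$($log.IsEnabled) records=$($log.RecordCount)"
}

# Which source hosts and providers are arriving through WEF (most recent 500 events)
Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents' } -MaxEvents 500 -ErrorAction SilentlyContinue |
    Group-Object MachineName, ProviderName |
    Select-Object Name, Count

# 2. File based collection. Assumed example path for a collector that writes text logs.
$dnsLogDir = 'C:\LogCollector\dns'
if (Test-Path $dnsLogDir) {
    Get-ChildItem $dnsLogDir -Filter '*.log' |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 5 Name, Length, LastWriteTime
} else {
    "$dnsLogDir : no file-based DNS logs at the assumed path"
}

# 3. Installed agents: HealthService = MMA, AzureMonitorAgent = AMA, himds = Arc agent
foreach ($svc in 'HealthService', 'AzureMonitorAgent', 'himds') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    "$svc : " + $(if ($s) { $s.Status } else { 'not installed' })
}
```

Run it in an elevated PowerShell session on the collector; the channel and agent lines tell you whether the events are in Event Viewer (and therefore reachable by an event-log connector) or only on disk, which is the distinction the three questions turn on.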

3 Replies

Windows Event Forwarding (WEF) is supported by the AMA, not MMA; please see https://docs.microsoft.com/en-us/azure/sentinel/whats-new#windows-forwarded-events-connector-now-available-public-preview

best response confirmed by FahadAhmed (Contributor)
Hi Clive, thank you for the prompt response. I have gone through the link and got an idea that we need to deploy the AMA agent and have Azure Arc deployed for on-premises machines.
However, I cannot find a quick link to download and deploy both the AMA agent and Azure Arc for on-premises. Can you please share the link (much appreciated).

Quick Update 1: I got how to deploy Azure Arc from the link below; now trying to explore how to get AMA installed on on-premises servers.

https://www.youtube.com/watch?v=QEU0h8BR7Yg

Quick Update 2:

From the link below, I am getting an understanding that once you install Azure Arc on an on-premises server, you will be able to manage and see it through the Azure portal, and then we can use the different deployment methods listed in the link to install AMA on on-premises machines. (Please correct me if I am wrong.)

https://docs.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgen...

Also, please clarify if Azure Connected Machine agent = Azure Arc agent. (Sorry, I am new to Microsoft technologies.)

Thanks
Fahad.
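As an added example (not from the thread or from Microsoft's documentation), this PowerShell script shows the deployment path described in Quick Update 2: once the server is onboarded with the Azure Connected Machine agent (that is the Arc agent for servers), the AMA is pushed to it as an Arc extension from the Azure side, and a Data Collection Rule is associated so the forwarded events reach the workspace. It uses the Az.ConnectedMachine and Az.Monitor cmdlets; the resource group, machine name, region and DCR resource ID are placeholders, and the DCR itself is assumed to exist already (the Windows Forwarded Events connector creates one).

```powershell
# Added example, not from the original thread: install AMA on an Arc-enabled
# on-premises Windows server and attach a Data Collection Rule.
# Requires: Az.Accounts, Az.ConnectedMachine, Az.Monitor modules.
# Prerequisite: the server is already connected with the Azure Connected Machine (Arc) agent.

$rg       = 'rg-sentinel-collectors'   # placeholder: resource group holding the Arc machine
$machine  = 'logcollector01'           # placeholder: Arc machine resource name
$location = 'westeurope'               # placeholder: region of the Arc machine resource
# placeholder: resource ID of an existing "Windows Forwarded Events" DCR
$dcrId    = '/subscriptions/<sub-id>/resourceGroups/rg-sentinel-collectors/providers/Microsoft.Insights/dataCollectionRules/dcr-forwarded-events'

Connect-AzAccount | Out-Null

# 1. Confirm the machine is visible through Arc before pushing any extension
$arc = Get-AzConnectedMachine -ResourceGroupName $rg -Name $machine
"Arc status: $($arc.Status)  agent version: $($arc.AgentVersion)"

# 2. Deploy the Azure Monitor Agent as an Arc VM extension
New-AzConnectedMachineExtension -ResourceGroupName $rg -MachineName $machine -Location $location `
    -Name 'AzureMonitorWindowsAgent' `
    -Publisher 'Microsoft.Azure.Monitor' `
    -ExtensionType 'AzureMonitorWindowsAgent' | Out-Null

# 3. Associate the DCR with this machine so AMA knows which logs to collect
New-AzDataCollectionRuleAssociation -TargetResourceId $arc.Id `
    -AssociationName 'dcra-forwarded-events' -RuleId $dcrId | Out-Null

# 4. Verify the extension provisioned and the association is in place
Get-AzConnectedMachineExtension -ResourceGroupName $rg -MachineName $machine |
    Where-Object Name -eq 'AzureMonitorWindowsAgent' |
    Select-Object Name, ProvisioningState

Get-AzDataCollectionRuleAssociation -TargetResourceId $arc.Id |
    Select-Object Name, DataCollectionRuleId
```

The extension name, publisher and type are the values the linked install page uses for Windows; the association step is what actually ties the agent to a Sentinel data stream, so a machine that shows a healthy extension but no association will still send nothing.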

Hi Mark, the client postponed this integration part. However, your proposed solution seems the best fit. Thanks anyway for your prompt input and support.