Forum Discussion
DNS Logs Onboarding
- Dec 07, 2020
CliveWatson This is indeed NEEDED (and very well hidden... I'm not mentioning anything because it is tagged as "preview" solution)... to get logs from client requests to pop into Sentinel.
My original question and now answer is:
On the sub-step mentioned on the guide (DNS Logging and Diagnostics | Microsoft Docs - Step To enable DNS diagnostic logging - Substep 5) to enable the analytics, if you click on "do not overwrite" the file grows forever (very very bad for production)... AND it displays into Event Viewer. If you set a limit though (like 102400 == 100MB) then log is overwritten and it still works FINE for Sentinel BUT... you can't see the logs inside event viewer any more. This is a non-issue on production.
My suggestion for new implementations:
Activate Analytics as on the guide and do an nslookup to check if you get a log inside eventviewer, then follow your link and mess about with the solution config (needed!!!), then do another nslookup and see if the log comes to sentinel. The moment you start seeing logs flowing to Sentinel you can go back into event viewer, disable analytics on DNS for a second and change to overwrite logs as needed (set a 100-1000MB limit depending on the server load) and re-enable (needs a disable else it crashes). You will lose the view from event viewer but your server won't get filled with useless logs.
If you ever re-register/update the agent you need to mess with the DNS solution Config again on the workspace to make it work again btw!
Thank you all for your tips. In the end... a Lab and lots of trial/error did it. This solution certainly needs better documentation. If anyone from MS sees this I'd be glad to help while I have it recent and can reproduce for snapshots etc for your guide.
Best,
Andreas
- CliveWatsonDec 07, 2020MicrosoftHave you tried? https://techcommunity.microsoft.com/t5/azure-sentinel/connecting-dns-analytics-azure-sentinel/m-p/894427
- AndreasSkyDec 07, 2020Copper Contributor
CliveWatson This is indeed NEEDED (and very well hidden... I'm not mentioning anything because it is tagged as "preview" solution)... to get logs from client requests to pop into Sentinel.
My original question and now answer is:
On the sub-step mentioned on the guide (DNS Logging and Diagnostics | Microsoft Docs - Step To enable DNS diagnostic logging - Substep 5) to enable the analytics, if you click on "do not overwrite" the file grows forever (very very bad for production)... AND it displays into Event Viewer. If you set a limit though (like 102400 == 100MB) then log is overwritten and it still works FINE for Sentinel BUT... you can't see the logs inside event viewer any more. This is a non-issue on production.
My suggestion for new implementations:
Activate Analytics as on the guide and do an nslookup to check if you get a log inside eventviewer, then follow your link and mess about with the solution config (needed!!!), then do another nslookup and see if the log comes to sentinel. The moment you start seeing logs flowing to Sentinel you can go back into event viewer, disable analytics on DNS for a second and change to overwrite logs as needed (set a 100-1000MB limit depending on the server load) and re-enable (needs a disable else it crashes). You will lose the view from event viewer but your server won't get filled with useless logs.
If you ever re-register/update the agent you need to mess with the DNS solution Config again on the workspace to make it work again btw!
Thank you all for your tips. In the end... a Lab and lots of trial/error did it. This solution certainly needs better documentation. If anyone from MS sees this I'd be glad to help while I have it recent and can reproduce for snapshots etc for your guide.
Best,
Andreas
- CliveWatsonDec 08, 2020Microsoft
AndreasSky thank you so much for the detailed feedback, a new DNS option is being planned.... I'll say more when I have something I can share. Thanks Clive