Dec 04 2020 02:27 AM
Hello Everyone!
Me and my team are starting to onboard On-Prem stuff and we thought DNS would be an easy one 🙂
From what I gather from guide, Windows Server 2016 has already some analytics enabled but the guide says to turn them on and actually set the logfile to never overwrite (DNS Logging and Diagnostics | Microsoft Docs - Step To enable DNS diagnostic logging - Substep 5). Isn't this an issue for Production Domain Controller Servers?
Furthermore, are the steps under "Using ETW consumers" needed to collect logs with the Sentinel/Log Analytics Agent? The "DNS Analytics" solution too?
Thanking you all in advance for the assist!
Andreas
Dec 04 2020 05:28 AM
@AndreasSky I would ignore that documentation in favor of using the "DNS (Preview)" data connector. It seems to be fairly simple. You install the Microsoft Monitor Agent on your DNS server(s) and then install the DNS solution.
Dec 04 2020 09:32 AM
@Gary Bushey Hmmm I see...
I have done so but I didn't see DNS Lookups come through until I also enabled those steps... but I also had to go to the DNS solution and play with settings a bit to have them load up and that happened after I already followed the previous steps...
Do you think these steps are not necessary any more and just installing MMA + playing with DNS Analytics Solution would have done it?
Dec 04 2020 11:01 AM
@AndreasSky I would have thought that any additional steps needed would have been listed but I have not actually tried this Data Connector myself.
Dec 05 2020 02:24 AM
@Gary Bushey That's ok. I appreciate the answer in any case! I will keep experimenting on Lab Servers but I am unsure of using in production as-is.
Anyone else that maybe has played/uses it regularly? Does the log file grow forever? How is this handled on your servers?
Dec 07 2020 08:32 AM
Dec 07 2020 09:18 AM - edited Dec 07 2020 09:23 AM
Solution@CliveWatson This is indeed NEEDED (and very well hidden... I'm not mentioning anything because it is tagged as "preview" solution)... to get logs from client requests to pop into Sentinel.
My original question and now answer is:
On the sub-step mentioned on the guide (DNS Logging and Diagnostics | Microsoft Docs - Step To enable DNS diagnostic logging - Substep 5) to enable the analytics, if you click on "do not overwrite" the file grows forever (very very bad for production)... AND it displays into Event Viewer. If you set a limit though (like 102400 == 100MB) then log is overwritten and it still works FINE for Sentinel BUT... you can't see the logs inside event viewer any more. This is a non-issue on production.
My suggestion for new implementations:
Activate Analytics as on the guide and do an nslookup to check if you get a log inside eventviewer, then follow your link and mess about with the solution config (needed!!!), then do another nslookup and see if the log comes to sentinel. The moment you start seeing logs flowing to Sentinel you can go back into event viewer, disable analytics on DNS for a second and change to overwrite logs as needed (set a 100-1000MB limit depending on the server load) and re-enable (needs a disable else it crashes). You will lose the view from event viewer but your server won't get filled with useless logs.
If you ever re-register/update the agent you need to mess with the DNS solution Config again on the workspace to make it work again btw!
Thank you all for your tips. In the end... a Lab and lots of trial/error did it. This solution certainly needs better documentation. If anyone from MS sees this I'd be glad to help while I have it recent and can reproduce for snapshots etc for your guide.
Best,
Andreas
Dec 08 2020 02:30 AM
@AndreasSky thank you so much for the detailed feedback, a new DNS option is being planned.... I'll say more when I have something I can share. Thanks Clive
Dec 08 2020 01:05 PM
@CliveWatson Thank you for those news. Can't say I was excited to see the solution as is. May I please bother you on another related question? Does the DNS solution (that has a "malicious" field) evaluate the ...maliciousness of a DNS lookup as it is now or is it just future planning? I haven't been able to trigger a reaction from it.
Dec 07 2020 09:18 AM - edited Dec 07 2020 09:23 AM
Solution@CliveWatson This is indeed NEEDED (and very well hidden... I'm not mentioning anything because it is tagged as "preview" solution)... to get logs from client requests to pop into Sentinel.
My original question and now answer is:
On the sub-step mentioned on the guide (DNS Logging and Diagnostics | Microsoft Docs - Step To enable DNS diagnostic logging - Substep 5) to enable the analytics, if you click on "do not overwrite" the file grows forever (very very bad for production)... AND it displays into Event Viewer. If you set a limit though (like 102400 == 100MB) then log is overwritten and it still works FINE for Sentinel BUT... you can't see the logs inside event viewer any more. This is a non-issue on production.
My suggestion for new implementations:
Activate Analytics as on the guide and do an nslookup to check if you get a log inside eventviewer, then follow your link and mess about with the solution config (needed!!!), then do another nslookup and see if the log comes to sentinel. The moment you start seeing logs flowing to Sentinel you can go back into event viewer, disable analytics on DNS for a second and change to overwrite logs as needed (set a 100-1000MB limit depending on the server load) and re-enable (needs a disable else it crashes). You will lose the view from event viewer but your server won't get filled with useless logs.
If you ever re-register/update the agent you need to mess with the DNS solution Config again on the workspace to make it work again btw!
Thank you all for your tips. In the end... a Lab and lots of trial/error did it. This solution certainly needs better documentation. If anyone from MS sees this I'd be glad to help while I have it recent and can reproduce for snapshots etc for your guide.
Best,
Andreas