SMB is one of the source types that can be added to the Logsign Unified SecOps Platform. If the product, device, or software you are using writes its logs to a file, the Logsign Unified SecOps Platform reads that file over SMB and provides you with the relevant results.
If you want to collect DNS logs from a Windows Server, you first need to enable DNS logging (the Debug Logging feature of the DNS server). You can enable it with the following steps:
1. Open Server Manager on Windows Server.
2. Click DNS on the left of the screen, then right-click the DNS server and open DNS Manager.
3. Right-click the DNS server and open Properties.
4. Open the Debug Logging tab, enable Log packets for debugging, select which packets you want to log, and set the log file path and name (the default path is C:\Windows\System32\dns\dns.log). If everything is OK, click Apply to save the changes.
After these steps, the DNS server configuration is complete.
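Before pointing the collector at the share, it is worth checking what the debug log actually contains. The following is an added example and not part of the Logsign documentation: a small Python parser for the PACKET lines the Windows DNS server writes to the dns.log path above, run over constructed sample lines. The field order follows the key the DNS server prints at the top of the log file; the optional AM/PM token is an assumption about the server locale.

```python
import re
from collections import Counter

# Constructed sample of the PACKET lines the Windows DNS debug log writes to dns.log.
SAMPLE_LOG = """\
3/13/2022 10:05:21 AM 0B1C PACKET  000001E3A7B2F3C0 UDP Rcv 192.168.1.50    0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
3/13/2022 10:05:21 AM 0B1C PACKET  000001E3A7B2F3C0 UDP Snd 192.168.1.50    0002 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
3/13/2022 10:05:22 AM 0B1C PACKET  000001E3A7B2F400 UDP Rcv 192.168.1.77    0003   Q [0001   D   NOERROR] A      (6)xj7q2k(7)example(3)com(0)
3/13/2022 10:05:22 AM 0B1C PACKET  000001E3A7B2F400 UDP Snd 192.168.1.77    0003 R Q [8083   DR  NXDOMAIN] A      (6)xj7q2k(7)example(3)com(0)
"""

# The AM/PM token is optional because it depends on the server locale (assumption).
PACKET_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)(?:\s+(?P<ampm>AM|PM))?\s+"
    r"(?P<thread>[0-9A-Fa-f]+)\s+PACKET\s+(?P<pkt>[0-9A-Fa-f]+)\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<ip>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]{4})\s+(?P<qr>R)?\s*(?P<opcode>[QNU?])\s+"
    r"\[(?P<flags_hex>[0-9A-Fa-f]{4})\s*(?P<flags>[ATDR]*)\s+(?P<rcode>\w+)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)
LABEL_RE = re.compile(r"\((\d+)\)([^(]*)")

def decode_name(qname):
    """(3)www(7)example(3)com(0) -> 'www.example.com'. A label whose length
    prefix does not match its text means a truncated or corrupted line."""
    labels = []
    for length, text in LABEL_RE.findall(qname):
        if int(length) != len(text):
            raise ValueError("bad label length in %r" % qname)
        if text:
            labels.append(text)
    return ".".join(labels) if labels else "."

def parse_line(line):
    """Fields of one PACKET line, or None for header/blank/non-packet lines."""
    m = PACKET_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["is_response"] = rec.pop("qr") == "R"
    rec["qname"] = decode_name(rec["qname"])
    return rec

def nxdomain_by_client(lines):
    """NXDOMAIN answers sent per client IP: a quick view of what the collector will ingest."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["is_response"] and rec["dir"] == "Snd" and rec["rcode"] == "NXDOMAIN":
            counts[rec["ip"]] += 1
    return counts
```

Running it over a real dns.log (for example, `nxdomain_by_client(open(path).readlines())`) gives a quick indication of whether the share exposes the expected packet detail before the collector is configured.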
Now you can add your DNS server as a source on the Logsign Unified SecOps Platform:
1. Go to Settings → Data Collection, then click + Device.
2. Select SMB.
3. You can either enter Administrator credentials or create a local user. If you create a local user, go to the DNS log folder and share it with that user; you must also add the user under the Security tab of the same sharing screen. A dedicated local user with read-only access to the shared folder is the least-privileged option.
The remote host includes the following information:
- Host: The IP address for the remote DNS server.
- Username: Administrator (or the local user you created).
- Password: The password for that account.
- Workgroup: The network workgroup name.
4. Under Directory Tree, make sure to select the C:\Windows\System32\dns\ folder that contains the DNS server's log file.
5. Under that, enter the following information for proper log collection.
Vendor: Specify the brand of the system you are collecting from. Choose Microsoft, because you are collecting from a Windows operating system.
Product: Specify the product. Select DNS Server, because you are collecting from the DNS Server on Windows.
Then click the Save Pattern button to save the settings.
Please note that you can add multiple patterns.
Read Static Files: When you tick this box, all files in the shared folder are read.
Period: Determines how often logs are taken from the source. Specify the value in minutes; the default is thirty (30) minutes.
EPS: EPS stands for Events Per Second. It refers to the amount of data that reaches the Logsign Unified SecOps Platform from the products on your network, such as Intrusion Detection Systems, hardware or software firewalls, servers, switches and routers. In the Logsign Unified SecOps Platform, the EPS value defaults to one thousand (1000) in this configuration, which is normal.
Please note that if you think the EPS value on your system is high, you should contact the Logsign Customer Support Unit.
Data Policy: You can filter incoming data in or out. In the Data Policy section, you specify the kinds of logs (a word, an event type, etc.) that you do or do not want to receive from the source. The default setting is the Default Policy, whose default rule is "collect all logs."
Offset: In short, a "time difference." If the system time of the source you are collecting from runs ahead of or behind the real time, you can correct it here. The "+" symbol moves the time forward and "-" moves it backward. The value is specified in minutes.
Check Health: Tick this box to be informed about the service and operability of the Logsign Unified SecOps Platform. When you tick it, the Health Check Period field appears; this is the interval at which the check is performed.
Description: Enter a descriptive name that reflects the configuration you made (for example, DNS 1). It helps the people who analyze the logs. Think of the Description field as a source-specific area.
Tag: Slightly different from the Description field, a tag can be used for a broader purpose. For example, if you use multiple servers and define their tags as DNS1 and DNS2, you can query by tag and make tag-based definitions when creating a report. If you want to query an event, you get a narrower result when you search by the DNS1 tag.
If everything is OK, click the Save button; the Logsign Unified SecOps Platform will then collect DNS logs from your DNS server.