INSPIRA - Configuring Microsoft DNS Debug To QRadar SIEM - v1.0


Document Name        INSPIRA-Configuring Microsoft DNS Debug to QRadar SIEM
Document Version     1.0
Author (Name)        Suppala Sathwik
Proposed by          Neel Shah
Approver 1           Neel Shah – Head – Implementation
Approver 2           Vandit Pandya – Head - MSSP
Date of Release      15 May 2024
Review Period        Annually

Revision   Effective Date   Reason for Change
V1.0       15.05.2024       Initial document


INSPIRA-Configuring Microsoft DNS Debug to QRadar SIEM

The IBM QRadar DSM for Microsoft DNS Debug collects DNS debug log events from a Microsoft Windows DNS server. The WinCollect agent reads the debug log file that the DNS Server service writes and forwards the events to QRadar.

The following table describes the specifications for the Microsoft DNS Debug DSM: (table not carried over into this document)

To integrate Microsoft DNS Debug with QRadar, complete the following steps:
1. If automatic updates are not enabled, download and install the most recent version of the
following files from the IBM Support Website in the order that they are listed on your QRadar
Console:
• .sfs file for WinCollect
• DSMCommon RPM
• Microsoft DNS Debug RPM
2. Configure WinCollect to forward Microsoft DNS Debug events to QRadar. For more
information, see Log Sources for WinCollect agents in the IBM QRadar WinCollect User
Guide (https://www.ibm.com/docs/en/SS42VS_SHR/com.ibm.wincollect.doc/c_ug_wincollect_log_sources.html).
3. If QRadar does not automatically detect the log source, add a Microsoft DNS Debug log
source on the QRadar Console.
Enabling DNS debugging on Windows Server
Enable DNS debugging on Windows Server to collect information that the DNS server sends and
receives.

Before you begin

The DNS role must be installed on the Windows Server.

Important: DNS debug logging can affect system performance and disk space because it provides
detailed data about information that the DNS server sends and receives. Enable DNS debug logging
only when you require this information.

Procedure
1. Open the DNS Manager with the following command:
dnsmgmt.msc
2. Right-click the DNS server and click Properties.

3. Click the Debug Logging tab.

4. Select Log packets for debugging.

5. Enter the File path and name, and Maximum size.

Important: The File path and name must match the Root Directory and File Pattern that you
entered when the Microsoft DNS Debug log source was created in QRadar. If they differ, the
WinCollect agent never opens the file and no events arrive.

6. Click Apply and OK.
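The same configuration applied from PowerShell, followed by the check that the Important note asks for. This is an added example; it is not part of the original document and not IBM's or Microsoft's own code. It uses the DnsServer module cmdlets Set-DnsServerDiagnostics and Get-DnsServerDiagnostics. The log path C:\DNSLogs\dns.log, the 500 MB cap, and the Root Directory and File Pattern values are assumptions chosen for the example; replace them with the values you entered on the QRadar log source.

```powershell
# Added example, not from the original document: enable DNS debug packet logging from
# PowerShell with the same effect as the GUI steps above, then verify the result.
# Run in an elevated session on the DNS server; the DnsServer module ships with the role.
# ASSUMPTIONS (replace with your own values): log path, size cap, and the Root Directory /
# File Pattern that were entered on the QRadar Microsoft DNS Debug log source.
Import-Module DnsServer

$LogDir      = 'C:\DNSLogs'                 # assumed; the role's default is %SystemRoot%\System32\dns\dns.log
$LogFile     = Join-Path $LogDir 'dns.log'
$MaxBytes    = 500000000                    # the GUI "Maximum size" field is in bytes, despite the parameter name below
$RootDir     = 'C:\DNSLogs\'                # assumed Root Directory on the QRadar log source
$FilePattern = 'dns\.log'                   # assumed File Pattern (a regex) on the QRadar log source

if (-not (Test-Path -LiteralPath $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }

# "Log packets for debugging": request and response packets, UDP and TCP, sent and received.
# Every switch is explicit here; leave one at $false and that class of packet is silently never logged.
Set-DnsServerDiagnostics -EnableLoggingToFile $true -LogFilePath $LogFile -MaxMBFileSize $MaxBytes `
    -Queries $true -Answers $true -QuestionTransactions $true `
    -SendPackets $true -ReceivePackets $true -UdpPackets $true -TcpPackets $true `
    -EnableLogFileRollover $true

# Read back what the service actually applied rather than trusting the call.
$diag = Get-DnsServerDiagnostics
$diag | Select-Object EnableLoggingToFile, LogFilePath, MaxMBFileSize, Queries, Answers,
                      SendPackets, ReceivePackets, UdpPackets, TcpPackets | Format-List

# The check behind the Important note above: the file the service writes must be the one
# WinCollect polls, i.e. Root Directory plus a file name matching File Pattern.
$cfgDir  = (Split-Path -Path $diag.LogFilePath -Parent).TrimEnd('\')
$cfgName = Split-Path -Path $diag.LogFilePath -Leaf
if ($cfgDir -ieq $RootDir.TrimEnd('\') -and $cfgName -match ('^' + $FilePattern + '$')) {
    Write-Host "OK: $($diag.LogFilePath) matches Root Directory '$RootDir' and File Pattern '$FilePattern'"
} else {
    Write-Warning "Mismatch: DNS writes $($diag.LogFilePath); QRadar expects '$RootDir' + /$FilePattern/"
}

# Generate one query against this server and confirm the file exists and is growing.
Resolve-DnsName -Name example.com -Type A -Server 127.0.0.1 -ErrorAction SilentlyContinue | Out-Null
Start-Sleep -Seconds 2
Get-Item -LiteralPath $LogFile -ErrorAction SilentlyContinue | Select-Object FullName, Length, LastWriteTime
```

Two points the GUI hides. First, the DNS Server service writes the file and the WinCollect agent reads it, so the agent's service account needs read access to the directory; the file records every query the server handles, so restrict its ACL to those two accounts. Second, the performance warning above applies in full: with -Queries and -Answers both on, a busy resolver fills 500 MB quickly, and without -EnableLogFileRollover the service stops logging when the cap is reached.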

Microsoft DNS Debug sample event message

Use this sample event message to verify a successful integration with IBM QRadar.

Important: Due to formatting issues, paste the message format into a text editor and then
remove any carriage return or line feed characters.

Microsoft DNS Debug sample message when you use the Syslog protocol
The following sample event shows a DNS type A query.

Aug 01 07:46:17 microsoft.dns.test AgentDevice=WindowsDNS AgentLogFile=dns.log PluginVersion=192.168.63.93 Date=1/08/2019 Time=7:46:13 Thread ID=a.m. 0E40 Context=PACKET Message= Internal packet identifier=000000A018724240 UDP/TCP indicator=UDP Send/Receive indicator=Snd Remote IP=192.168.113.142 Xid (hex)=0f5f Query/Response=Q Opcode=Q Flags (hex)=0001 Flags (char codes)=D ResponseCode=NOERROR Question Type=A Question Name=d3hb14vkzrxvla.cloudfront.net
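To confirm on the server that dns.log holds what WinCollect will turn into events like the sample above, the following PowerShell parses raw packet lines from the debug log into the same field names. It is an added example, not part of the original document and not IBM's code. The two lines it parses are constructed for this example in the standard packet-line layout of the Windows DNS debug log; the host, addresses and identifiers are hypothetical. The sample above shows "a.m." landing in the Thread ID field, consistent with a server whose time format writes "a.m." rather than "AM"; the pattern below accepts either form.

```powershell
# Added example, not from the original document or from IBM: parse raw Windows DNS debug
# packet lines into the field names that WinCollect uses in the QRadar sample event.
# The two lines below are CONSTRUCTED for this example (hypothetical host and IDs) in the
# standard packet-line layout of dns.log; they were not taken from the page.
$SampleLines = @(
    '1/08/2019 7:46:13 AM 0E40 PACKET  000000A018724240 UDP Snd 192.168.113.142 0f5f   Q [0001   D   NOERROR] A      (14)d3hb14vkzrxvla(10)cloudfront(3)net(0)',
    '1/08/2019 7:46:13 AM 0E40 PACKET  000000A018724240 UDP Rcv 192.168.113.142 0f5f R Q [8081   DR  NOERROR] A      (14)d3hb14vkzrxvla(10)cloudfront(3)net(0)'
)

# The service writes names as length-prefixed labels, e.g. "(3)www(7)example(3)com(0)".
# Decode them and refuse a line whose label length does not match rather than guess.
function ConvertFrom-DnsDebugName {
    param([Parameter(Mandatory)][string]$Encoded)
    $labels = foreach ($m in [regex]::Matches($Encoded, '\((\d+)\)([^(]*)')) {
        $len   = [int]$m.Groups[1].Value
        $label = $m.Groups[2].Value
        if ($label.Length -ne $len) { throw "Malformed label in '$Encoded': expected $len chars, got '$label'" }
        if ($len -gt 0) { $label }
    }
    if (-not $labels) { return '.' }            # "(0)" alone is the root
    return ($labels -join '.')
}

# One packet line: date, time, thread, PACKET, packet id, protocol, direction, remote IP, xid,
# optional "R" (response; blank means query), opcode, [flags-hex flags-chars rcode], qtype, qname.
# The time token accepts "AM"/"PM" and "a.m."/"p.m." (the latter is what the page's sample shows).
$PacketLine = '^(?<Date>\S+)\s+(?<Time>\d{1,2}:\d{2}:\d{2}(?:\s+(?:[AP]M|[ap]\.m\.))?)\s+(?<Thread>[0-9A-Fa-f]+)\s+PACKET\s+' +
              '(?<PacketId>[0-9A-Fa-f]+)\s+(?<Proto>UDP|TCP)\s+(?<Dir>Snd|Rcv)\s+(?<RemoteIp>\S+)\s+(?<Xid>[0-9A-Fa-f]{4})\s+' +
              '(?<QR>R?)\s*(?<Opcode>\S)\s+\[(?<FlagsHex>[0-9A-Fa-f]{4})\s+(?<FlagsChar>[A-Z]*)\s+(?<Rcode>\S+)\]\s+' +
              '(?<QType>\S+)\s+(?<QName>\S+)\s*$'

function ConvertFrom-DnsDebugPacketLine {
    param([Parameter(Mandatory)][string]$Line)
    if ($Line -match $PacketLine) {
        $qr = if ($Matches.QR -eq 'R') { 'R' } else { 'Q' }   # blank in the file is reported as Q by WinCollect
        return [pscustomobject]@{
            'Date'                       = $Matches.Date
            'Time'                       = $Matches.Time
            'Thread ID'                  = $Matches.Thread
            'Internal packet identifier' = $Matches.PacketId
            'UDP/TCP indicator'          = $Matches.Proto
            'Send/Receive indicator'     = $Matches.Dir
            'Remote IP'                  = $Matches.RemoteIp
            'Xid (hex)'                  = $Matches.Xid
            'Query/Response'             = $qr
            'Opcode'                     = $Matches.Opcode
            'Flags (hex)'                = $Matches.FlagsHex
            'Flags (char codes)'         = $Matches.FlagsChar
            'ResponseCode'               = $Matches.Rcode
            'Question Type'              = $Matches.QType
            'Question Name'              = ConvertFrom-DnsDebugName $Matches.QName
        }
    }
    return $null    # header, blank and non-packet lines are skipped
}

$events = $SampleLines | ForEach-Object { ConvertFrom-DnsDebugPacketLine $_ } | Where-Object { $_ }
$events | Format-List 'Send/Receive indicator', 'Remote IP', 'Query/Response', 'ResponseCode', 'Question Type', 'Question Name'

# On a live server, point it at the file QRadar polls and list the busiest names:
#   Get-Content 'C:\DNSLogs\dns.log' -Tail 500 | ForEach-Object { ConvertFrom-DnsDebugPacketLine $_ } | Where-Object { $_ } |
#       Group-Object 'Question Name' | Sort-Object Count -Descending | Select-Object -First 20 Count, Name
```

Read the direction columns together before building rules on Remote IP. Snd with Query/Response=Q, as in the sample above, is this server sending its own recursive or forwarded query to 192.168.113.142, not a client asking for the name; a client request appears as Rcv with Q, and the server's answer to that client as Snd with R. Rules that treat every Remote IP as a client will attribute the resolver's upstream traffic to the wrong host.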
