000035864 - How to collect DNS Server logs through WINRM integration in RSA Netitness

Document created by RSA Customer Support Employee on Jan 25, 2018
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000035864
Applies To

RSA Product Set:- Netwitness
RSA Product/Service Type:- Log Collector
RSA Version/Condition: 10.5.x, 10.6.x
Platform: CentOS


As per the supported event source guide, DNS server logs are meant to be collected through File and Syslog integration method only. However, a customer might have a requirement to collect DNS server logs through winrm. DNS logs are generally part of a domain controller’s application channel.
See also https://community.rsa.com/docs/DOC-40246 


Though collecting the DNS logs from the windows application channel using winrm is not a supported collection method for Netwitness, the following steps can be used to setup DNS log collection via WinRM. Using this method may not provide full log message coverage and out of the box parsing is not supported. RSA makes no claim that this will work 100% of the time and Netwitness Support cannot assist with its troubleshooting. The customer would have to build a custom parser for any logs collected in this manner.

Note: It is strongly suggested to use the supported method for collecting DNS logs via the file reader (Netwitness supported) which would give more useful information from the out of the box parser.


1. Customer would require assistance from their Windows administrator in order to create a custom channel which includes the required DNS logs. 
2. Create a user account to be used with WinRM and add that user to “Event log Readers” group.
3. Execute the below command on the Windows server and you will see below output
C:\>wevtutil gl “DNS Server”

User-added image
4. Copy the SDDL String from the output produced by the Windows server. 
     Example: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;BO)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x3;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;S-1-5-33)

Note: The SDDL line is unique per event type and could be different on your system. Do not use the example string in the previous step.

5. Execute the command below by pasting the copied SDDL string from the above step, and append with the string, "(A;;0x1;;;S-1-5-32-573) "
C:\>wevtutil sl “DNS Service” /ca:existing-SDDL-string(A;;0x1;;;S-1-5-32-573)
This command will s(set) l(log) configuration of the various event log channels.
(A;;0x1;;;) is the SID of the “Event Log Readers” group. “A” is Allow. “0x1” provides Read Access to the channel.

Good article (External URL/Not RSA) with an explanation of the SDDL string is located here:- http://blogs.technet.com/b/janelewis/archive/2010/04/30/giving-non-administrators-permission-to-read-event-logs-windows-2003-and-windows-2008.aspx

This will help you in collecting DNS Server logs in Netwitness through the WINRM method