000035864 - How to collect DNS Server logs through WINRM integration in RSA NetWitness

Document created by RSA Customer Support Employee on Jan 25, 2018. Last modified by RSA Customer Support Employee on Mar 26, 2019.
Version 3

Article Content

Article Number: 000035864
Applies To

RSA Product Set: Security Analytics, NetWitness Logs & Network
RSA Product/Service Type: Log Collector
RSA Version/Condition: 10.5.x, 10.6.x
Platform: CentOS


As per the supported event source guide, DNS Server logs are meant to be collected through the File and Syslog integration methods only. However, a customer might have a requirement to collect DNS Server logs through WinRM. DNS logs are generally written to a dedicated channel on the domain controller rather than to the standard Application channel.
See the "Microsoft Windows DNS Event Source Configuration Guide" (https://community.rsa.com/docs/DOC-40246).


Though collecting the DNS logs from the Windows DNS Server channel using WinRM is not a supported collection method for RSA NetWitness, the following steps can be used to set up DNS log collection via WinRM. Using this method may not provide full log message coverage, and out-of-the-box parsing is not supported. RSA makes no claim that this will work 100% of the time, and RSA NetWitness Support cannot assist with its troubleshooting. The customer would have to build a custom parser for any logs collected in this manner.

Note: It is strongly suggested to use the supported method for collecting DNS logs via the File Reader (RSA NetWitness supported), which would provide more useful information from the out of the box parser.

  1. The customer would require assistance from their Windows administrator in order to create a custom channel which includes the required DNS logs.
  2. Create a user account to be used with WinRM and add that user to the "Event Log Readers" group.
  3. Execute the command below on the Windows server. The output lists the channel's configuration, including its channelAccess line:

    C:\>wevtutil gl "DNS Server"

    [Image: output of wevtutil gl "DNS Server", showing the channelAccess SDDL string]
  4. Copy the SDDL string from the channelAccess line of the output produced by the Windows server.


    Note: The SDDL line is unique per event channel and could be different on your system. Do not use the example string in the previous step.

  5. Execute the command below, pasting the copied SDDL string from the previous step and appending the string "(A;;0x1;;;S-1-5-32-573)" to it. Example:

C:\>wevtutil sl "DNS Server" /ca:existing-SDDL-string(A;;0x1;;;S-1-5-32-573)

The above command sets the channel access (the SDDL that controls who may read and write the channel) of the named event log channel; repeat it for each channel you need to collect.

"(A;;0x1;;;S-1-5-32-573)" is the ACE being added: "A" is Allow, "0x1" grants Read access to the channel, and "S-1-5-32-573" is the well-known SID of the built-in "Event Log Readers" group.
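The manual gl/copy/sl sequence from steps 3 to 5, as an added example script that is not part of the RSA article. It runs from an elevated PowerShell prompt, reads the channel's current channelAccess string, and appends the Event Log Readers ACE only if it is missing, so it can be re-run safely; it also goes slightly beyond the text by inserting the ACE before any SACL ("S:") part so that the ACE stays inside the DACL. The channel name and ACE are parameters and default to the values used above.

```powershell
# Added example (not RSA's code): grant "Event Log Readers" read access to a
# channel the same way the wevtutil gl / wevtutil sl steps above do.
param(
    [string]$Channel = 'DNS Server',
    # Allow ACE: read (0x1) for BUILTIN\Event Log Readers (S-1-5-32-573)
    [string]$ReaderAce = '(A;;0x1;;;S-1-5-32-573)'
)

# Step 3: read the channel configuration from the server
$config = wevtutil gl $Channel
if ($LASTEXITCODE -ne 0) { throw "wevtutil gl '$Channel' failed (exit $LASTEXITCODE)" }

# Step 4: pull the existing SDDL out of the channelAccess line
$sddl = $null
foreach ($line in $config) {
    if ($line -match '^\s*channelAccess:\s*(.+)$') { $sddl = $Matches[1].Trim(); break }
}
if (-not $sddl) { throw "No channelAccess line found for '$Channel'" }
Write-Host "Current SDDL for '$Channel':`n  $sddl"

# Idempotency check: the ACE may already be present from an earlier run
if ($sddl -imatch [regex]::Escape($ReaderAce)) {
    Write-Host 'Event Log Readers already has read access; nothing to do.'
    return
}

# Step 5: append the ACE to the DACL of the string that was actually read
# (never to a copied example string). If a SACL ("S:") follows the DACL,
# insert before it so the ACE lands in the DACL.
$daclStart = $sddl.IndexOf('D:')
if ($daclStart -lt 0) { throw "SDDL for '$Channel' has no DACL (D:) section" }
$saclStart = $sddl.IndexOf('S:', $daclStart)
if ($saclStart -gt 0) { $newSddl = $sddl.Insert($saclStart, $ReaderAce) }
else                   { $newSddl = $sddl + $ReaderAce }
Write-Host "Setting SDDL to:`n  $newSddl"

wevtutil sl $Channel "/ca:$newSddl"
if ($LASTEXITCODE -ne 0) { throw "wevtutil sl '$Channel' failed (exit $LASTEXITCODE)" }

# Re-read the channel so the change is confirmed, not assumed
$verify = wevtutil gl $Channel | Where-Object { $_ -match '^\s*channelAccess:' }
Write-Host "Verified: $verify"
```

Run it once per channel you intend to collect (for example `.\Grant-ChannelRead.ps1 -Channel 'DNS Server'`), and keep the printed "Current SDDL" line as a record of the pre-change value in case the change needs to be reverted.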

A good article (external URL, not RSA) with an explanation of the SDDL string format is located here: http://blogs.technet.com/b/janelewis/archive/2010/04/30/giving-non-administrators-permission-to-read-event-logs-windows-2003-and-windows-2008.aspx

This will help you in collecting DNS Server logs in RSA NetWitness through the WinRM method.