RSA Product Set: Security Analytics, NetWitness Logs & Network
As per the supported event source guide, DNS server logs are supported for collection through the File and Syslog integration methods only. However, a customer might have a requirement to collect DNS server logs through WinRM. DNS logs are generally part of a domain controller’s Application channel.
Though collecting the DNS logs from the Windows Application channel using WinRM is not a supported collection method for RSA NetWitness, the following steps can be used to set up DNS log collection via WinRM. Using this method may not provide full log message coverage, and out-of-the-box parsing is not supported. RSA makes no claim that this will work 100% of the time, and RSA NetWitness Support cannot assist with its troubleshooting. The customer would have to build a custom parser for any logs collected in this manner.
The above command will set the log configuration of the various event log channels.
(A;;0x1;;;) is the SDDL access control entry (ACE) for the “Event Log Readers” group, with that group’s SID in the last field. “A” is Allow. “0x1” provides Read access to the channel.
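The following PowerShell script is an added example, not the command from this article: it resolves the Event Log Readers SID, appends the Allow/Read ACE described above to a channel's existing channelAccess SDDL with wevtutil, and re-reads the channel to confirm the ACE was stored. The channel name (default Application, as the article describes) is an assumption; the DNS Server role also has its own "DNS Server" channel, so run it against whichever channel holds the events.

```powershell
# Added example, not RSA's own command: grant BUILTIN\Event Log Readers read
# access (A = Allow, 0x1 = Read) on an event log channel so a WinRM collection
# account in that group can read it. Run from an elevated prompt on the DNS
# server / domain controller. Channel name is an assumption; the article
# describes the Application channel, the DNS Server role also writes a
# "DNS Server" channel (list channels with: wevtutil el).
param(
    [string]$Channel = 'Application'
)

# Resolve the group's SID at run time rather than hard-coding it.
$account = New-Object System.Security.Principal.NTAccount('BUILTIN', 'Event Log Readers')
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$ace     = "(A;;0x1;;;$sid)"   # the ACE explained in the article, SID filled in

function Get-ChannelSddl([string]$Name) {
    # "wevtutil gl" prints one "channelAccess: <SDDL>" line among the channel settings.
    $out = wevtutil gl $Name
    if ($LASTEXITCODE -ne 0) { throw "Channel '$Name' not found; list channels with: wevtutil el" }
    $line = $out | Where-Object { $_ -like 'channelAccess:*' } | Select-Object -First 1
    return ($line -replace '^channelAccess:\s*', '').Trim()
}

$current = Get-ChannelSddl $Channel
if (-not $current) { throw "Channel '$Channel' has no explicit channelAccess SDDL; inspect it before changing it." }
if ($current -like "*$ace*") {
    Write-Host "Read ACE for Event Log Readers is already present on '$Channel'."
    return
}

# Append the ACE at the end of the DACL (D: section), before any SACL (S: section).
$dacl = $current.IndexOf('D:')
if ($dacl -lt 0) { throw "No DACL section in SDDL: $current" }
$sacl = $current.IndexOf('S:', $dacl)
$new  = if ($sacl -ge 0) { $current.Insert($sacl, $ace) } else { $current + $ace }

Write-Host "Before: $current"
Write-Host "After : $new"
wevtutil sl $Channel /ca:$new
if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed for '$Channel'" }

# Confirm the ACE was stored. The real test is reading an event as the WinRM
# collection account, e.g. Get-WinEvent -LogName $Channel -MaxEvents 1
if ((Get-ChannelSddl $Channel) -notlike "*$ace*") { throw "ACE was not applied to '$Channel'" }
Write-Host "Verified: Event Log Readers can now read '$Channel'."
```

Run the final Get-WinEvent check under the actual collection account, since membership in Event Log Readers only takes effect for that account after its next logon.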
This will help you collect DNS Server logs in RSA NetWitness through the WinRM method.