RSA Product Set: NetWitness
As per the supported event source guide, DNS server logs are meant to be collected through the File and Syslog integration methods only. However, a customer might have a requirement to collect DNS server logs through WinRM. DNS logs are generally part of a domain controller's application channel.
Though collecting the DNS logs from the Windows application channel using WinRM is not a supported collection method for NetWitness, the following steps can be used to set up DNS log collection via WinRM. Using this method may not provide full log message coverage, and out-of-the-box parsing is not supported. RSA makes no claim that this will work 100% of the time, and NetWitness Support cannot assist with its troubleshooting. The customer would have to build a custom parser for any logs collected in this manner.
1. The customer will need assistance from their Windows administrator to create a custom channel that includes the required DNS logs.
4. Copy the SDDL String from the output produced by the Windows server.
Note: The SDDL line is unique per event type and could be different on your system. Do not use the example string in the previous step.
5. Execute the command below, pasting in the SDDL string copied in the previous step and appending the string "(A;;0x1;;;S-1-5-32-573)" to it.
This enables collection of DNS Server logs in NetWitness through the WinRM method.
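
One way to script steps 4 and 5, as an added example that is not taken from the original article or from RSA: it assumes the built-in `wevtutil` tool is used to read and set the channel's access descriptor, and the function names and the channel name `Custom-DNS/Operational` are hypothetical placeholders. The appended ACE grants read access (0x1) to the built-in Event Log Readers group (S-1-5-32-573); the helper places it at the end of the DACL so it does not end up inside a trailing SACL section, and it skips the change if the ACE is already present.

```powershell
# Added example (not RSA's command). Function names are hypothetical and
# 'Custom-DNS/Operational' is a placeholder for the channel from step 1.
function Add-EventLogReadersAce {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [string]$Ace = '(A;;0x1;;;S-1-5-32-573)'   # ACE string given in step 5
    )
    # Idempotent: leave the descriptor alone if the ACE is already there.
    if ($Sddl.Contains($Ace)) { return $Sddl }
    # head = owner/group plus DACL, tail = optional SACL ("S:..."). Inserting
    # between them keeps the ACE in the DACL even when a SACL follows.
    if ($Sddl -cmatch '^(?<head>.*?D:[A-Z]*(?:\([^)]*\))+)(?<tail>.*)$') {
        return $Matches.head + $Ace + $Matches.tail
    }
    throw "No DACL with at least one ACE found in: $Sddl"
}

function Grant-ChannelRead {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Channel)

    # Step 4: 'wevtutil gl' prints the channel config, including channelAccess.
    $hit = wevtutil gl $Channel |
        Select-String -Pattern '^\s*channelAccess:\s*(\S+)' |
        Select-Object -First 1
    if (-not $hit) { throw "No channelAccess SDDL reported for '$Channel'" }
    $current = $hit.Matches[0].Groups[1].Value

    # Step 5: write the descriptor back with the extra ACE.
    $updated = Add-EventLogReadersAce -Sddl $current
    if ($updated -ceq $current) { return $current }
    if ($PSCmdlet.ShouldProcess($Channel, "set channelAccess to $updated")) {
        wevtutil sl $Channel "/ca:$updated"
        if ($LASTEXITCODE -ne 0) { throw "wevtutil sl exited with $LASTEXITCODE" }
    }
    return $updated
}

# Preview the change without applying it:
# Grant-ChannelRead -Channel 'Custom-DNS/Operational' -WhatIf
```

Run it from an elevated session on the server that hosts the channel, and keep a copy of the original SDDL string so the descriptor can be restored.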