Microsoft DNS Server

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai Help Center and we shall get it updated.

Use this document to install and configure the Filebeat agent to send Microsoft DNS Server logs to Samurai using the Samurai Local Collector deployed in your network.

To complete this Integration you will need to:

1. Ensure the Samurai Logstash Integration is installed on the desired local collector
2. Ensure correct network connectivity
3. Download & Install Filebeat
4. Configure & Enable Microsoft DNS Server Debug Logging
5. Configure & Start Filebeat

This guide is based on the premise of a single Samurai Local Collector installation with deployment of a single Windows host with the DNS Server service enabled and configured. Repeat these steps outlined in this guide for each Microsoft DNS Server and site.

Ensure the Samurai Logstash Integration is installed on the desired local collector

Verify in the Samurai Application that the Samurai Logstash Integration is installed on the desired Samurai Local Collector:

1. Login to the Samurai MDR web application.
2. Click Integrations from the main menu.
3. Verify that an integration with Product set to the value Logstash exists on the desired collector. 
4. Note down the IP address of the Samurai Local Collector.  Click on the integration and then on the Collector name - this will take you to the Collector details where you will find the IP address. This will be used later when configuring the Beat-agent. 
   
   If no Logstash integration has been installed, use the following guide to have it installed: Samurai Logstash Integration.

Ensure correct network connectivity

You must ensure the following connectivity requirements are fulfilled:

Download & Install Filebeat

Perform the steps outlined in Step 1: Install Filebeat as per the vendor documentation.

 Make sure to click the Windows tab for OS selection.

Configure & Enable Microsoft DNS Server Debug Logging

 All steps up until Step 4 can be ignored if DNS Server debug logging have already been enabled and configured.

1. Follow the steps outlined in To select and enable debug logging options on the DNS server as per the vendor documentation.
2. Keep default configuration for Packet direction & Packet Contents.
   
   Figure 1 – Example of default configuration once "Log packets for debugging" have been enabled.
   
3. Configure an appropriate log location and name of the log file as well as a suitable Maximum Size (bytes) according to your system needs.
4. Note down the file path that has been configured, this will be used later in the section Configure & Start Filebeat.

Configure & Start Filebeat

1. Access the Filebeat installation folder and open and edit the file filebeat.yml.
2. Modify the below template by replacing the section IP_OF_LOCAL_COLLECTOR with the IP address of the Samurai Local Collector running the Samurai Logstash Integration collected during the step Ensure the Samurai Logstash Integration is installed on the desired local collector.
3. Modify the paths section of the template to use the path that was configured for the DNS Server debug log file location from Configure & Enable Microsoft DNS Server Debug Logging.
   Follow the vendor documentation when configuring the paths section.
   

   # ============================== Filebeat inputs ===============================
   filebeat.inputs:
   - type: filestream
   id: win_dns_server
   enabled: true
   paths:
   - 'C:\dns_logs\*'
   include_lines: ['^\d{1,4}.\d{1,2}.\d{1,4}\s.*?$']
   tags: [win_dns_server]
   
   # ------------------------------ Logstash Output -------------------------------
   output.logstash:
   hosts: ["IP_OF_LOCAL_COLLECTOR:5044"]

4. Replace the default configuration of filebeat.yml with the modified template and save the file.
5. Perform the steps outlined in Step 5: Start Filebeat as per the vendor documentation to start the service.
    Make sure to click the Windows tab for OS selection.