Idea ID: 2877620

DNS Analytics Logs not supported by ArcSight SmartConnector version 8.4

Status: New Idea

Hi Team,

We tried to pull the DNS Analytical logs from Microsoft Windows 2019 using the Windows Native connector, SmartConnector version 8.4.2.

But we are not able to receive the events.

After enabling the DNS events, they were written to the path below in .etl format.

%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-DNSServer%4Analytical.etl

First observation - After analyzing the logs, we found that the log format of the DNS Analytics logs was "*.etl", which is not supported by ArcSight.

Second observation - We changed it to .evtx on the DNS server, but it was not loading into Event Viewer, so we are still not able to read the logs using the custom field "Microsoft-Windows-DNSServer/Analytical".

Third observation - After getting a message on the DNS server, we stopped logging to see the events in Event Viewer, and after that we started receiving the logs on ESM and Logger.

ISSUE - .evtx logs are supported by the SmartConnector, but after changing to .evtx the logs do not load into Event Viewer, and the SmartConnector can read logs from Event Viewer only.

Support required from ArcSight team - Please add a feature to the SmartConnector to read .etl files as well, so it can read the DNS Analytics logs, or check how we can continuously load .evtx logs into Event Viewer; either way would help a lot of customers overcome this situation.

Regards,

Amresh Kumar

M +91-9871002123
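An added example, not part of the idea post above and not ArcSight or Microsoft code: a PowerShell script that inspects the DNS Analytical log described in the post, reads its events directly from the .etl file, and converts a snapshot to .evtx and CSV so a collector that cannot read .etl can still ingest it. The log name and .etl path are the ones in the post; the export directory C:\DnsAnalyticExport is an assumed location. It also makes the behaviour in the third observation explicit: Analytical logs are ETW trace sessions, and the Windows Event Log API (and therefore Event Viewer) only exposes their contents once the log is disabled, while Get-WinEvent can read the .etl file itself at any time with -Oldest.

```powershell
# Added example (not from the original post). Assumes Windows Server 2019 with the
# DNS Server role and an elevated PowerShell session on the DNS server.

$LogName   = 'Microsoft-Windows-DNSServer/Analytical'                           # from the post
$EtlPath   = Join-Path $env:SystemRoot 'System32\Winevt\Logs\Microsoft-Windows-DNSServer%4Analytical.etl'  # from the post
$ExportDir = 'C:\DnsAnalyticExport'                                             # assumed export location

# 1. Show how the log is configured. LogType 'Analytical' means an ETW trace session
#    writing to .etl; while IsEnabled is $true, Event Viewer will not display the log
#    (the "stop logging" prompt in the post), but the .etl file can still be read.
$cfg = Get-WinEvent -ListLog $LogName -ErrorAction Stop
[pscustomobject]@{
    LogName     = $cfg.LogName
    LogType     = $cfg.LogType
    IsEnabled   = $cfg.IsEnabled
    LogFilePath = $cfg.LogFilePath
    MaxSizeMB   = [math]::Round($cfg.MaximumSizeInBytes / 1MB, 1)
} | Format-List

# 2. Take a snapshot of the .etl so a later rotation does not change it under us,
#    then read it. -Oldest is required by Get-WinEvent for .etl files and analytic logs.
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
$snapshot = Join-Path $ExportDir 'DNSServer-Analytical-snapshot.etl'
Copy-Item -Path $EtlPath -Destination $snapshot -Force

$events = @(Get-WinEvent -Path $snapshot -Oldest -ErrorAction Stop)
"Events in snapshot: $($events.Count)"

# Quick view of which DNS analytic event IDs are present (useful to confirm the
# query/response events are actually being written before chasing the collector).
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{n='EventId';e={$_.Name}}, Count | Format-Table -AutoSize

# 3. Flatten to CSV for a file-reading collector. Message is the rendered text;
#    the raw fields stay available via $_.Properties if a parser needs them.
$csv = Join-Path $ExportDir 'DNSServer-Analytical.csv'
$events |
    Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message |
    Export-Csv -Path $csv -NoTypeInformation -Encoding UTF8

# 4. Convert the same snapshot to .evtx with the built-in tracerpt tool, so the
#    export can be opened in Event Viewer or ingested by an EVTX-capable collector.
$evtx = Join-Path $ExportDir 'DNSServer-Analytical.evtx'
& "$env:SystemRoot\System32\tracerpt.exe" $snapshot -of EVTX -o $evtx -y
"Wrote $csv and $evtx"
```

Run it on a schedule (for example a scheduled task every few minutes) if the goal is near-continuous collection: each run snapshots the current .etl and produces a fresh .evtx and CSV in the export directory, which keeps the Analytical log enabled instead of having to stop logging, as the post describes, just to make the events visible.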