I did something similar at a previous company, keep in mind that this was before ArcSight had a connector for this so I was making this up as I went along.

Using RedHat boxes with Samba client, I mapped a drive to the remote DNS servers that the MS admins created for me.  I would make sure the higher usage DNS servers were not all on the same VM.   I then setup a script that tails all of those logs across the enterprise and converted into CEF using perl.   That was 2009 and over 60 DNS servers.

Today I would do the same with the ArcSight MS Dns Trace or a Flex connector.  Set up the shares pull/tail the logs into a couple of local log files and have multiple connectors reading those logs.

This saves you in two places.  One you don't have to install connectors on your DNS servers.  Two you can have better control of the connectors when they are not on corporate infrastructure.  With this method, even on our busiest DNS servers, the admins of those boxes did not notice any performance impact. 

Hope this helps, I don't have any of the code but its a start.  ArcSight Support would probably not support this in anyway but its my hack and it worked for the three plus years I was there.

Hello Eric,

We are brainstorming in the same way but now that a SmartConnector exists, we would like to use it of course... Thank you for your feedback!

Hi,

There's a new connector now for Multiple Log files, but i'm facing an issue with it. I get "Folder [xyz] does not exist"

Any ideas?

Mustapha,

Have you gone through these troubleshooting steps in the SmartConnector documentation?

Hopefully one of these steps solves the issue.