Absent Member.

DNS Analytic Event Connector?

Does anyone have any experience setting up a connector to grab these logs, "DNS ANALYTIC EVENTS"? Our sysadmins mentioned this as an alternative to getting the "performance hitting" DNS Debug logs. The question is, can we get it into ArcSight? Here is a link w/more info -- DNS Logging and Diagnostics

19 Replies

Absent Member.

Trying to refresh this thread and get some feedback. Has anyone heard of this? Working with it?

any info would be most helpful!

Micro Focus Expert

Stay tuned.....

Absent Member.

thanks, any info at all would be greatly appreciated!

Lieutenant

Anyone have luck with this?

Fleet Admiral

Currently we don't process these logs that easily, but with the latest generation WINC (Windows Native Connector), we now support access to all Event Log folders and logs. We had a certain amount of capability to process custom logs in the Event Log in the past, but it was somewhat restricted and limited.

However, with the WINC we now have the capability to read this, but please note that you will need to create a FlexConnector for the connector itself. It's not easy, but it can be done. It's detailed in the documentation, and what to do on this is here -

Lieutenant

Thank you. I did use the SmartConnector for Microsoft Windows Event Log - Native for reference and I have some questions. You mentioned using a Flex Connector, but then I wouldn't be using the connector Microsoft Windows Event Log - Native. So I'm assuming I use the Native connector and add a custom log (?). If that is true, then am I following the "Create and Deploy Your Own Parser" section?

Fleet Admiral

Yes, you are correct - use the "create and deploy your own parser" section of the WinC documentation. It's basically what we call a sub-parser in the connector framework, and all connectors support this. Basically you are adding a little extra to the standard parser to process the currently unparsed data.

Confusing I know, but we will be adding a lot more to the WinC over time and supporting many more sources and formats, but getting the technology right was the critical thing.

Lieutenant

If I could trouble you one more time. I see in the guide to configure parsing that the config file should follow this path and file name: \{Normalized Channel}\{Normalized ProviderName}.sdkkeyvaluefilereader.properties. In this case the channel field from the event is Microsoft-Windows-DNSServer/Analytical. I've tried to normalize it...

  • microsoft_windows_dnsserver
  • microsoft_windows_dnsserver\analytical  (analytical is a sub directory)
  • microsoft_windows_dnsserver_analytical

This is the name of my properties file microsoft_windows_dnsserver.sdkkeyvaluefilereader.properties and this is my format (not sure if that is correct as well).  Any help you could provide is appreciated.

key.delimiter=&&
key.value.delimiter==
key.regexp=([^&=]+)
event.deviceVendor=__getVendor("Microsoft")
conditionalmap.count=1
conditionalmap[0].field=event.externalId
conditionalmap[0].mappings.count=2
# DNS Event 256
conditionalmap[0].mappings[0].values=256
conditionalmap[0].mappings[0].event.flexString1=
conditionalmap[0].mappings[0].event.data=TCP
conditionalmap[0].mappings[0].event.data=InterfaceIP
conditionalmap[0].mappings[0].event.data=Destination
# DNS Event 257
conditionalmap[0].mappings[1].values=257
conditionalmap[0].mappings[1].event.flexString1=
conditionalmap[0].mappings[1].event.data=TCP
conditionalmap[0].mappings[1].event.data=InterfaceIP
conditionalmap[0].mappings[1].event.data=Destination

Vice Admiral

Hi Manny,

The correct path for the subparser should be *\current\user\agent\fcp\winc\microsoft_windows_dnsserver_analytical\microsoft_windows_dnsserver.sdkkeyvaluefilereader.properties.

Apart from that, I think your key.delimiter and key.value.delimiter are not correct. Taking a look at the raw event of one of these events, we can see the following:

"{""System"":
  {""EventId"":""257"",
  ""Version"":""0"",
  ""Channel"":""Microsoft-Windows-DNSServer/Analytical"",
  ""ProviderName"":""Microsoft-Windows-DNSServer"",
  ""Computer"":""hbwenfi.lab.net"",
  ""EventRecordID"":""579"",
  ""Keywords"":""2"",
  ""Level"":""Information"",
  ""Opcode"":""Info"",
  ""Task"":""LOOK_UP"",
  ""ProcessID"":""1512"",
  ""ThreadID"":""1616"",
  ""TimeCreated"":""1443452446998"",
  ""UserId"":""NT AUTHORITY\\SYSTEM""},
  ""EventData"":
  {""TCP"":""0"",
  ""InterfaceIP"":""1.1.1.1"",
  ""Destination"":""2.2.2.2"",
  ""AA"":""1"",
  ""AD"":""0"",
  ""QNAME"":""_ldap._tcp.lab.net."",
  ""QTYPE"":""6"",
  ""XID"":""31426"",
  ""DNSSEC"":""0"",
  ""RCODE"":""0"",
  ""Port"":""62131"",
  ""Flags"":""33936"",
  ""Scope"":""Default"",
  ""Zone"":""lab.net"",
  ""BufferSize"":""162"",
  ""PacketData"":""7ACdfgsdgvdf669727475616C6C6162036dfdsafd6F00000038400000258000004B00000012CC055000100010000012C0004AC1A127C0000290000000""}}"

My parser so far is as follows:

key.delimiter=,
key.value.delimiter=:
key.regexp=""([^&=]+)""
trim.tokens=true
trim.message=true
trim.keys=true
event.deviceVendor=__getVendor("Microsoft")
event.deviceProduct=__stringConstant("DNS server")
conditionalmap.count=1
conditionalmap[0].field=event.externalId
conditionalmap[0].mappings.count=2
conditionalmap[0].mappings[0].values=256
conditionalmap[0].mappings[0].event.name=__stringConstant("Evento 256")
conditionalmap[0].mappings[1].values=257
conditionalmap[0].mappings[1].event.name=__stringConstant("Response Success")
conditionalmap[0].mappings[1].event.requestUrl=QNAME

I've managed to set event.name based on ID, but I'm still stuck trying to get the values for the rest of the fields (right now, trying to get requestUrl).

Any help would also be really appreciated here.

Regards,

Gabriel Crespo
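To make concrete what the subparser above has to pull out of that raw event, here is an added Python example; it is not the connector's code and not the attachment from this thread. It flattens a constructed WinC-style event (CSV-escaped JSON, placeholder addresses) into the keys the mapping references, derives the subparser directory name from the Channel the same way the thread's path does, and applies the 256/257 conditional mapping. The name for event 256 is an assumption, since the thread only names 257.

```python
import json
import re

# Constructed raw event modelled on the one quoted in the thread (placeholder host/IPs).
RAW_EVENT = (
    '"{""System"":{""EventId"":""257"",""Channel"":""Microsoft-Windows-DNSServer/Analytical"",'
    '""ProviderName"":""Microsoft-Windows-DNSServer"",""Computer"":""dns01.example.test""},'
    '""EventData"":{""TCP"":""0"",""InterfaceIP"":""192.0.2.10"",""Destination"":""192.0.2.20"",'
    '""QNAME"":""_ldap._tcp.example.test."",""QTYPE"":""6"",""RCODE"":""0"",""Port"":""62131""}}"'
)

# Assumed event names: the thread only gives "Response Success" for 257.
EVENT_NAMES = {"256": "Query Received", "257": "Response Success"}


def normalize(name: str) -> str:
    """Lower-case and turn every non-alphanumeric run into '_' (Channel -> directory name)."""
    return re.sub(r"[^a-z0-9]+", "_", name.lower()).strip("_")


def subparser_path(channel: str, provider: str) -> str:
    """Relative path of the sdkkeyvaluefilereader subparser for a Channel/Provider pair."""
    return f"fcp/winc/{normalize(channel)}/{normalize(provider)}.sdkkeyvaluefilereader.properties"


def flatten(raw: str) -> dict:
    """Strip the outer CSV quotes, collapse doubled quotes, and merge System and EventData."""
    text = raw.strip()
    if text.startswith('"') and text.endswith('"'):
        text = text[1:-1]
    obj = json.loads(text.replace('""', '"'))
    flat = {}
    for _section, fields in obj.items():      # "System" and "EventData"
        flat.update(fields)
    return flat


def map_event(raw: str) -> dict:
    """Conditional mapping keyed on EventId, mirroring the thread's conditionalmap block."""
    f = flatten(raw)
    ev = {"deviceVendor": "Microsoft", "deviceProduct": "DNS server", "externalId": f["EventId"]}
    ev["name"] = EVENT_NAMES.get(f["EventId"], "Unknown DNS analytic event")
    if f["EventId"] == "257":
        ev["requestUrl"] = f.get("QNAME")
        ev["destinationAddress"] = f.get("Destination")
        ev["deviceAddress"] = f.get("InterfaceIP")
    return ev
```

Note that the connector's key/value reader is not JSON-aware, so the ","/":" delimiters in the thread split the doubled-quote tokens; the flattened dictionary here shows which keys a working subparser has to end up with.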

Commodore

Hello Gabriel!

Any progress on your problem?

I faced the same problem, but with getting Oracle data from the EventData of a Windows event.

Thanks in advance

Aleks

Vice Admiral

Hi everyone,

After some work and getting some help from HP (thank you guys!) I finally got it working. Find the file attached.

Please, note the file is provided as is and without any guarantee on my side. Also, note the "stringConstant" fields are in Spanish.

Enjoy!

Gabriel Crespo
