
Enable Windows DNS logs

Overview

DNS is a system that is used in TCP/IP networks for naming computers and network services. DNS naming locates computers and services through user-friendly names. When a user enters a DNS name in an application, DNS services can resolve the name to other information that is associated with it, such as an IP address.

Configuration

DNS debug logging

  1. Open the DNS Manager with the following command: dnsmgmt.msc.

  2. Right-click the DNS server and click Properties.

  3. Click the Debug Logging tab.

  4. Select Log packets for debugging. Keep both packet directions (Outgoing and Incoming), both transport protocols (UDP and TCP) and both packet types (Request and Response) selected; if any of these is cleared the file silently misses that class of traffic.

  5. Enter the File path and name, and the Maximum size (bytes). Note the path: the Endpoint Agent configuration below must point at exactly this file.

  6. Click Apply and OK.

Configuration sample:
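The same change scripted for several servers, as an added example that is not part of the Devo page or the Endpoint Agent: it uses the Set-DnsServerDiagnostics and Get-DnsServerDiagnostics cmdlets from the Windows DnsServer module instead of the DNS Manager GUI. The log path is a placeholder that you replace with the one you give fetchfiles, and the size value is assumed to be in bytes (compare with the value Get-DnsServerDiagnostics reports on your version before relying on it).

```powershell
# Added example (not from the Devo page): enable the DNS debug (packet) log the
# GUI steps above describe, then verify the running configuration.
# Assumes the DnsServer module is available (DNS Server role or RSAT).

$LogPath    = 'C:\DnsLogs\dns.log'   # placeholder; must match the path configured in fetchfiles
$MaxLogSize = 500000000              # 500 MB; assumed to be bytes despite the parameter name

New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null

# Equivalent of "Log packets for debugging" with both directions, both transports,
# and both request and response packets, written to a size-capped file.
Set-DnsServerDiagnostics -SendPackets $true -ReceivePackets $true `
    -UdpPackets $true -TcpPackets $true -Queries $true -Answers $true `
    -EnableLoggingToFile $true -LogFilePath $LogPath -MaxMBFileSize $MaxLogSize

# Check the effective settings instead of trusting that the call succeeded.
$diag = Get-DnsServerDiagnostics
if (-not ($diag.EnableLoggingToFile -and $diag.LogFilePath -eq $LogPath -and
          $diag.SendPackets -and $diag.ReceivePackets)) {
    throw "DNS debug logging is not active with the expected settings on $env:COMPUTERNAME"
}
$diag | Select-Object EnableLoggingToFile, LogFilePath, MaxMBFileSize, SendPackets, ReceivePackets, UdpPackets, TcpPackets
```

The debug log records every query and response with the client IP, which is what makes it useful for detection, but it is a diagnostic facility: it costs CPU and disk on a busy resolver, so watch the server after enabling it and size the file cap accordingly.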

Endpoint Agent Manager

Using ansible roles (recommended)

  1. Search for the options.yaml file in the Devo EA Manager installer (usually in playbooks/roles/deam-packs/files/devo-packs/options.yaml).

  2. Open it with your preferred text editor, find the Windows section and add a custom fetchfiles entry for the log file path you configured above, with a custom tag and multiline processing enabled. Use the following regular expression as the separator, so that each event starts at a line that begins with a date: ^\d\d?/\d\d?/\d{4}

The following screenshot shows a configuration sample:

If you are running a new deployment, continue with the normal deployment process; the change is not applied until the devo-endpoint-agent runs.

If you have an existing deployment, run the deam-packs playbook from your deployer folder to apply the configuration: ansible-playbook -i inventories/<your_inventory_name>.yaml playbooks/deam-packs.yaml.

Endpoints refresh their configuration every config_refresh seconds. If the new configuration has not been picked up once that period has passed, restart the endpoints so that it takes effect.

Use admin page in EA Manager Web UI

Be aware that modifying the osquery configuration via the Web UI only changes the running configuration of the EA Manager; the change is not written back to the options.yaml file in the ansible playbook. Consolidate any change made in the Web UI into options.yaml before running a new ansible deployment, or the deployment will overwrite it.

  1. Log into your Devo EA Manager administration console (https://<devo_ea_manager_ip>:8080).

  2. Once logged in, go to the osquery configuration page just by adding /settings/osquery to the URL (example: https://<devo_ea_manager_ip>:8080/settings/osquery) (URL for EA prior to 1.2.0 is https://<devo_ea_manager_ip>:8080/admin/osquery).

  3. You see a text editor with the loaded DEA Manager options.yaml file as in the following screenshot:

  4. Find the windows -> devo_extensions -> fetchfiles section and add your previously configured log file path with a custom tag and multiline processing enabled, using the following regular expression as the separator: content_separator: ^\d\d?/\d\d?/\d{4}

Configuration sample:

Remember to follow these steps if you have previously deployed the pattern in fetchfiles.
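What the content_separator expression from the ansible and Web UI steps actually does to the log, as an added example that is not part of the Devo page or the Endpoint Agent: a Windows DNS debug log writes one summary line per packet, and when Details is enabled each packet is followed by indented lines that carry no date, so the only reliable record boundary is a line that starts with a date. The script below groups constructed sample lines with the same expression, then parses each record's summary line into fields. The sample uses the M/D/YYYY h:mm:ss AM/PM layout; the date layout follows the server's regional settings, so check the first characters of the real file before trusting the separator.

```powershell
# Added example (not from the Devo page): groups DNS debug log lines into records
# with the page's separator regex, then parses the summary line of each record.
# The log content below is constructed for this example.

$SeparatorPattern = '^\d\d?/\d\d?/\d{4}'   # same expression as in content_separator

$sampleLog = @'
3/15/2023 10:12:34 AM 0A1C PACKET  000000B4A2F3B6E0 UDP Rcv 10.0.0.5        4a3c   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
UDP question info at 000000B4A2F3B6E0
  Socket = 532
  Remote addr 10.0.0.5, port 51234
  Message:
    XID       0x4a3c
    Flags     0x0100
3/15/2023 10:12:34 AM 0A1C PACKET  000000B4A2F3B6E0 UDP Snd 10.0.0.5        4a3c R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
3/15/2023 10:12:35 AM 0A1C PACKET  000000B4A2F3B700 UDP Rcv 10.0.0.7        9f01   Q [0001   D   NOERROR] TXT    (4)xk3f(10)exfil-demo(3)net(0)
'@

function Split-DnsDebugLog {
    # Groups raw lines the way a multiline collector with this separator does:
    # a line matching the pattern opens a new record, any other line is appended
    # to the record that is currently open.
    param([string[]]$Lines)
    $records = New-Object System.Collections.Generic.List[string]
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match $SeparatorPattern) {
            if ($null -ne $current) { $records.Add($current) }
            $current = $line
        } elseif ($null -ne $current) {
            $current += "`n" + $line
        }
        # Lines seen before the first dated line have no record to join and are dropped.
    }
    if ($null -ne $current) { $records.Add($current) }
    return ,$records.ToArray()
}

function ConvertFrom-DnsLabelNotation {
    # "(3)www(7)example(3)com(0)" -> "www.example.com"
    param([string]$Name)
    $labels = [regex]::Matches($Name, '\((\d+)\)([^(]*)') |
        ForEach-Object { $_.Groups[2].Value } |
        Where-Object { $_ -ne '' }
    return ($labels -join '.')
}

function ConvertFrom-DnsDebugRecord {
    # Parses the summary (first) line of a record: timestamp, thread id, PACKET,
    # packet pointer, transport, Snd/Rcv, remote IP, XID, optional R (response),
    # opcode letter, [flags], query type, name in label notation.
    param([string]$Record)
    $lines = $Record -split "`n"
    $m = [regex]::Match($lines[0],
        '^(?<when>\d\d?/\d\d?/\d{4} \S+(?: [AP]M)?) (?<tid>[0-9A-Fa-f]+) PACKET\s+\S+ ' +
        '(?<proto>UDP|TCP) (?<dir>Snd|Rcv) (?<ip>\S+)\s+(?<xid>[0-9A-Fa-f]{4})\s+(?<resp>R)?\s*' +
        '(?<op>\S)\s+\[(?<flags>[^\]]*)\]\s+(?<qtype>\S+)\s+(?<name>\S+)')
    if (-not $m.Success) { return $null }
    [pscustomobject]@{
        When       = $m.Groups['when'].Value
        Transport  = $m.Groups['proto'].Value
        Direction  = $m.Groups['dir'].Value
        RemoteIP   = $m.Groups['ip'].Value
        IsResponse = $m.Groups['resp'].Success
        QueryType  = $m.Groups['qtype'].Value
        Name       = ConvertFrom-DnsLabelNotation $m.Groups['name'].Value
        LineCount  = $lines.Count
    }
}

$records = Split-DnsDebugLog ($sampleLog -split "`r?`n")
$parsed  = $records | ForEach-Object { ConvertFrom-DnsDebugRecord $_ }
$parsed | Format-Table When, Transport, Direction, RemoteIP, IsResponse, QueryType, Name, LineCount
```

With the sample above the grouping yields three events, the first of which carries all seven lines of the detailed query; without the separator the six indented detail lines would each arrive in Devo as a separate, undated event and the query they belong to would be split from its client address and name.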

Sending to Devo

These events use the fetchfiles query added by default in the DevoFetchFilesPack pack, so if the DevoFetchFilesPack pack is enabled, you do not need to change anything else.

Data access

By default, file contents are ingested into Devo under box.devo_ea.files.dns_windows, one event per line, or one event per record delimited by the separator when multiline processing is enabled as configured above.
They can also be seen in the parent table, box.devo_ea.files.