Microsoft DNS Debug

The JSA DSM for Microsoft DNS Debug collects events from a Microsoft Windows system.

The following table describes the specifications for the Microsoft DNS Debug DSM:

Table 1: Microsoft DNS Debug DSM specifications

Specification                  Value
Manufacturer                   Microsoft
DSM name                       Microsoft DNS Debug
RPM file name                  DSM-MicrosoftDNS-JSA_version-build_number.noarch.rpm
Supported versions             Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016
Protocol                       WinCollect Microsoft DNS Debug
Event format                   LEEF
Recorded event types           All operational and configuration network events.
Automatically discovered?      Yes
Includes identity?             Yes
Includes custom properties?    No
More information               http://www.microsoft.com

To integrate Microsoft DNS Debug with JSA, complete the following steps:

  1. If automatic updates are not enabled, download the most recent version of the following RPMs from Juniper Downloads and install them on your JSA Console in the order listed:

    • .sfs file for WinCollect

    • DSMCommon RPM

    • Microsoft DNS Debug RPM

  2. Configure WinCollect to forward Microsoft DNS Debug events to JSA. For more information, see the Juniper Secure Analytics WinCollect User Guide.

  3. If JSA does not automatically detect the log source, add a Microsoft DNS Debug log source on the JSA console. The following table describes the parameters that require specific values for Microsoft DNS Debug event collection:

    Table 2: Microsoft DNS Debug log source parameters

    Log Source type
        Microsoft DNS Debug

    Protocol Configuration
        WinCollect Microsoft DNS Debug

    Log Source Identifier
        The IP address or host name of the Windows DNS server from which JSA collects the Microsoft DNS Debug events.

    File Reader Type
        How WinCollect reads the log file. Both options have basic support for Unicode encodings that are signaled by a byte-order mark.

        Text (file held open): WinCollect keeps the monitored log file open, holding a shared read and write lock on it, for as long as it monitors the file.

        Text (file open when reading): WinCollect opens the log file, and holds the shared read and write lock, only while it reads the file.

    File Monitor Type
        How WinCollect detects file and directory changes.

        Notification-based (local): uses Windows file system notifications to detect changes to the DNS log.

        Polling-based (remote): monitors remote files and directories. The agent polls the remote DNS log at each polling interval and compares it with what it saw at the previous interval; any new entries are retrieved.

    File Pattern
        A regular expression (regex) that matches the file name of the DNS debug log configured in DNS Manager.

    Root Directory
        The directory in which WinCollect monitors files: a local file system path for local collection, or a valid Windows Universal Naming Convention (UNC) path for remote collection.

        This value must match the directory part of the file path that is configured in DNS Manager.

    Note:

    Because of restrictions in distributed systems, the path cannot be verified in the user interface.

Enabling DNS debugging on Windows Server

Enable DNS debugging on Windows Server to collect information that the DNS server sends and receives.

The DNS Server role must be installed on the Windows Server.

Note:

DNS debug logging can affect system performance and disk space because it provides detailed data about information that the DNS server sends and receives. Enable DNS debug logging only when you require this information.

  1. Open the DNS Manager with the following command:

    dnsmgmt.msc

  2. Right-click the DNS server and click Properties.

  3. Click the Debug Logging tab.

  4. Select Log packets for debugging.

  5. Enter the File path and name, and Maximum size.

    Note:

    The File path and name must align with the Root Directory and File Pattern that you entered when the Microsoft DNS Debug log source was created in JSA: the directory part must equal the Root Directory, and the file name must match the File Pattern regex.

  6. Click Apply and OK.
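The same configuration can be applied from PowerShell and, more usefully, checked against what was entered in the JSA log source. The script below is an added example and is not part of the Juniper or Microsoft documentation. It uses the DnsServer module cmdlets Set-DnsServerDiagnostics and Get-DnsServerDiagnostics (available on Windows Server 2012 R2 and 2016) and assumes the values C:\DNSLogs, dns.log and the File Pattern ^dns\.log$ as stand-ins for whatever was entered for Root Directory and File Pattern in JSA.

```powershell
# Added example (not from the Juniper page): enable Windows DNS Server debug
# logging and verify that the log path lines up with the JSA log source's
# Root Directory and File Pattern. Run as an administrator on the DNS server
# with the DNS Server role and the DnsServer PowerShell module installed.

# Assumed values standing in for what was entered in the JSA log source.
$JsaRootDirectory = 'C:\DNSLogs'       # Root Directory (local collection)
$JsaFilePattern   = '^dns\.log$'        # File Pattern (regex on the file name)
$LogFile          = Join-Path -Path $JsaRootDirectory -ChildPath 'dns.log'

# The DNS service will not create the directory for you.
if (-not (Test-Path -LiteralPath $JsaRootDirectory)) {
    New-Item -ItemType Directory -Path $JsaRootDirectory | Out-Null
}

# Equivalent of "Log packets for debugging" in DNS Manager: queries and
# answers, both directions, UDP and TCP, written to a file capped at 500 MB.
# Note that MaxMBFileSize is in megabytes, while the "Maximum size" box on the
# Debug Logging tab of DNS Manager is in bytes.
Set-DnsServerDiagnostics -EnableLoggingToFile $true `
    -LogFilePath $LogFile `
    -MaxMBFileSize 500 `
    -Queries $true -Answers $true `
    -SendPackets $true -ReceivePackets $true `
    -UdpPackets $true -TcpPackets $true

# Read back what the server actually stored rather than trusting our input.
$diag           = Get-DnsServerDiagnostics
$configuredDir  = Split-Path -Path $diag.LogFilePath -Parent
$configuredName = Split-Path -Path $diag.LogFilePath -Leaf

# Check 1: the directory the DNS server writes to must equal Root Directory.
# (-ne on strings is case-insensitive, which is what Windows paths need.)
if ($configuredDir.TrimEnd('\') -ne $JsaRootDirectory.TrimEnd('\')) {
    Write-Warning "DNS log directory '$configuredDir' does not match JSA Root Directory '$JsaRootDirectory'"
}

# Check 2: the File Pattern regex must match the log file name.
if ($configuredName -notmatch $JsaFilePattern) {
    Write-Warning "DNS log file name '$configuredName' does not match JSA File Pattern '$JsaFilePattern'"
}

# Check 3: confirm that file logging is on and show the effective settings.
if (-not $diag.EnableLoggingToFile) {
    Write-Warning 'DNS debug logging to file is not enabled'
}
$diag | Select-Object EnableLoggingToFile, LogFilePath, MaxMBFileSize,
    Queries, Answers, SendPackets, ReceivePackets, UdpPackets, TcpPackets
```

For remote collection the Root Directory in JSA is a UNC path to a share that exposes the same directory, so compare the share-local path rather than the string above, and make sure the WinCollect agent's account has read access to that share. Windows Server 2008 R2 does not ship the DnsServer module; use DNS Manager or dnscmd /Config with /LogLevel, /LogFilePath and /LogFileMaxSize there.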

Microsoft DNS Debug Sample Event Message

Use this sample event message to verify a successful integration with JSA.

Note:

Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Microsoft DNS Debug sample message when you use the Syslog protocol

The following sample event shows a DNS type A query.

Table 3: Highlighted values in the Microsoft DNS Debug sample event

JSA field name         Highlighted values in the payload
Event ID               Type
Category               WindowsDNS
Destination Address    Remote IP
Log Source Time        Aug 01 07:46:17
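To compare the raw debug log against the normalized event, the following PowerShell is an added example, not part of the Juniper page: it parses DNS debug log packet records into the fields Table 3 lists (Log Source Time, Type, Remote IP). The two packet lines and the header line are constructed for this example, not captured from a server, and assume the US date format an en-US server writes. The record layout assumed (date, time, thread ID, PACKET, packet ID, UDP/TCP, Snd/Rcv, remote IP, xid, Q/R, opcode, flags and response code, question type, question name) is the Windows DNS debug log packet format and is an assumption about the server's output rather than anything shown on this page.

```powershell
# Added example (not from the Juniper page): parse Windows DNS Server debug log
# packet records into the fields that JSA shows for this DSM (Table 3).

# Constructed sample records (not captured from a real server): a type A query
# received from a client, the matching response sent back, and a header line
# that carries no packet and must be skipped.
$SampleLines = @(
    '8/1/2017 7:46:17 AM 0F4C PACKET  000000D43F2E9E10 UDP Rcv 10.0.0.25       0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)'
    '8/1/2017 7:46:17 AM 0F4C PACKET  000000D43F2E9E10 UDP Snd 10.0.0.25       0002 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)'
    'DNS Server log file creation at 8/1/2017 7:46:00 AM'
)

# Assumed packet record layout: date, time, thread ID, PACKET, packet ID,
# UDP/TCP, Snd/Rcv, remote IP, xid, optional R (response), opcode,
# [flags(hex) flags(chars) rcode], question type, question name.
$PacketRegex = '^(?<date>\S+)\s+(?<time>\S+(?:\s[AP]M)?)\s+(?<tid>[0-9A-Fa-f]{4})\s+PACKET\s+' +
               '(?<pkt>[0-9A-Fa-f]+)\s+(?<proto>UDP|TCP)\s+(?<dir>Snd|Rcv)\s+(?<ip>\S+)\s+' +
               '(?<xid>[0-9A-Fa-f]{4})\s+(?<qr>R)?\s*(?<op>[QNU?])\s+' +
               '\[(?<flagshex>[0-9A-Fa-f]{4})\s+(?<flags>[A-Z]*)\s+(?<rcode>\w+)\]\s+' +
               '(?<qtype>\S+)\s+(?<qname>\S+)$'

function ConvertFrom-DnsLabelNotation {
    # "(3)www(7)example(3)com(0)" -> "www.example.com"; the root "(0)" -> "."
    param([string]$Label)
    $name = ($Label -replace '\(\d+\)', '.').Trim('.')
    if ($name) { $name } else { '.' }
}

function ConvertFrom-DnsDebugLine {
    # Returns one object per packet record, or $null for lines that are not
    # packet records (file headers, blank lines, non-PACKET contexts).
    param([string]$Line)
    if (-not ($Line -match $PacketRegex)) { return $null }
    $m = $Matches
    [pscustomobject]@{
        # Table 3: Log Source Time comes from the record's date and time.
        LogSourceTime = [datetime]::Parse("$($m.date) $($m.time)", [cultureinfo]::InvariantCulture)
        # Table 3: Destination Address is taken from the Remote IP column.
        RemoteIP      = $m.ip
        Direction     = $m.dir
        Protocol      = $m.proto
        IsResponse    = [bool]$m.qr        # 'R' present only on responses
        Opcode        = $m.op
        # Table 3: Event ID is taken from the question Type column (A here).
        Type          = $m.qtype
        ResponseCode  = $m.rcode
        QueryName     = ConvertFrom-DnsLabelNotation $m.qname
    }
}

$events = $SampleLines | ForEach-Object { ConvertFrom-DnsDebugLine $_ } | Where-Object { $_ }
$events | Format-Table LogSourceTime, Direction, RemoteIP, Type, QueryName, ResponseCode -AutoSize

# Render the time the way Table 3 shows it ("Aug 01 07:46:17").
$events[0].LogSourceTime.ToString('MMM dd HH:mm:ss', [cultureinfo]::InvariantCulture)
```

Feed the parser the actual file that WinCollect monitors (Get-Content on the LogFilePath from Get-DnsServerDiagnostics) and compare a record's RemoteIP, Type and LogSourceTime with the Destination Address, Event ID and Log Source Time of the corresponding event in JSA; a record that does not match $PacketRegex (for example, a locale that writes dates differently) is returned as $null and is a sign the regex needs adjusting before it is used for anything beyond spot checks.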