Accenture MDR Quick Start Guide for Microsoft® DNS (TCP)
This quick start guide will help Accenture MDR customers configure a Microsoft® DNS server to send logs to the Log Collection Platform (LCP).
This document includes the following topics:
Supported Versions
Port Requirements
Configuring Microsoft DNS
LCP Configuration Parameters
Legal Notice
Supported Versions
A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx), which can be found on the Accenture MDR Portal.
Port Requirements
Table 1-1: Port requirements for LCP communication.
Source | Destination | Port | Description |
Microsoft DNS server | LCP | 10014 (TCP with TLS) or 10013 (TCP with Non-TLS) | Default port |
Configuring Microsoft DNS
To configure Microsoft DNS, follow the steps below.
Note: The Accenture Microsoft DNS collector supports only the Regional format [English (United States)] with the date format M/d/yyyy h:mm:ss tt, which is the format recommended by Windows. This change does not affect the device time zone; it is only a date format change. Make sure the device date format is set to [English (United States)] M/d/yyyy h:mm:ss tt before configuring the device for log collection.
1. Navigate to the Domain Name System Microsoft Management Console using the path below.
For Microsoft Server 2008 and 2008 R2, go to Start Menu > Program Files > Administrative Tools > DNS Manager.
For Microsoft Server 2012 and 2012 R2, go to Start Menu > Administrative Tools > DNS Manager.
2. In the Domain Name System Microsoft Management Console (DNS MMC), right-click the current DNS server, and then click Properties.
3. Under the Debug Logging tab, enable the check boxes below.
Log packets for debugging.
Ensure the Incoming, UDP and TCP check boxes are enabled under Packet direction.
Ensure the Queries/Transfers, Request and Response check boxes are enabled under Packet contents.
4. Click the OK button.
NOTE:
Ensure that the server's drive cannot be filled by the log file: it is recommended that the file be placed on a drive with enough free space and that the maximum file size be set between 500 MB and 1 GB.
Debug logging can affect overall server performance and consumes disk space, so monitor DNS performance and health on a regular basis.
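The steps above can also be applied and verified from PowerShell on Windows Server 2012 and later, where the DnsServer module exposes the same Debug Logging options (Windows Server 2008 and 2008 R2 have no such module, so the DNS Manager steps apply there). The block below is an added example and is not part of the Accenture guide: it checks the date format the DNS service will use in dns.log, enables the check boxes listed above through Set-DnsServerDiagnostics with the recommended maximum file size, and reads the result back. The log path is an example, and the registry location used for the date-format check is an assumption based on the DNS service running as Local System, whose regional settings are the ones copied to the system accounts.

```powershell
# Added example, not part of the Accenture guide. Applies the Debug Logging
# settings from the steps above through the DnsServer PowerShell module
# (Windows Server 2012 and later; on 2008/2008 R2 use DNS Manager) and checks
# the date format the DNS service will write into dns.log.
# Run in an elevated PowerShell session on the DNS server.
# Assumptions: the log path is an example; the DNS service runs as Local
# System, whose regional settings live under HKEY_USERS\.DEFAULT.

Import-Module DnsServer

$LogFile   = 'D:\DNSLogs\dns.log'   # example: a drive with enough free space
$MaxSizeMB = 500                    # guide recommends between 500 MB and 1 GB

function Test-DnsServiceDateFormat {
    # The DNS service does not run under the administrator's profile, so the
    # regional settings that matter are those copied to the system accounts
    # (Region > Administrative > Copy settings), stored under HKU\.DEFAULT.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $intl = Get-ItemProperty -Path 'HKU:\.DEFAULT\Control Panel\International'
    $ok = ($intl.LocaleName -eq 'en-US') -and
          ($intl.sShortDate -eq 'M/d/yyyy') -and
          ($intl.sTimeFormat -eq 'h:mm:ss tt')
    [pscustomobject]@{
        LocaleName  = $intl.LocaleName
        ShortDate   = $intl.sShortDate
        TimeFormat  = $intl.sTimeFormat
        IsSupported = $ok   # must be $true before enabling collection
    }
}

function Enable-DnsDebugLogging {
    param([string]$Path, [uint32]$MaxMB)
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

    # Same options as the Debug Logging tab in DNS Manager:
    #   Log packets for debugging          -> EnableLoggingToFile
    #   Packet direction: Incoming         -> ReceivePackets
    #   Transport protocol: UDP, TCP       -> UdpPackets, TcpPackets
    #   Packet contents: Queries/Transfers -> Queries
    #   Packet type: Request, Response     -> QuestionTransactions, Answers
    Set-DnsServerDiagnostics -EnableLoggingToFile $true `
        -ReceivePackets $true -UdpPackets $true -TcpPackets $true `
        -Queries $true -QuestionTransactions $true -Answers $true `
        -LogFilePath $Path -MaxMBFileSize $MaxMB
}

function Get-DnsDebugLoggingStatus {
    # Read back what the server actually applied, using the tab's own names.
    $d = Get-DnsServerDiagnostics
    [pscustomobject]@{
        LogPacketsForDebugging = $d.EnableLoggingToFile
        Incoming  = $d.ReceivePackets
        UDP       = $d.UdpPackets
        TCP       = $d.TcpPackets
        Queries   = $d.Queries
        Request   = $d.QuestionTransactions
        Response  = $d.Answers
        LogFile   = $d.LogFilePath
        MaxMB     = $d.MaxMBFileSize
    }
}

$fmt = Test-DnsServiceDateFormat
if (-not $fmt.IsSupported) {
    Write-Warning ("System-account date format is '{0} {1}' ({2}); set it to " +
        "English (United States) M/d/yyyy h:mm:ss tt first." -f
        $fmt.ShortDate, $fmt.TimeFormat, $fmt.LocaleName)
}
Enable-DnsDebugLogging -Path $LogFile -MaxMB $MaxSizeMB
Get-DnsDebugLoggingStatus | Format-List
```

Keeping the file size bounded through MaxMBFileSize is what protects the system drive: once the limit is reached the server starts a new log rather than growing without bound, so the check in Get-DnsDebugLoggingStatus should show the value you set as well as every check box from step 3 reading True.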
Steps to configure the Windows NxLog agent for non-TLS TCP log flow on port 10013
1. Download and install the NxLog agent from https://nxlog.co/products/nxlog-community-edition/download
2. Go to services.msc and stop the nxlog service.
3. Go to the folder C:\Program Files (x86)\nxlog\data and delete configcache.dat.
4. For the Windows agent, go to the installed location C:\Program Files (x86)\nxlog\conf.
5. Copy the Windows DNS (non-TLS) settings below into the attached nxlog.conf file.
6. Replace LCP_IP_Address with the actual LCP IP address in nxlog.conf.
7. Change the dns.log file location against File.
8. Now start the nxlog service from services.msc.
9. NxLog agent logs will be available at C:\Program Files (x86)\nxlog\data\nxlog.log.
Steps to configure the Windows NxLog agent for TLS TCP log flow on port 10014
1. Download and install the NxLog agent from https://nxlog.co/products/nxlog-community-edition/download
2. Go to services.msc and stop the nxlog service.
Note: Please contact the Accenture MDR onboarding team to obtain the certificate.
3. Place the certificate obtained from the MDR onboarding team on the DNS server at your desired location.
4. Go to the folder C:\Program Files (x86)\nxlog\data and delete configcache.dat.
5. For the Windows agent, go to the installed location C:\Program Files (x86)\nxlog\conf.
6. Copy the Windows DNS (TLS) settings below into the attached nxlog.conf file.
7. Replace LCP_IP_Address with the actual LCP IP address in nxlog.conf.
8. Change the dns.log file location against File.
9. Provide the file location of the CA certificate on the DNS server.
10. Now start the nxlog service from services.msc.
11. NxLog agent logs will be available at C:\Program Files (x86)\nxlog\data\nxlog.log.
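Before starting the nxlog service in either procedure (port 10013 for the non-TLS flow, port 10014 for the TLS flow), it is worth confirming from the DNS server that the LCP port is reachable and, for the TLS flow, that the certificate the LCP presents chains to the CA certificate supplied by the onboarding team, since a wrong CA file or a firewall rule shows up only as terse errors in nxlog.log. The block below is an added example and is not the guide's or NxLog's own code; LCP_IP_Address and the CA file path are placeholders to replace, and the handshake check verifies the chain only, not the host name, because the guide addresses the LCP by IP.

```powershell
# Added example, not part of the Accenture guide: pre-flight checks for the
# nxlog-to-LCP connection. Placeholders: replace LCP_IP_Address as in nxlog.conf
# and point $CaFile at the CA certificate from the onboarding team (step 9).
$LcpAddress = 'LCP_IP_Address'
$CaFile     = 'C:\nxlog-certs\lcp-ca.pem'   # example location (PEM or DER)
$NxLogLog   = 'C:\Program Files (x86)\nxlog\data\nxlog.log'

function Test-LcpPort {
    # Plain TCP reachability with a 5 second timeout; works for both flows.
    param([string]$Address, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne(5000)) { return $false }
        $client.EndConnect($async)
        return $client.Connected
    } catch { return $false }
    finally { $client.Close() }
}

function Test-LcpTls {
    # TLS handshake on the TLS port, accepting the server certificate only if
    # it chains to the onboarding CA (a private CA, so revocation is skipped
    # and the CA is added as an explicit trust anchor instead of relying on
    # the Windows store).
    param([string]$Address, [int]$Port, [string]$CaPath)
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaPath)
    $validate = {
        param($sender, $cert, $chain, $errors)
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $c.ChainPolicy.ExtraStore.Add($ca) | Out-Null
        $c.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
        $c.ChainPolicy.RevocationMode = 'NoCheck'
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
        if (-not $c.Build($leaf)) { return $false }
        $root = $c.ChainElements[$c.ChainElements.Count - 1].Certificate
        return ($root.Thumbprint -eq $ca.Thumbprint)   # chain must end at our CA
    }.GetNewClosure()

    $client = New-Object System.Net.Sockets.TcpClient($Address, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $validate)
        $ssl.AuthenticateAsClient($Address)
        [pscustomobject]@{
            Trusted  = $true
            Protocol = $ssl.SslProtocol
            Cipher   = $ssl.CipherAlgorithm
            Subject  = $ssl.RemoteCertificate.Subject
        }
    } catch {
        [pscustomobject]@{ Trusted = $false; Error = $_.Exception.Message }
    } finally { $client.Close() }
}

foreach ($port in 10013, 10014) {
    '{0}:{1} reachable: {2}' -f $LcpAddress, $port, (Test-LcpPort -Address $LcpAddress -Port $port)
}
Test-LcpTls -Address $LcpAddress -Port 10014 -CaPath $CaFile | Format-List

# After starting the service, the last lines of nxlog.log show whether the
# agent connected or is retrying.
if (Test-Path $NxLogLog) { Get-Content -Path $NxLogLog -Tail 20 }
```

A Trusted value of False with a chain error means the CA file on the DNS server is not the one that issued the LCP certificate, which is the case to raise with the onboarding team before changing anything in nxlog.conf; a reachability result of False on the chosen port points at a firewall or routing issue between the DNS server and the LCP rather than at the agent.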
LCP Configuration Parameters
Table 1-2: The Microsoft DNS TCP event collector (Syslog - 3878) properties to be configured by MDR are given in the table.
Property | Default Value | Description |
Protocol | TCP | The default protocol for syslog. |
IP Address | Microsoft DNS Interface IP address. | Logging device IP address mentioned in the Pre-Installation Questionnaire (PIQ). Note: If the device sends logs using multiple interfaces, contact the Accenture MDR onboarding team. |
Port Number | TCP/10013 or TCP/10014 | The default port number for syslog. Note: The LCP can be configured to listen on a non-standard port; please advise the Accenture MDR onboarding team if this is a requirement. |
Legal Notice
Copyright © 2021 Accenture. All rights reserved.
Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.