Accenture MDR Quick Start Guide for Microsoft® DNS (TCP)

This quick start guide will help Accenture MDR customers configure a Microsoft® DNS server to send logs to the Log Collection Platform (LCP).

 

This document includes the following topics:

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx), which can be found on the Accenture MDR Portal.

Port Requirements

Table 1-1: Port requirements for LCP communication.

Source                  Destination   Port                         Description
Microsoft DNS server    LCP           10014 (TCP with TLS) or      Default port
                                      10013 (TCP with Non-TLS)

Configuring Microsoft DNS

To configure Microsoft DNS, follow the steps below.

Note: The Microsoft DNS collector for Accenture supports only the Regional [English United States] date format M/d/yyyy h:mm:ss tt, which is the format recommended by Windows. This change does not affect the device time zone; it is only a date format change. Make sure the device date format is set to [English United States] M/d/yyyy h:mm:ss tt before configuring the device for log collection.

  1. Navigate to the Domain Name System Microsoft Management Console using the path below.

  • For Microsoft Server 2008 and 2008 R2, go to Start Menu > Program Files > Administrative Tools > DNS Manager.

  • For Microsoft Server 2012 and 2012 R2, go to Start Menu > Administrative Tools > DNS Manager.

2. In the Domain Name System Microsoft Management Console (DNS MMC), right-click the current DNS server, and then click Properties.

3. Under the Debug Logging tab, enable the following check boxes.

  • Log packets for debugging.

  • Ensure the Incoming, UDP and TCP check boxes are enabled under Packet direction and Transport protocol.

  • Ensure the Queries/Transfers, Request and Response check boxes are enabled under Packet contents and Packet type.

4. Click the OK button.

 NOTE:

  • Ensure that the log file cannot fill the server drive: place the file on a drive with enough free space and set a maximum file size between 500 MB and 1 GB.

  • Debug logging can affect overall server performance and consumes disk space, so monitor DNS performance and health on a regular basis.
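The same Debug Logging settings, applied with the DnsServer PowerShell module instead of the DNS Manager GUI, together with a check of the date format the collector requires. This is an added example, not part of the Accenture guide; it assumes Windows Server 2012 or later and an elevated session on the DNS server, and $LogPath is a constructed value.

```powershell
# Added example (not from the Accenture guide). Assumes Windows Server 2012+ with the
# DnsServer module and an elevated session on the DNS server. $LogPath is constructed.
$LogPath  = 'C:\DNSLogs\dns.log'
$MaxBytes = 500000000          # guide recommends 500 MB to 1 GB; the parameter takes bytes
$Expected = 'M/d/yyyy h:mm:ss tt'

# 1. The collector parses only the en-US pattern M/d/yyyy h:mm:ss tt.
#    Get-Culture reports the current user's format; the DNS service runs as LocalSystem,
#    so also confirm the system account has the same format (Region > Administrative).
$fmt     = (Get-Culture).DateTimeFormat
$pattern = '{0} {1}' -f $fmt.ShortDatePattern, $fmt.LongTimePattern
if ($pattern -ne $Expected) {
    Write-Warning "Date format is '$pattern'; set the region format to English (United States) ($Expected) before enabling log collection."
}

# 2. Equivalent of the Debug Logging check boxes:
#    Packet direction: Incoming        Transport protocol: UDP, TCP
#    Packet contents: Queries/Transfers  Packet type: Request, Response
New-Item -ItemType Directory -Path (Split-Path $LogPath -Parent) -Force | Out-Null
Set-DnsServerDiagnostics `
    -ReceivePackets $true -SendPackets $false `
    -UdpPackets $true -TcpPackets $true `
    -Queries $true -QuestionTransactions $true -Answers $true `
    -EnableLoggingToFile $true -LogFilePath $LogPath -MaxMBFileSize $MaxBytes

# 3. Read the settings back, trigger one query and confirm the log file is being written.
Get-DnsServerDiagnostics |
    Select-Object ReceivePackets, UdpPackets, TcpPackets, Queries,
                  QuestionTransactions, Answers, LogFilePath, MaxMBFileSize
Resolve-DnsName -Name $env:COMPUTERNAME -Server 127.0.0.1 -ErrorAction SilentlyContinue | Out-Null
Get-Item -Path $LogPath -ErrorAction SilentlyContinue | Select-Object FullName, Length, LastWriteTime
```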

 

Steps to configure the Windows NxLog Agent for Non-TLS TCP log flow on port 10013

  1. Download and install the NxLog agent from https://nxlog.co/products/nxlog-community-edition/download

  2. Go to services.msc and stop the nxlog service.

  3. Go to the folder C:\Program Files (x86)\nxlog\data and delete configcache.dat.

  4. For the Windows agent, go to the installed location C:\Program Files (x86)\nxlog\conf

  5. Copy the Windows DNS (Non-TLS) steps below into the attached nxlog.conf file.

6. Replace LCP_IP_Address with the actual LCP IP address in nxlog.conf.

7. Change the dns.log file location in the File directive.

8. Now start the nxlog service from services.msc.

9. NxLog agent logs will be available at C:\Program Files (x86)\nxlog\data\nxlog.log.

 

Steps to configure the Windows NxLog Agent for TLS TCP log flow on port 10014

  1. Download and install the NxLog agent from https://nxlog.co/products/nxlog-community-edition/download

  2. Go to services.msc and stop the nxlog service.

 Note: Contact the Accenture MDR onboarding team to obtain the certificate.

 

3. Place the certificate obtained from the MDR onboarding team at your desired location on the DNS server.

4. Go to the folder C:\Program Files (x86)\nxlog\data and delete configcache.dat.

5. For the Windows agent, go to the installed location C:\Program Files (x86)\nxlog\conf

6. Copy the Windows DNS (TLS) steps below into the attached nxlog.conf file.

7. Replace LCP_IP_Address with the actual LCP IP address in nxlog.conf.

8. Change the dns.log file location in the File directive.

9. Provide the file location of the CA certificate on the DNS server.

10. Now start the nxlog service from services.msc.

11. NxLog agent logs will be available at C:\Program Files (x86)\nxlog\data\nxlog.log.
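An added example nxlog.conf for the NxLog Community Edition on Windows that covers both procedures above: the Non-TLS output on port 10013 and the TLS output on port 10014. It is not the configuration file attached to the guide; the dns.log path, the CA certificate path and the module names are assumptions, and LCP_IP_Address is the placeholder the guide uses.

```conf
## Added example (not the file attached to the Accenture guide).
## Paths for dns.log and the CA certificate are assumptions; adjust them per steps 6-9.
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension _syslog>
    Module  xm_syslog
</Extension>

# Tail the debug log written by the DNS server (Debug Logging tab, step 3).
# SavePos keeps the read position across restarts so events are not resent.
<Input dns_in>
    Module       im_file
    File         "C:\\DNSLogs\\dns.log"
    SavePos      TRUE
    ReadFromLast TRUE
    Exec         to_syslog_bsd();
</Input>

# Non-TLS delivery on port 10013 (the "Non-TLS TCP" procedure).
<Output lcp_tcp>
    Module  om_tcp
    Host    LCP_IP_Address
    Port    10013
</Output>

# TLS delivery on port 10014 (the "TLS TCP" procedure). CAFile is the CA certificate
# obtained from the MDR onboarding team; AllowUntrusted FALSE rejects an LCP whose
# certificate does not chain to that CA, so a misdirected connection fails closed.
<Output lcp_tls>
    Module          om_ssl
    Host            LCP_IP_Address
    Port            10014
    CAFile          %ROOT%\cert\lcp-ca.pem
    AllowUntrusted  FALSE
</Output>

# Use exactly one output: lcp_tls for port 10014, or lcp_tcp for port 10013.
<Route dns_to_lcp>
    Path    dns_in => lcp_tls
</Route>
```

After starting the service, delivery errors (for example a CA mismatch or an unreachable LCP) appear in C:\Program Files (x86)\nxlog\data\nxlog.log.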

 

LCP Configuration Parameters

Table 1-2: The Microsoft DNS TCP event collector (Syslog - 3878) properties to be configured by MDR.

Property       Default Value                          Description
Protocol       TCP                                    The default protocol for syslog.
IP Address     Microsoft DNS interface IP address     Logging device IP address mentioned in the Pre-Installation Questionnaire (PIQ).
                                                      Note: If the device sends logs using multiple interfaces, contact the Accenture MDR onboarding team.
Port Number    TCP/10013 or TCP/10014                 The default port number for syslog.
                                                      Note: The LCP can be configured to listen on a non-standard port; advise the Accenture MDR onboarding team if this is a requirement.

 

Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.