1 Requirements
First, make sure our log servers are reachable. You can find the networking requirements here:
Note: The above article is only available for SecureDNS customer accounts.
2 Enable DNS debug logging
To find out which user is performing a malicious query, you will need to have DNS logging
enabled. To do this, navigate to the DNS server, right-click it and select Properties:
Under the Event Logging tab, make sure to select All events.
Under Debug Logging, select the options shown on the screenshot above. Enter the file path you want and a maximum size.
3 Downloading Filebeat
Filebeat can be downloaded from our Portal:
https://portal.secutec.com/documents -> Configuration -> SecureDNS_Filebeat_8.10.2_Windows_Certs2023
4 Installing Filebeat
The following software will need to be installed on the device from which the DNS logs need to be collected. Typically this will be the domain controller.
Extract the .zip file to c:\filebeat
Make sure to unblock the file, so that all the files can be accessed during installation.
You will see the following files:
Files that are important are the following:
Filebeat.yml -> Contains the configuration and parameters
Install-service-filebeat.ps1 -> Contains the install script to install the filebeat service
4.1 Parameters that need to be changed
The following parameters need to be changed correctly in Filebeat.yml:
paths:
  - c:\dnslogs\log.txt
fields:
  env: prod
  client: <ClientName>
  site: <ClientSite>
The client field needs to be adapted, as well as the site name.
We will provide you with the correct syntax, as otherwise the enrichment won’t work. If you have not received it yet, please contact Secutec to get the correct field names.
4.2 Not unpacked to C:\Filebeat
If you have unpacked the contents of the .zip file to a folder other than c:\filebeat, you will need to change some extra parameters in filebeat.yml.
Change the file paths to the correct folder and make sure to keep the doubled backslash “\\”, as this is needed to make it work.
Example:
If the contents of the .zip file have been extracted to c:\files\app\, you will need to change the
paths as follows:
c:\\files\\app\\ca.crt
c:\\files\\app\\beat.crt
c:\\files\\app\\beat.key
5 Installing/starting the Filebeat service
5.1 Check if the Filebeat has a connection
In PowerShell you can simply test the connection by running the command
.\filebeat test output in the Filebeat directory. The output should look like this for all servers:
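As an added pre-flight check (not part of the Secutec package or of this guide), the PowerShell script below verifies the points from sections 4 to 5.1 before the service is installed: files still blocked after the download, placeholders left in filebeat.yml, certificate paths without the doubled backslash or pointing at missing files, and finally it runs Filebeat's own config and output tests. It assumes filebeat.exe and filebeat.yml sit in the same folder; `filebeat test config` is a standard Filebeat subcommand that the guide itself does not mention.

```powershell
# Added pre-flight check; not part of the Secutec package. Assumes filebeat.exe
# and filebeat.yml are both in $FilebeatDir (default: the current folder).
param([string]$FilebeatDir = (Get-Location).Path)

$yml = Join-Path $FilebeatDir 'filebeat.yml'
if (-not (Test-Path $yml)) { throw "filebeat.yml not found in $FilebeatDir" }
$problems = @()

# 1. Section 4: files that still carry the download's Zone.Identifier stream are "blocked".
foreach ($f in Get-ChildItem $FilebeatDir -Recurse -File) {
    if (Get-Item -Path $f.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
        $problems += "Still blocked: $($f.FullName) (run Unblock-File on it)"
    }
}

# 2. Section 4.1: the <ClientName>/<ClientSite> placeholders must be replaced,
#    otherwise the enrichment on the SecureDNS side will not work.
$text = Get-Content $yml -Raw
foreach ($ph in '<ClientName>', '<ClientSite>') {
    if ($text.Contains($ph)) { $problems += "Placeholder $ph not replaced in filebeat.yml" }
}

# 3. Section 4.2: every .crt/.key path must use the doubled backslash and point at an
#    existing file; the DNS log path is only checked for existence (warning only).
$pathRegex = '(?i)[a-z]:(\\\\?[^\s"''\\\]]+)+\.(crt|key|txt)'
foreach ($m in [regex]::Matches($text, $pathRegex)) {
    $raw = $m.Value
    $onDisk = $raw -replace '\\\\', '\'      # what the path looks like on the file system
    if ($raw -match '\.(crt|key)$') {
        if ($raw -notmatch '\\\\') { $problems += "Path not escaped with '\\': $raw" }
        if (-not (Test-Path $onDisk)) { $problems += "Certificate file missing: $onDisk" }
    } elseif (-not (Test-Path $onDisk)) {
        Write-Warning "DNS log $onDisk does not exist yet; check that debug logging is enabled"
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }

# 4. Section 5.1: let Filebeat validate the config and the TLS connection to the log servers.
Push-Location $FilebeatDir
try {
    & .\filebeat.exe test config
    & .\filebeat.exe test output
} finally { Pop-Location }
```

Run it from an elevated PowerShell window in the Filebeat folder; a non-zero exit code means something from sections 4 to 4.2 still needs fixing before continuing with 5.2.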
5.2 Install the Filebeat service
Open a PowerShell window with admin rights and navigate to the Filebeat folder.
Execute install-service-filebeat.ps1.
Once this has been done, the service is created.
Type: net start filebeat
➔ This will start the service
OR
Open services.msc to start the service.
Right-click the service and start it.
The logs should now automatically be sent to the SecureDNS service for enrichment. Once this has been done, please contact Secutec to confirm that we are receiving the logs in our environment.