Syslog - Collecting Internal DNS

L1 Bithead

Syslog - Collecting Internal DNS

Hey Everyone,

I noticed my Syslog box isn't receiving internal DNS information from the Palo. I originally thought the URL log type would capture internal information (yes, I'm aware what URL stands for, but I could hope). However, that doesn't seem to be the case.

Is there a particular field, log type, or severity level I can enable to collect internal DNS names and services?

- Jeff

Cyber Elite

Re: Syslog - Collecting Internal DNS

Hello,

I'm not sure if the PAN does this for you or if there is a way to accomplish this. However, for us, our SIEM does this on its end.

Regards,

L4 Transporter

Re: Syslog - Collecting Internal DNS

What are you actually trying to achieve/log?

Rob

L1 Bithead

Re: Syslog - Collecting Internal DNS

Trying to collect internal dns records in Palo Alto's Splunk app.  That way we can better correlate events and threats when they happen.

Cyber Elite

Re: Syslog - Collecting Internal DNS

@JeffFredericks

Do you want to have DNS logs in your Splunk server or do you want the DNS names for the IPs in the logs? For the names, you can export the DNS names and create a lookup table on your Splunk server.

L1 Bithead

Re: Syslog - Collecting Internal DNS

DNS Names for the IPs in the logs.

I would love to know how to export that info.

L4 Transporter

Re: Syslog - Collecting Internal DNS

Do we assume your DNS server is Windows Server?

L4 Transporter

Re: Syslog - Collecting Internal DNS

And are all your IPs static/reserved?

L1 Bithead

Re: Syslog - Collecting Internal DNS

Windows Server + Static/reserved

L4 Transporter

Re: Syslog - Collecting Internal DNS

You can export the zone via MMC, or you could PowerShell the export and run it periodically.

Rob
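
One way to script the periodic export suggested above, as an added example that is not part of the original thread: it reads the A records of a zone with the `DnsServer` module and writes an IP-to-hostname CSV that Splunk can load as a lookup table. The zone name, output path and CSV column names are assumptions chosen for illustration.

```powershell
#Requires -Modules DnsServer
# Added example: export A records from a Windows DNS zone to a CSV
# suitable for a Splunk lookup table (ip -> hostname).
# Assumed values (not from the thread): zone name, output path, column names.
param(
    [string]$ZoneName     = 'corp.example.com',           # placeholder zone
    [string]$ComputerName = $env:COMPUTERNAME,            # DNS server to query
    [string]$OutFile      = 'C:\Exports\dns_lookup.csv'   # placeholder path
)

# Stop on errors so a failed query never overwrites a good lookup file.
$records = Get-DnsServerResourceRecord -ZoneName $ZoneName `
    -ComputerName $ComputerName -RRType A -ErrorAction Stop

$rows = foreach ($r in $records) {
    # '@' is the zone apex; every other HostName is relative to the zone.
    $fqdn = if ($r.HostName -eq '@') { $ZoneName }
            else { "$($r.HostName).$ZoneName" }

    [pscustomobject]@{
        ip       = $r.RecordData.IPv4Address.IPAddressToString
        hostname = $fqdn.ToLower()
        # Timestamp is empty for static records and set for records that
        # were registered dynamically, which can go stale between exports.
        static   = ($null -eq $r.Timestamp)
    }
}

# Write to a temporary file and swap it in, so the consumer never
# picks up a half-written CSV.
$tmp = "$OutFile.tmp"
$rows | Sort-Object ip, hostname -Unique |
    Export-Csv -Path $tmp -NoTypeInformation -Encoding UTF8
Move-Item -Path $tmp -Destination $OutFile -Force
```

Run it from a scheduled task under an account that can read the zone, then define the CSV as a lookup in Splunk and match its `ip` column against the source or destination address field of the firewall logs.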
