Configuring DNS server event reception using the ETW connector

The Event Tracing for Windows connector (hereinafter also referred to as the ETW connector) is a mechanism for logging events generated by applications and drivers on the DNS server. You can use the ETW connector to troubleshoot errors during development or to look for malicious activity.

The impact of the ETW connector on DNS server performance is insignificant. For example, a DNS server running on modern hardware and getting up to 100,000 queries per second (QPS) may experience a 5% performance drop while using the ETW connector. If the DNS server gets up to 50,000 requests per second, no performance drop is observed. We recommend monitoring DNS server performance when using the ETW connector, regardless of the number of requests per second.

By default, you can use the ETW connector on Windows Server 2016 or later. The ETW connector is also supported by Windows Server 2012 R2 if the update for event logging and change auditing is installed. The update is available on the Microsoft Support website.

The ETW connector consists of the following components:

Provider is the software that generates events and sends the events to the ETW connector. For example, Windows kernels or device drivers can act as providers. When working with code, developers must specify which events the providers must send to the ETW connector. An event may represent the execution of a function that the developer considers important, for example, a function that allows access to the Security Account Manager (SAM).
Consumer is the software that receives and uses events generated by providers from the ETW connector. For example, KUMA can act as a consumer.
Controller is the software that manages the interaction between providers and consumers. For example, the Logman or Wevtutil utilities can be controllers. Providers register with the controller to send events to consumers. The controller can enable or disable a provider. If a provider is disabled, it does not generate events.
Controllers use trace sessions for communication between providers and consumers. Trace sessions are also used for filtering data based on specified parameters because consumers may need different events.

Configuring DNS server event reception using the ETW connector involves the following steps:

Configuration on the Windows side.
Creating a KUMA collector.
When creating a KUMA collector, follow these steps:
1. At step 2 of the Collector Installation Wizard:
  1. In the Type drop-down list, select the tcp connector type. You can also specify the http connector type and other connector types with verification for secure transmission.
  2. In the URL field, enter the FQDN and port number on which the KUMA collector will listen for a connection from the KUMA agent. You can specify any unoccupied port number.
  3. In the Delimiter field, enter \n.
2. At the step 3 of the Collector Installation Wizard, in the Normalizer drop-down list, select a normalizer. We recommend selecting the predefined extended normalizer for Windows events, [OOTB] Microsoft DNS ETW logs json.
3. At step 7 of the Collector Installation Wizard, add a Storage type destination for storing events. If you plan to use event correlation, you also need to add a Correlator type destination.
4. At step 8 of the Collector Installation Wizard, click Create and save service, and in the lower part of the window, copy the command for installing the KUMA collector on the server.
Installing the KUMA collector on the server.
Do the following:
1. Connect to the KUMA command line interface using a user account with root privileges.
2. Install the KUMA collector by running the command that you copied at step 8 of the Collector Installation Wizard.
3. If you want to add the KUMA collector port to the firewall exclusions and update the firewall settings, run the following commands:
  1. firewall-cmd --add-port=<collector port number>/tcp --permanent
  2. firewall-cmd --reload
The KUMA collector is installed and the status of the KUMA collector service is changed to green in the KUMA Console.
Creating a KUMA agent.
When creating a KUMA agent, follow these steps:
1. Go to the Connection 1 tab.
2. Under Connector, in the Connector drop-down list, select Create and specify the following settings:
  1. In the Type drop-down list, select the etw connector type.
  2. In the Session name field, enter the provider name that you specified when you configured the reception of DNS server events using the ETW connector on the Windows side.
3. Under Destinations, in the Destination drop-down list, select Create and specify the following settings:
  1. In the Type drop-down list, select the tcp destination type.
  2. In the URL field, enter the FQDN and port number on which the KUMA collector will listen for a connection from the KUMA agent. The value must match the value that you specified at step 2 of the Collector Installation Wizard.
4. Go to the Advanced settings tab, and in the Disk buffer size limit field, enter 1073741824.
Creating a KUMA agent service.
You need to copy the ID of the created KUMA agent service. To do that, click the KUMA agent service, and then select Copy ID in the context menu.
Creating an account for the KUMA agent.
Create a domain or local Windows user account for running the KUMA agent and reading the analytic log. You need to add the created user account to the Performance Log Users group and grant the Log on service permission to that user account.
Installing a KUMA agent on a Windows server.
You need to install the KUMA agent on the Windows server that will be receiving events from the provider. To do so:
1. Add the FQDN of the KUMA Core server to the hosts file on the Windows server or to the DNS server.
2. Create the C:\Users\<user name>\Desktop\KUMA folder on the Windows server.
3. Copy the kuma.exe file from the KUMA installation package archive to the C:\Users\<user name>\Desktop\KUMA folder.
4. Run the command interpreter as administrator.
5. Change to the C:\Users\<user name>\Desktop\KUMA folder and run the following command:
  C:\Users\<user name>\Desktop\KUMA>kuma.exe agent --core https://<DOMAIN-NAME-KUMA-CORE-Server>:7210 --id <KUMA agent service ID>
  
  In the KUMA Console, in the Resources → Active services section, make sure that the KUMA agent service is running and its status is now green, and then abort the command.
6. Start the KUMA Agent installation in one of the following ways:
  - If you want to start the KUMA agent installation using a domain user account, run the following command:
    C:\Users\<user name>\Desktop\KUMA>kuma.exe agent --core https://<DOMAIN-NAME-KUMA-CORE-Server>:7210 --id <KUMA agent service ID> –-user <domain>\<user account name for the KUMA agent> --install
  - If you want to start the KUMA agent installation using a local user account, run the following command:
    C:\Users\<user name>\Desktop\KUMA>kuma.exe agent --core https://<DOMAIN-NAME-KUMA-CORE-Server>:7210 --id <KUMA agent service ID> –-user <user account name for the KUMA agent> --install
  You will need to enter the password of the KUMA agent user account.
The KUMA Windows Agent service <KUMA agent service ID> is installed on the Windows server. In the KUMA Console, in the Resources → Active services section, if the KUMA agent service is not running and has the red status, you need to make sure that port 7210 is available, as well as the Windows collector port in the direction from the KUMA agent to the KUMA collector.

To remove the KUMA agent service on the Windows server, run the following command:

C:\Users\<user name>\Desktop\KUMA>kuma.exe agent --id <KUMA agent service ID> --uninstall
Verifying receipt of DNS server events in the KUMA collector.
You can verify that you have correctly configured the reception of DNS server events using the ETW connector in the Searching for related events section of the KUMA Console.

In this section

Configuration on the Windows side

Page top