https://community.splunk.com/t5/All-Apps-and-Add-ons/TZ-usage-for-Windows-DNS-debug-log-dealing-with-local-timestamp/m-p/356802#M43209 <P>Your statement looks a bit definitive and it does not really help to answer my question here... you do not know if I have not tried something else first... I also tried the new Windows DNS Analytic log method without getting required reliability (like others people on this forum based on what I found).</P> <P>From on what I have been told (I need to check), Stream App does require Winpcap to be installed on the Windows server. Winpcap is something we disagree to install because it does decrease local security. At least this is currently forbidden for us to install it.</P> <P>Finally (and back to my original question), I am both interested to make this DNS debug logging work but also to understand why I cannot make this TZ modification to be properly applied. Out of the DNS use case, I might have a future need to use TZ again.</P> Mon, 20 Mar 2017 06:37:43 GMT sylbaea 2017-03-20T06:37:43Z https://community.splunk.com/t5/All-Apps-and-Add-ons/TZ-usage-for-Windows-DNS-debug-log-dealing-with-local-timestamp/m-p/356796#M43203 <P>Hello,</P> <P>I have many Windows DNS servers deployed worldwide with each one configured with local time.</P> <P>Unfortunately DNS debug log is writting local time information in the log.</P> <P>I already read here several answers related to that problem, and all of them suggest to use TZ attribute in props.conf.</P> <P>I have tried several variants of that without any success so far.<BR /> Can somebody please confirm it can work when the TZ syntax is specified on the <STRONG>universal forwarder</STRONG> (not on the indexer) ?</P> <P>Thanks.</P> Wed, 15 Mar 2017 12:15:09 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/TZ-usage-for-Windows-DNS-debug-log-dealing-with-local-timestamp/m-p/356796#M43203 sylbaea 2017-03-15T12:15:09Z https://community.splunk.com/t5/All-Apps-and-Add-ons/TZ-usage-for-Windows-DNS-debug-log-dealing-with-local-timestamp/m-p/356797#M43204 <P>If you are on version 6.0 or greater, then the <CODE>TZ</CODE> value in props.conf on the forwarder has the highest precedence (except for <CODE>TZ_ALIAS</CODE> which can override it on the indexer). People forget to upgrade their forwarders all the time so be sure you are versioned high enough.</P> Wed, 15 Mar 2017 19:33:45 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/TZ-usage-for-Windows-DNS-debug-log-dealing-with-local-timestamp/m-p/356797#M43204 woodcock 2017-03-15T19:33:45Z https://community.splunk.com/t5/All-Apps-and-Add-ons/TZ-usage-for-Windows-DNS-debug-log-dealing-with-local-timestamp/m-p/356798#M43205 <P>Hello,</P> <P>Thanks for your feedback.<BR /> I do confirm I am using the latest version on my whole infrastructure (indexer, universal forwarder)<BR /> I also confirm I do not use TZ or TZ_ALIAS at indexer level for this specific source type.</P> <P>Would you see a way to troubleshoot and detect why the TZ config is not taken into account by the UF (or by the indexer) ? There is no heavy forwarder in the middle, it goes straight from the UF to the indexer.</P> <P>Here is what I configured on the UF running on Windows DNS servers:</P> <P><STRONG>inputs.conf</STRONG><BR /> [MonitorNoHandle://C:\Windows\System32\Dns\dns.log]<BR /> sourcetype=ms:windows:dns:log<BR /> source=C:\Windows\System32\Dns\dns.log<BR /> disabled=0<BR /> index = windns</P> <P><STRONG>props.conf</STRONG><BR /> [ms:windows:dns:log]<BR /> SHOULD_LINEMERGE=false<BR /> NO_BINARY_CHECK=true<BR /> CHECK_FOR_HEADER=false<BR /> KV_MODE=none<BR /> TIME_FORMAT=%m/%d/%Y %I:%M:%S %p<BR /> TZ=America/New_York</P> <P>Note: I tried many config for props.conf (from the above one up to the smallest one just with the TZ row. No change.</P> Tue, 29 Sep 2020 13:17:30 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/TZ-usage-for-Windows-DNS-debug-log-dealing-with-local-timestamp/m-p/356798#M43205 sylbaea 2020-09-29T13:17:30Z https://community.splunk.com/t5/All-Apps-and-Add-ons/TZ-usage-for-Windows-DNS-debug-log-dealing-with-local-timestamp/m-p/356799#M43206 <P>Tell me the value of <CODE>host</CODE> for this server and the timezone that it's system clock uses and I will write the configuration for you.</P> Thu, 16 Mar 2017 21:11:58 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/TZ-usage-for-Windows-DNS-debug-log-dealing-with-local-timestamp/m-p/356799#M43206 woodcock 2017-03-16T21:11:58Z https://community.splunk.com/t5/All-Apps-and-Add-ons/TZ-usage-for-Windows-DNS-debug-log-dealing-with-local-timestamp/m-p/356800#M43207 <P>Thanks for your help... Please use dummy values, I will adjust, I do not wish to expose that info publicly.</P> <P>this being said, please note that if you intend to apply TZ by host, it will unfortunately not make it as just this specific sourcetype should be adjusted (the one indexing Windows DNS debug log)... Same UF on same host is collecting plenty of others data (with different sourcetype) where timestamp is ok (event logs, perfmon, etc.)</P> <P>Regards.</P> Fri, 17 Mar 2017 06:41:34 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/TZ-usage-for-Windows-DNS-debug-log-dealing-with-local-timestamp/m-p/356800#M43207 sylbaea 2017-03-17T06:41:34Z https://community.splunk.com/t5/All-Apps-and-Add-ons/TZ-usage-for-Windows-DNS-debug-log-dealing-with-local-timestamp/m-p/356801#M43208 <P>Nobody uses the TERRIBLE Windows DNS logs anyway. The <EM>right</EM> way to log DNS flow is with Stream App for Splunk and sniffing the wire. Read about it here (and many other places). Friends don't let friends do Windows:</P> <P><A href="http://www.rfaircloth.com/2015/11/06/get-started-with-splunk-app-stream-6-4-dns/">http://www.rfaircloth.com/2015/11/06/get-started-with-splunk-app-stream-6-4-dns/</A></P> Fri, 17 Mar 2017 23:42:09 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/TZ-usage-for-Windows-DNS-debug-log-dealing-with-local-timestamp/m-p/356801#M43208 woodcock 2017-03-17T23:42:09Z https://community.splunk.com/t5/All-Apps-and-Add-ons/TZ-usage-for-Windows-DNS-debug-log-dealing-with-local-timestamp/m-p/356802#M43209 <P>Your statement looks a bit definitive and it does not really help to answer my question here... you do not know if I have not tried something else first... I also tried the new Windows DNS Analytic log method without getting required reliability (like others people on this forum based on what I found).</P> <P>From on what I have been told (I need to check), Stream App does require Winpcap to be installed on the Windows server. Winpcap is something we disagree to install because it does decrease local security. At least this is currently forbidden for us to install it.</P> <P>Finally (and back to my original question), I am both interested to make this DNS debug logging work but also to understand why I cannot make this TZ modification to be properly applied. Out of the DNS use case, I might have a future need to use TZ again.</P> Mon, 20 Mar 2017 06:37:43 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/TZ-usage-for-Windows-DNS-debug-log-dealing-with-local-timestamp/m-p/356802#M43209 sylbaea 2017-03-20T06:37:43Z