topic Re: WIndows DNS debug log becomes deleted in Getting Data In

WIndows DNS debug log becomes deleted

realdridgespl — Tue, 14 May 2013 14:42:49 GMT

On a Windows 2008 domain controller, DNS debug logging enabled, so that queries can be captured by Splunk. The DNS debug log is called "D:\dns-log\dns-log.txt"

That file is being monitored by Splunk and it successfully is added to Splunk indexer.

Problem:
This log file keeps disappearing from its host after some number of hours or days.

If we restart the Microsoft DNS service, the log file is recreated and Splunk resumes indexing, minus the lost period of time when the file was missing.

Is there any way that the Splunk Universal Forwarder could be causing the file to be deleted?

I have not yet enabled Windows file auditing because that is quite resource intensive on the host.

Re: WIndows DNS debug log becomes deleted

wrangler2x — Tue, 14 May 2013 17:01:38 GMT

If your inputs.conf stanza for this input is of the type

[monitor://<path>]

Then this is non-destructive. If your inputs.conf stanza for this input is of the type

[batch://<path>]

Then this could be destructive, although such a stanza should also have the line

move_policy = sinkhole

to be properly destructive (e.g., index the file and delete it).

Re: WIndows DNS debug log becomes deleted

realdridgespl — Tue, 14 May 2013 17:14:44 GMT

Thanks for the idea -- but we are not using that type of config.

Ours is:

[monitor://D:\dns-log]
disabled = 0
index = WinEvtDns
sourcetype = dns

Re: WIndows DNS debug log becomes deleted

wrangler2x — Tue, 14 May 2013 17:38:32 GMT

Then this is a non-destructive monitor.

Something else is removing your file.

Re: WIndows DNS debug log becomes deleted

JeremyHagan — Sun, 03 Nov 2013 22:51:15 GMT

Did you ever find the answer to this? It is happening to me too. It seems to be when the log file reached its maximum size it is deleted and recreated and during this process the file creation fails.

Perhaps it fails to recreate the file because Splunk has a file handle on it.

Re: WIndows DNS debug log becomes deleted

flewenda — Fri, 15 Nov 2013 11:17:08 GMT

I came across interesting article when digging for info on the same subject - (not enough karma to paste the link) try googling for "Gathering detailed DNS debug logs from AD DNS" or go to godlessheathenmemoirs blog at blogspot dot com and look at August 2011 archive.

Haven't tried the tricks myself yet (there are always other priorities) but it might help.

Re: WIndows DNS debug log becomes deleted

JeremyHagan — Sun, 17 Nov 2013 21:57:03 GMT

I've already read the "godlessheathenmemoirs" article and the "0x80000000 Logs write-through transactions" setting is enabled in my environment. It hasn't made it any better.

Re: WIndows DNS debug log becomes deleted

kmcconnell — Tue, 10 Dec 2013 20:09:10 GMT

Was you able to find a solution for you problem? I think I may have a similiar issue.

Re: WIndows DNS debug log becomes deleted

dstaulcu — Wed, 14 Jan 2015 03:32:37 GMT

You should use MonitorNoHande input type instead of monitor since dns log component is very sensitive to file access collisions.