topic Windows DNS Logs in Getting Data In

Windows DNS Logs

caspertz — Mon, 17 Mar 2014 13:52:54 GMT

Using splunk 6.0.1 - trying to do some testing with Windows DNS logs to see if can get the data formatted and dropping events we dont want to keep. I found some answers on the splunk site, but either I have something misconfigured, I am missing something or some other issue is cropping up, I an unable to get the SDECMD and the TRANSFORM to both work. We have a TRANSFORM that will drop certain events - this is working. We also want to add in the SEDCMD which will change the output from (3)www(3)ibm(3)com type output to be .www.ibm.com output. The SEDCMD part is not working. Is this because of a misconfiguration on my part, is it due to already having data that is indexed or something else? This is my first foray into using splunk. Was able to set up Windows DHCP logs pretty quickly. I created a basic app for the windows dns logs to do some testing. I have tried different options with getting the SEDCMD working. Can anyone help?

Re: Windows DNS Logs

wbfoxii — Mon, 28 Sep 2020 16:11:33 GMT

Here's what I've got in mine and it's working:

These files are to be installed on the indexers...

props.conf



[windns_query]

SEDCMD-win_dns = s/\(\d+\)/./g

EXTRACT-src_ip-fqdn = Rcv\s(?P[^\s]+)\s+.+]\s(?P[^\s]+)\s+\.(?P[^\s]+)\.$

TRANSFORMS-windns = windnsnull

transforms.conf



[windnsnull]

REGEX = (^[^\d]|IN-ADDR|in-addr|\sSnd\s|\sR\sQ\s|\.ip6\.arpa|NXDOMAIN|windowsupdate\.com)

DEST_KEY = queue

FORMAT = nullQueue

Re: Windows DNS Logs

caspertz — Thu, 20 Mar 2014 12:52:13 GMT

Thanks for the responses.

I finally got mine to work. I had to modify my transforms to use the modified output after my SEDCMD.

Now I have the other issue with the dns logs not being recreated. Do you have that same issue? Are you using the Windows app for your logs?

Re: Windows DNS Logs

landen99 — Tue, 29 Apr 2014 13:09:26 GMT

This should probably be titled "DNS transformations and filtering". "Windows DNS Logs" gives the implication that there will be discussion of the meanings and interpretations of the logs themselves.

Re: Windows DNS Logs

kormot — Fri, 04 Mar 2016 20:43:09 GMT

I followed and copied exactly the props.conf and transforms.conf

but I am still not able to extract and remove the (3)www(3)ibm(3)com

Not sure what I am missing; I am on a clustered index.

My index are dns and also created win_dns just to follow the examples.

Am I doing something wrong?

Re: Windows DNS Logs

vasildavid — Fri, 04 Mar 2016 20:58:43 GMT

Kormot, try this for the SEDCMD in your props:

SEDCMD-win_dns = s/\(\d+\)/./g

Note the escaped parenthesis and the \ before the d as well. These look to be missing from wbfoxii's props.conf due to formatting.