
Can the Windows DNS Analytical and Diagnostic Logs add-on be deployed on a universal forwarder?

monovex
New Member

I have a Windows 2012 R2 server setup with a universal forwarder and I've dropped this TA into the apps folder. I'm looking for guidance on how to get this add-on to run and deliver the data to the Splunk cluster. I've already setup the receiver port on the Splunk cluster and it is receiving generic Windows event log data from this same forwarder.


rnichols
New Member

I had to make a couple of changes to the .\TA-windnsanalytical\bin\get_dns_analytics.path file to get everything to work:

  1. $SPLUNK_HOME is not set on the deployment client, so the full path to SplunkUniversalForwarder needs to be added explicitly.
  2. Also, the download tarball expands to TA-windnsanalytical, not TA-WindowsDNSAnalytical.

Original get_dns_analytics.path file:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& '$SPLUNK_HOME\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1'"

Working get_dns_analytics.path file:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-windnsanalytical\bin\get_dns_analytics.ps1'"


triest
Communicator

Yes, it should be possible to deploy Windows DNS Analytical and Diagnostic Logs on universal forwarders.

Without more information, it's hard to know why it isn't working.

Enable Inputs

According to the README, you need to enable the inputs. Looking at default/inputs.conf, there is one scripted input. Did you create a local/inputs.conf? If not, can you please create one with the content below and restart Splunk?

[script://.\bin\get_dns_analytics.path]
disabled = 0

Troubleshooting

If you manually run the script $SPLUNK_HOME/etc/apps/TA-windnsanalytical/bin/get_dns_analytics.path does it work?

Looking at that script, I have two concerns:

  1. It is manually invoking powershell.exe as C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe. It seems likely to me that you will need to update that path; you might try just PowerShell (that's what some apps we've downloaded use).
  2. It references the PowerShell script as $SPLUNK_HOME\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1; is $SPLUNK_HOME defined, and does that match your app name?

rnichols
New Member

I had to make a couple of changes to the .\TA-windnsanalytical\bin\get_dns_analytics.path file to get everything working.

  1. $SPLUNK_HOME is not set on the deployment clients, so the full path to SplunkUniversalForwarder needs to be specified.
  2. The download tarball expands to TA-windnsanalytical, not TA-WindowsDNSAnalytical.

Original get_dns_analytics.path file:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& '$SPLUNK_HOME\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1'"

Working get_dns_analytics.path file:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-windnsanalytical\bin\get_dns_analytics.ps1'"


monovex
New Member

I created a local/inputs.conf file with the content you provided and restarted Splunk. I am able to run the PowerShell file, and it returns the expected results in the console window. What I'm unclear on is whether I need to set up a Script forwarder on the Splunk server to receive the data from this. When I go to add one, it sees the forwarder, but when I select scripts it doesn't show this script.


monovex
New Member

Based on the splunkd.log file, it is failing on the PowerShell string.

01-07-2016 11:43:45.634 -0800 ERROR ExecProcessor - message from "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'D:\SplunkUniversalForwarder\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1'"" & : The term 'D:\SplunkUniversalForwarder\etc\apps\TA-WindowsDNSAnalytical\bin\
01-07-2016 11:43:45.634 -0800 ERROR ExecProcessor - message from "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'D:\SplunkUniversalForwarder\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1'"" get_dns_analytics.ps1' is not recognized as the name of a cmdlet, function, 
01-07-2016 11:43:45.634 -0800 ERROR ExecProcessor - message from "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'D:\SplunkUniversalForwarder\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1'"" script file, or operable program. Check the spelling of the name, or if a path 
01-07-2016 11:43:45.634 -0800 ERROR ExecProcessor - message from "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'D:\SplunkUniversalForwarder\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1'"" was included, verify that the path is correct and try again.
01-07-2016 11:43:45.634 -0800 ERROR ExecProcessor - message from "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'D:\SplunkUniversalForwarder\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1'"" At line:1 char:3
01-07-2016 11:43:45.634 -0800 ERROR ExecProcessor - message from "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'D:\SplunkUniversalForwarder\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1'"" + & 
01-07-2016 11:43:45.634 -0800 ERROR ExecProcessor - message from "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'D:\SplunkUniversalForwarder\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1'"" 'D:\SplunkUniversalForwarder\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_anal 
01-07-2016 11:43:45.634 -0800 ERROR ExecProcessor - message from "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'D:\SplunkUniversalForwarder\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1'"" ...
01-07-2016 11:43:45.634 -0800 ERROR ExecProcessor - message from "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'D:\SplunkUniversalForwarder\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1'"" + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
01-07-2016 11:43:45.634 -0800 ERROR ExecProcessor - message from "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'D:\SplunkUniversalForwarder\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1'"" ~~~
01-07-2016 11:43:45.634 -0800 ERROR ExecProcessor - message from "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'D:\SplunkUniversalForwarder\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1'""     + CategoryInfo          : ObjectNotFound: (D:\SplunkUniver...s_analytics.p 
01-07-2016 11:43:45.634 -0800 ERROR ExecProcessor - message from "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'D:\SplunkUniversalForwarder\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1'""    s1:String) [], CommandNotFoundException
01-07-2016 11:43:45.634 -0800 ERROR ExecProcessor - message from "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'D:\SplunkUniversalForwarder\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1'""     + FullyQualifiedErrorId : CommandNotFoundException

Is there a way I can execute the Splunk .path file manually to see where it is failing?

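The thread above boils down to three things to verify on the forwarder: that the .path file points at a real script path (no literal $SPLUNK_HOME, correct app folder name), that local/inputs.conf actually enables the scripted input, and that the ExecProcessor errors in splunkd.log are the same ones you get when running the command line by hand. The pre-flight script below, added here as an example and not part of the TA or of any poster's answer, checks all three from the forwarder itself. It assumes the Universal Forwarder service is registered under its default name SplunkForwarder (used to locate the install root when SPLUNK_HOME is unset) and that the app folder is one of the two names mentioned in the thread; the file names and the inputs.conf stanza are the ones shown above.

```powershell
# Added example: pre-flight check for the TA's scripted input on a Universal Forwarder.
# Not part of the TA. Assumes the default UF service name 'SplunkForwarder' and that the
# app folder is TA-windnsanalytical (tarball name) or TA-WindowsDNSAnalytical (.path name).
param(
    [string]$SplunkHome = $env:SPLUNK_HOME,
    [string[]]$AppNames = @('TA-windnsanalytical', 'TA-WindowsDNSAnalytical')
)

# 1. Resolve SPLUNK_HOME. The variable is normally unset for the UF service, so fall back
#    to the service's binary path: <install root>\bin\splunkd.exe -> <install root>.
if (-not $SplunkHome) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='SplunkForwarder'"
    if (-not $svc) { throw 'SplunkForwarder service not found and SPLUNK_HOME not set.' }
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
    $SplunkHome = Split-Path -Parent (Split-Path -Parent $exe)
}
"SPLUNK_HOME resolved to: $SplunkHome"

# 2. Find the app folder under etc\apps, trying each candidate name in turn.
$appDir = $AppNames | ForEach-Object { Join-Path $SplunkHome "etc\apps\$_" } |
          Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $appDir) { throw "No app folder under $SplunkHome\etc\apps named: $($AppNames -join ', ')" }
$ps1  = Join-Path $appDir 'bin\get_dns_analytics.ps1'
$path = Join-Path $appDir 'bin\get_dns_analytics.path'
foreach ($f in $ps1, $path) {
    if (-not (Test-Path $f)) { throw "Missing file: $f" }
}

# 3. Does the .path file still carry a literal $SPLUNK_HOME or the wrong app folder?
$cmdLine = (Get-Content $path -Raw).Trim()
if ($cmdLine -match '\$SPLUNK_HOME') {
    Write-Warning ".path file contains a literal `$SPLUNK_HOME that the forwarder will not expand:`n$cmdLine"
}
if ($cmdLine -notmatch [regex]::Escape($appDir)) {
    Write-Warning ".path file does not reference the app folder that exists on disk: $appDir"
}

# 4. Is the scripted input enabled? default/inputs.conf ships it disabled; local/ must override.
#    The regex looks for the first 'disabled =' after the stanza header shown in the thread.
$localInputs = Join-Path $appDir 'local\inputs.conf'
$enabled = (Test-Path $localInputs) -and
           ((Get-Content $localInputs -Raw) -match '(?s)\[script://\.\\bin\\get_dns_analytics\.path\].*?disabled\s*=\s*(0|false)')
"Scripted input enabled in local/inputs.conf: $enabled"

# 5. Is the DNS Analytical channel itself enabled? If not, the script has nothing to collect.
$log = Get-WinEvent -ListLog 'Microsoft-Windows-DNSServer/Analytical' -Force -ErrorAction SilentlyContinue
if ($log) { "DNS Analytical log enabled: $($log.IsEnabled) ($($log.LogFilePath))" }
else      { Write-Warning 'Microsoft-Windows-DNSServer/Analytical log not present; is the DNS Server role installed?' }

# 6. Run the .ps1 the same way the .path file does (full path to powershell.exe, -command "& '...'")
#    so any error text matches what ExecProcessor writes to splunkd.log.
& "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& '$ps1'" 2>&1 |
    Select-Object -First 5

# 7. Show recent ExecProcessor errors for this script from the forwarder's own splunkd.log.
$splunkdLog = Join-Path $SplunkHome 'var\log\splunk\splunkd.log'
if (Test-Path $splunkdLog) {
    Get-Content $splunkdLog -Tail 2000 |
        Where-Object { $_ -match 'ERROR ExecProcessor' -and $_ -match 'get_dns_analytics' } |
        Select-Object -Last 10
}
```

Run it in an elevated PowerShell on the forwarder host (the DNS Analytical log and the service query need local admin). Step 6 deliberately invokes powershell.exe by its full path, as the shipped .path file does, rather than relying on PATH lookup, so what you see is what splunkd's ExecProcessor sees; a CommandNotFoundException here with the script path in the message is the same failure as the log lines quoted in the thread, and step 3 will usually have already named the cause.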