
How to correctly deploy DNS analytical and diagnostic logs to capture all FQDN queries on Windows Server 2012


Long story short, I'm trying to log DNS queries (query name/FQDN and requesting host's IP) into Splunk so I can see which hosts try to resolve which FQDNs, and am trying to accomplish this via native DNS logging on Windows Server 2012 (not debug logging, because it could break the DNS servers due to high traffic volume). Below is more detail/context:

I've deployed the full App for Windows Infrastructure across Splunk Enterprise as directed. There is a Domain Controller (serving DNS) running on Windows Server 2012 with the Audit and Analytic event logging enabled, and I've deployed the TA_windows and TA_microsoft_dns add-ons to that server. I'm seeing DNS events coming through on the search heads, but can't find any events with actual DNS lookups (e.g., FQDN query and requesting IP), which is all I really care about for now. So, is the TA_microsoft_dns even able to grab this level of detail? Is the native Windows Server 2012 DNS logging able to do this? Per TechNet (link below) on 2012 DNS logging, I think event IDs 257-259 would contain this detail, so maybe the server's DNS logging hasn't been set up appropriately?

Has anyone done this successfully who could help guide me through this? For more context, I've tried using Splunk Stream, but apparently the DNS server volume is too high and the Universal Forwarder can't keep up with Stream's packet capture (~10k DNS queries per second), even with maxKBps set to '0' in the limits.conf file. Thanks in advance for any help anyone can offer.

TechNet Article on 2012 logging:
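As an added example (not from the original thread, from Splunk, or from the TA_microsoft_dns add-on): once the DNS Server analytic channel is feeding Splunk, the event that carries both the requesting client and the name is the QUERY_RECEIVED message, whose body is a run of semicolon-separated KEY=VALUE fields. The small parser below pulls Source (the client IP), QNAME and QTYPE out of such messages and builds the "which host asked for which FQDN" view the question is after. The field layout is what I know the analytic events to look like, and the sample lines are constructed, not real captures; treat both as assumptions to check against your own events.

```python
"""Summarise which clients asked for which names, from Windows DNS Server
analytic-log QUERY_RECEIVED messages.

Added example for this thread, not code from Splunk, TA_microsoft_dns or
the thread's author. Assumes the analytic message layout
'QUERY_RECEIVED: KEY=VALUE; KEY=VALUE; ...' with Source= (client IP),
QNAME= and QTYPE= fields; the sample events below are constructed.
"""

import re
from collections import Counter, defaultdict

# Constructed sample messages in the shape of DNS Server analytic events.
# Only the QUERY_RECEIVED ones carry the client IP in Source= together with
# the queried name; RESPONSE_* events describe the server's answer instead.
SAMPLE_EVENTS = [
    "QUERY_RECEIVED: TCP=0; InterfaceIP=10.0.0.2; Destination=10.0.0.2; "
    "Source=10.0.0.15; RD=1; QNAME=www.example.com.; QTYPE=1; XID=0x1a2b; "
    "Port=53412; Flags=0x0100; PacketData=0x1A2B01000001",
    "QUERY_RECEIVED: TCP=0; InterfaceIP=10.0.0.2; Destination=10.0.0.2; "
    "Source=10.0.0.15; RD=1; QNAME=mail.example.com.; QTYPE=15; XID=0x1a2c; "
    "Port=53413; Flags=0x0100; PacketData=0x1A2C01000001",
    "QUERY_RECEIVED: TCP=0; InterfaceIP=10.0.0.2; Destination=10.0.0.2; "
    "Source=10.0.0.77; RD=1; QNAME=www.example.com.; QTYPE=28; XID=0x9f00; "
    "Port=61000; Flags=0x0100; PacketData=0x9F0001000001",
    "RESPONSE_SUCCESS: TCP=0; InterfaceIP=10.0.0.2; Destination=10.0.0.15; "
    "Source=10.0.0.2; QNAME=www.example.com.; QTYPE=1; XID=0x1a2b",
    "not a dns analytic event at all",
]

# One KEY=VALUE pair; values run up to the next semicolon.
FIELD_RE = re.compile(r"(\w+)=([^;]*)")


def parse_query_received(message):
    """Return {'source', 'qname', 'qtype'} for a QUERY_RECEIVED message,
    or None for any other message (responses, malformed text)."""
    head, sep, body = message.partition(":")
    if not sep or head.strip() != "QUERY_RECEIVED":
        return None
    fields = {k: v.strip() for k, v in FIELD_RE.findall(body)}
    if "Source" not in fields or "QNAME" not in fields:
        return None
    try:
        qtype = int(fields.get("QTYPE", "0"))
    except ValueError:
        qtype = 0
    return {
        "source": fields["Source"],
        # Normalise the name: drop the trailing root dot, lower-case it.
        "qname": fields["QNAME"].rstrip(".").lower(),
        "qtype": qtype,
    }


def queries_by_client(messages):
    """Map each requesting IP to the sorted list of distinct names it asked for."""
    seen = defaultdict(set)
    for message in messages:
        record = parse_query_received(message)
        if record:
            seen[record["source"]].add(record["qname"])
    return {ip: sorted(names) for ip, names in seen.items()}


def name_counts(messages):
    """Count how many QUERY_RECEIVED events each name appears in."""
    counts = Counter()
    for message in messages:
        record = parse_query_received(message)
        if record:
            counts[record["qname"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, names in sorted(queries_by_client(SAMPLE_EVENTS).items()):
        print(f"{ip}: {', '.join(names)}")
    for name, count in sorted(name_counts(SAMPLE_EVENTS).items()):
        print(f"{name}: {count} queries")
```

Splunk's own field extraction would do the same KEY=VALUE split at search time; the point of the standalone version is to confirm, against real events exported from the server, that the messages you are receiving actually contain Source and QNAME before you build dashboards on them.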


Almost nobody gets DNS events from a Windows server from the logs, the smart way is to pull them off the wire with stream. Trust me: you will regret trying to do any correlations with the app logs but it will all be a BREEZE with stream:



Thanks for the input; we've actually tried Stream, but our DNS servers (sitting on Windows machines) get too much traffic: the Universal Forwarder creates a bottleneck for the Stream forwarder agent and it drops packets (even with maxKBps=0). The standalone Stream agent would likely work, but they currently only support this on Linux.




Were you able to send these ETL logs using the Universal Forwarder and add-on?
