
How to edit inputs.conf to forward Windows Server 2012 DNS analytical logs to Splunk?

war_llama
Explorer

We are trying to Splunk our DNS logging for Windows Server 2012 R2, but cannot get the analytical log forwarded. We followed the directions on the Microsoft TechNet website to download the hotfix and enable analytical logging. We can see the events in our event log. We downloaded the Splunk App for Windows Infrastructure and the Splunk Add-on for Microsoft Windows DNS. We are able to see Perfmon:DNS events, just not the analytical logs. Our inputs stanza for debug logging is as below:

# DNS Debug Logging
#
[MonitorNoHandle://c:\Windows\System32\Winevt\Logs\Microsoft-Windows-DNSServer%4Analytical.etl]
sourcetype=MSAD:NT6:DNS
disabled=false
index=msad 

Any help would be appreciated! Thank you!

1 Solution

war_llama
Explorer

Yes, we have got it working - in the lab.

In Windows Server 2012, the analytical log was changed from a text-based .evtx file to a binary .etl file. This binary file cannot be read by the Splunk Universal Forwarder. Unfortunately, the documentation on the Splunk website does NOT let you know that their official instructions only work for Windows Server 2008 and before.

We got it working (at least in the lab) by using the community add-on at this link --> https://splunkbase.splunk.com/app/2937/

It uses a PowerShell script to read the .etl file every minute. Unfortunately, it does not work out-of-the-box. You have to fix the paths! I don't remember what exactly the paths were, but I found the second reply to this post --> https://answers.splunk.com/answers/339934/can-the-windows-dns-analytical-and-diagnostic-logs.html

I have copy pasted the post below:

 I had to make a couple of changes to the .\TS-windnsanalytical\bin\get_dns_analytics.path file to get everything to work:
 $SPLUNK_HOME is not set on the deployment client, so need to explicitly add the full path to SplunkUniversalForwarder.
 Also, the Download tarball expands to TA-windnsanalytical not TA-WindowsDNSAnalytical
 Original get_dns_analytics.path file:
 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& '$SPLUNK_HOME\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1'"
 Working get_dns_analytics.path file:
 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-windnsanalytical\bin\get_dns_analytics.ps1'" and it looks about right.

Hope this helps!

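The accepted solution relies on a scheduled PowerShell script that reads the .etl file. As an added example (this is not the TA-windnsanalytical script, and not the original poster's code), the following does the same job with a checkpoint so that each run emits only events newer than the last one, and shows the Get-WinEvent constraint that matters for .etl files: -Oldest is mandatory. The checkpoint file location and the key=value output layout are assumptions made for this example.

```powershell
# Added example, not the TA's get_dns_analytics.ps1: read the DNS Server Analytical
# ETL file and emit each event as one key=value line for a Splunk scripted input.
# Assumed by this example (not from the thread): the checkpoint file location and
# the output field layout.
param(
    [string]$EtlPath = 'C:\Windows\System32\winevt\Logs\Microsoft-Windows-DNSServer%4Analytical.etl',
    [string]$CheckpointPath = (Join-Path $env:ProgramData 'dns_analytical_checkpoint.txt')
)

$inv = [cultureinfo]::InvariantCulture

# High-water mark from the previous run, so a 60-second schedule emits only new events.
$since = [datetime]::MinValue
if (Test-Path -LiteralPath $CheckpointPath) {
    $since = [datetime]::ParseExact((Get-Content -LiteralPath $CheckpointPath -Raw).Trim(), 'o',
        $inv, [System.Globalization.DateTimeStyles]::RoundtripKind)
}

try {
    # Get-WinEvent refuses .etl files without -Oldest; events come back oldest-first.
    # Only events ETW has already flushed to disk are visible, so a query issued a
    # moment ago may not appear until a later run.
    $events = Get-WinEvent -Path $EtlPath -Oldest -ErrorAction Stop |
        Where-Object { $_.TimeCreated -gt $since }
} catch {
    # stderr from a scripted input is written to splunkd.log on the forwarder,
    # which is the first place to look when nothing is indexed.
    Write-Error "Cannot read ${EtlPath}: $($_.Exception.Message)"
    exit 1
}

$latest = $since
foreach ($e in $events) {
    # Flatten the EventData payload (QNAME, QTYPE, Source, Port, ...) into name="value" pairs.
    $xml = [xml]$e.ToXml()
    $pairs = foreach ($d in $xml.Event.EventData.Data) {
        '{0}="{1}"' -f $d.Name, ($d.'#text' -replace '"', '\"')
    }
    $stamp = $e.TimeCreated.ToString('yyyy-MM-ddTHH:mm:ss.fffzzz', $inv)
    Write-Output (('{0} EventID={1} Task="{2}" ' -f $stamp, $e.Id, $e.TaskDisplayName) + ($pairs -join ' '))
    if ($e.TimeCreated -gt $latest) { $latest = $e.TimeCreated }
}

# Persist the high-water mark for the next scheduled run.
if ($latest -gt $since) { $latest.ToString('o') | Set-Content -LiteralPath $CheckpointPath }
```

Run it by hand first, as the troubleshooting reply in this thread suggests, under the same account the forwarder service runs as: `powershell.exe -ExecutionPolicy Bypass -File .\get_dns_analytics.ps1`. No output and no error usually means nothing newer than the checkpoint has been flushed to the .etl yet; deleting the checkpoint file replays the whole log on the next run.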

tonyxavierj
Engager

I am not able to get this working. Can someone help with a step-by-step walkthrough?


war_llama
Explorer

I'm no Splunk admin, but my guess would be you need to configure line breaking for that sourcetype in your props.conf?

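For the wiring the replies describe, here is an added example (not the add-on's shipped configuration and not the original poster's stanza) of an inputs.conf scripted-input stanza on the universal forwarder and a matching props.conf stanza. The app directory, interval, sourcetype name and the assumption that the script emits one event per line beginning with an ISO-8601 timestamp are all choices made for this example; MonitorNoHandle on the binary .etl, as in the question, gives Splunk nothing it can break into events.

```ini
# inputs.conf on the universal forwarder (app directory name is an assumption).
# A binary .etl cannot be tailed with [MonitorNoHandle://...]; run a script on a
# schedule instead. splunkd expands $SPLUNK_HOME here even when the variable is
# not set in the service's environment; the .path file it points at is what the
# thread had to hard-code.
[script://$SPLUNK_HOME\etc\apps\TA-windnsanalytical\bin\get_dns_analytics.path]
interval = 60
sourcetype = windows:dns:analytical
index = msad
disabled = 0

# props.conf on the indexer for the sourcetype above. Assumes one event per line
# that starts with a timestamp such as 2015-10-12T14:03:22.123-04:00 followed by
# key=value pairs. KV_MODE is a search-time setting, so this stanza must also be
# present on the search head (the same box when a single server does both).
[windows:dns:analytical]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%:z
MAX_TIMESTAMP_LOOKAHEAD = 40
KV_MODE = auto
```

The sourcetype is deliberately different from MSAD:NT6:DNS so the add-on's own props for the text debug log are not applied to the key=value output.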

fmfx1001
Explorer

Thanks. I spoke to the developer of the "Windows DNS Analytical and Diagnostic Logs" app and they abandoned this project "due to constantly running into issues with trying to capture DNS logs via the recommended Microsoft methods." He suggested that I try Splunk Stream to capture DNS traffic and ingest it into Splunk.

I only have Splunk Light in my lab so I guess I will try and figure out another way of ingesting logs into a SIEM for analysis.


fmfx1001
Explorer

Thanks for your reply. I appreciate it.

I did tinker with the "Windows DNS Analytical and Diagnostic Logs" app earlier but couldn't get it working. I will try the edits you mentioned and let you know how it goes.

May I ask if you currently have a Windows Server sending logs to Splunk after testing it in the lab and, if so, which version of Windows and which app are you using?

I'm exploring options to send Win Server DNS logs to Splunk for analysis by a security team. Thanks again


war_llama
Explorer

To troubleshoot that app, try manually running the powershell script to make sure it is pointing to the log and reading it correctly. That's how we found some of the pathing problems. After making sure the powershell script is working properly, check your configs to make sure their paths are correct.

We haven't moved it out of the lab yet - although it's sending logs to our Splunk test environment. We are working on some filtering rules for the indexer. It's running Windows Server 2012 R2, and we have installed both the app that I linked as well as the official app and add-on.

I hope it works for you! We are exploring similar use cases, would love to hear how it works for you & your security team.


fmfx1001
Explorer

I tried doing what you suggested and the events are arriving in Splunk. The logs aren't being parsed though. Are you seeing the same issue?

Link to screen shot: https://www.dropbox.com/sh/4bzr3povr1vvdup/AADJ5reVFj-n1vQFQoXJWfOta?dl=0

Here is the contents of the file, C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-windnsanalytical\bin\get_dns_analytics.path

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-windnsanalytical\bin\get_dns_analytics.ps1'"

No errors seen in splunkd.log on the Windows Server.

I copied the app to the /opt/splunk/etc/apps/ folder on the Ubuntu server and restarted both the server and the client. Any ideas?


fmfx1001
Explorer

Did you figure out the answer to your question? I am experiencing the same issue.

I can see event logs from the Windows Server 2012 R2 host in Splunk.

I cannot see any DNS logs in Splunk after installing the app on both the Splunk server and the Win server. I enabled the DNS logging on the Win server using the steps here: https://technet.microsoft.com/en-us/library/dn800669.aspx#dbug

I can see the DNS events being logged in "C:\Windows\System32\winevt\Logs\Microsoft-Windows-DNSServer%4Analytical.etl" and I can see this log file growing in size (over 512 KB right now).

Here are the contents of the inputs.conf file on the Win server (C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_microsoft_dns\default\inputs.conf).

# DNS Debug Logging
#
# Originally configured line: [MonitorNoHandle://C:\Windows\System32\Dns\dns.log]
# Changing to the following to test if logs are forwarded to Splunk:
[MonitorNoHandle://c:\Windows\System32\Winevt\Logs\Microsoft-Windows-DNSServer%4Analytical.etl]
sourcetype=MSAD:NT6:DNS
disabled=false
index=msad

Thanks in advance for any help.
