We are trying to Splunk our DNS logging for Windows Server 2012 R2, but cannot get the analytical log forwarded. We followed the directions on the Microsoft technet website to download the hotfix and enable analytical logging. We can the events in our event log. We downloaded the Splunk App for Windows Infrastructure and the Splunk Add-on for Microsoft Windows DNS. We are able to see Perfmon:DNS events, just not the analytical logs. Our inputs stanza for debug logging is as below:
# DNS Debug Logging
#
[MonitorNoHandle://c:\Windows\System32\Winevt\Logs\Microsoft-Windows-DNSServer%4Analytical.etl]
sourcetype=MSAD:NT6:DNS
disabled=false
index=msad
Any help would be appreciated! Thank you!
Yes, we have got it working - in the lab.
In Windows Server 2012, the analytical log was changed from a text-based .evtx file to a binary .etl file. This binary file cannot be read by the Splunk Universal Forwarder. Unfortunately, the documentation on the Splunk website does NOT let you know that their official instructions only work for Windows Server 2008 and before.
We got it working (at least in the lab) by using the community add-on at this link --> https://splunkbase.splunk.com/app/2937/
It uses a powershell script to read the .etl file every minute. Unfortunately, it does not work out-of-the-box. You have to fix the paths! I don't remember what exactly the paths were, but I found the second reply to this post -->https://answers.splunk.com/answers/339934/can-the-windows-dns-analytical-and-diagnostic-logs.html
I have copy pasted the post below:
I had to make a couple of changes to the .\TS-windnsanalytical\bin\get_dns_analytics.path file to get everything to work:
$SPLUNK_HOME is not set on the deployment client, so need to explicitly add the full path to SplunkUniversalForwarder.
Also, the Download tarball expands to TA-windnsanalytical not TA-WindowsDNSAnalytical
Original get_dns_analytics.path file:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& '$SPLUNK_HOME\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1'"
Working get_dns_analytics.path file:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-windnsanalytical\bin\get_dns_analytics.ps1'" and it looks about right.
Hope this helps!
I am not able to get this working
Can someone help, a step by step walk through
Yes, we have got it working - in the lab.
In Windows Server 2012, the analytical log was changed from a text-based .evtx file to a binary .etl file. This binary file cannot be read by the Splunk Universal Forwarder. Unfortunately, the documentation on the Splunk website does NOT let you know that their official instructions only work for Windows Server 2008 and before.
We got it working (at least in the lab) by using the community add-on at this link --> https://splunkbase.splunk.com/app/2937/
It uses a powershell script to read the .etl file every minute. Unfortunately, it does not work out-of-the-box. You have to fix the paths! I don't remember what exactly the paths were, but I found the second reply to this post -->https://answers.splunk.com/answers/339934/can-the-windows-dns-analytical-and-diagnostic-logs.html
I have copy pasted the post below:
I had to make a couple of changes to the .\TS-windnsanalytical\bin\get_dns_analytics.path file to get everything to work:
$SPLUNK_HOME is not set on the deployment client, so need to explicitly add the full path to SplunkUniversalForwarder.
Also, the Download tarball expands to TA-windnsanalytical not TA-WindowsDNSAnalytical
Original get_dns_analytics.path file:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& '$SPLUNK_HOME\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1'"
Working get_dns_analytics.path file:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-windnsanalytical\bin\get_dns_analytics.ps1'" and it looks about right.
Hope this helps!
I'm no Splunk admin, but my guess would be you need to configure line breaking for that sourcetype in your Props.conf?
Thanks. I spoke to the developer of the "Windows DNS Analytical and Diagnostic Logs" app and they abandoned this project "due to constantly running into issues with trying to capture DNS logs via the recommended Microsoft methods." He suggested that I try Splunk Stream to capture DNS traffic and ingest it into Splunk.
I only have Splunk Light in my lab so I guess I will try and figure out another way of ingesting logs into a SIEM for analysis.
Thanks for your reply. I appreciate it.
I did tinker with the "Windows DNS Analytical and Diagnostic Logs" app earlier but couldn't get it working. I will try the edits you mentioned and let you know how it goes.
May I ask if you currently have a Windows Server sending logs to Splunk after testing it in the lab and, if so, which version of Windows and which app are you using?
I'm exploring options to send Win Server DNS logs to Splunk for analysis by a security team. Thanks again
To troubleshoot that app, try manually running the powershell script to make sure it is pointing to the log and reading it correctly. That's how we found some of the pathing problems. After making sure the powershell script is working properly, check your configs to make sure their paths are correct.
We haven't moved it out of the lab yet - although it's sending logs to our Splunk test environment. We are working on some filtering rules for the indexer. It's running Windows Server 2012 R2, and we have installed both the app that I linked as well as the official app and add-on.
I hope it works for you! We are exploring similar use cases, would love to hear how it works for you & your security team.
I tried doing what you suggested and the events are arriving in Splunk. The logs aren't being parsed though. Are you seeing the same issue?
Link to screen shot: https://www.dropbox.com/sh/4bzr3povr1vvdup/AADJ5reVFj-n1vQFQoXJWfOta?dl=0
Here is the contents of the file, C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-windnsanalytical\bin\get_dns_analytics.path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-windnsanalytical\bin\get_dns_analytics.ps1'"
No errors seen in splunkd.log on the Windows Server.
I copied the app to the /opt/splunk/etc/apps/ folder on the Ubuntu server and restarted both the server and the client. Any ideas?
Did you figure out the answer to your question? I am experiencing the same issue.
I can see event logs from the Windows Server 2012 R2 host in Splunk.
I cannot see any DNS logs in Splunk after installing the app on both the Splunk server and the Win server. I enabled the DNS logging on the Win server using the steps here: https://technet.microsoft.com/en-us/library/dn800669.aspx#dbug
I can see the DNS events being logged in "C:\Windows\System32\winevt\Logs\Microsoft-Windows-DNSServer%4Analytical.etl" and I can see this log file growing in size (over 512 KB right now).
Here is the output of the inputs.conf file, on the Win server (C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_microsoft_dns\default\inputs.conf).
# DNS Debug Logging
#
# Originally configured line: [MonitorNoHandle://C:\Windows\System32\Dns\dns.log]
# Changing to the following to test if logs are forwarded to Splunk:
[MonitorNoHandle://c:\Windows\System32\Winevt\Logs\Microsoft-Windows-DNSServer%4Analytical.etl]
sourcetype=MSAD:NT6:DNS
disabled=false
index=msad
Thanks in advance for any help.