We are running Splunk Universal Forwarder 6.0.1 on Windows Server 2008 R2. We are currently only trying to capture the Microsoft DNS Debug logs.
We have already reviewed several posts and links, including these:
answers.splunk.com/answers/35259/best-method-for-pulling-microsoft-dns-logs-with-splunk?page=1&focusedAnswerId=37702#37702
stratumsecurity.com/2012/07/03/splunk-security/
godlessheathenmemoirs.blogspot.com/2011/08/gathering-detailed-dns-debug-logs-from.html
godlessheathenmemoirs.blogspot.com/2013/07/dns-log-timestamps-and-splunk-revisited_16.html
When we configure inputs.conf with monitor, we receive events, BUT when the DNS Debug Log rolls, it does NOT get recreated unless we restart the DNS Server service.
[monitorNoHandle://D:\DNS\DnsDebugLog.txt]
sourcetype = DnsDebugLog
crcSalt = <SOURCE>
disabled = 0
index = ourwindns
With the above inputs.conf, we have confirmed the DNS Debug Log is successfully recreated when the log rolls, but we do NOT see any events in Splunk.
When we were experimenting, we did see it briefly work, but with source = MonitorNoHandle (with monitor, source = D:\DNS\DnsDebugLog.txt). This could be expected behavior, but there is not much information that I could find for monitorNoHandle.
As mentioned in this post: answers.splunk.com/answers/104407/windows-7-32-bit-install-of-splunk-6, we attempted the sc query command and it was in a stopped state.
Any suggestions? Any and all help appreciated.
Thanks in advance!
I have the same problem with MonitorNoHandle for dns.log.
Did you solve it?
I'm having exactly the same issue.
I previously had MonitorNoHandle working, with the DNS log in the default path: C:\Windows\System32\dns\dns.log
However after updating the windows server (the dns server) I stopped receiving anything from this file on Splunk.
Is there any reason for this?
Has anyone solved this situation?
The "monitor" option works but "monitornohandle" doesn't work in my environment either.
I think it has something to do with the file location. Monitoring the dns.log file worked fine for us until we moved it to a different drive and directory. The default C:\Windows\System32\dns worked fine with just regular file monitoring. I'm going to try MonitorNoHandle and see if that works better in the new location.
What was the verdict on this? Did it work in your environment?
Your configuration should work as-is, but you should not use crcSalt = <SOURCE>, or you will get every log more than once (every time it rotates and gets a new name, all the contents will be indexed again). Maybe you are confused by the fact that when using monitorNoHandle on a file that already exists (as yours does), Splunk does not index its current contents, but only new information that comes into the file as it gets written to.
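The stanza pair below is added here as an illustration and is not part of the answer above or of any Splunk documentation: the questioner's monitorNoHandle stanza with crcSalt (which re-indexes the whole file every time it rotates) beside the same stanza with crcSalt removed, followed by a props.conf for the DnsDebugLog sourcetype. The props.conf settings are an assumption: they take the default Microsoft DNS debug log line prefix to be a locale-formatted date and time such as "4/21/2014 10:23:45 AM"; adjust TIME_FORMAT if the DNS server's locale writes dates differently.

```ini
# inputs.conf on the universal forwarder
#
# Original stanza from the question. crcSalt = <SOURCE> folds the source path into
# the file's checksum, so after the log rolls and is recreated the entire file is
# treated as new and indexed again.
#
# [monitorNoHandle://D:\DNS\DnsDebugLog.txt]
# sourcetype = DnsDebugLog
# crcSalt = <SOURCE>
# disabled = 0
# index = ourwindns

# Corrected stanza: same input, crcSalt removed.
# monitorNoHandle only ships data written after the input becomes active;
# the contents already in the file when the forwarder starts are not indexed.
[monitorNoHandle://D:\DNS\DnsDebugLog.txt]
sourcetype = DnsDebugLog
disabled = 0
index = ourwindns

# props.conf on the indexer (or heavy forwarder). Added here as an assumption,
# not from the thread: each DNS debug log line is assumed to start with a
# US-locale timestamp like "4/21/2014 10:23:45 AM 0B78 PACKET ...".
# Change TIME_FORMAT if your server's locale writes the date differently.
[DnsDebugLog]
SHOULD_LINEMERGE = false
TIME_PREFIX = ^
TIME_FORMAT = %m/%d/%Y %I:%M:%S %p
MAX_TIMESTAMP_LOOKAHEAD = 24
```

Because monitorNoHandle only forwards writes that occur after the input is active, verify the corrected stanza by generating a few DNS queries against the server after restarting the forwarder, rather than by looking for the file's existing contents in Splunk.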
One of our two servers also has this in the stanza.
_TCP_ROUTING = SplunkServer
It is not working either.
Did you ever solve this?