Microsoft DNS Debug and monitorNoHandle


We are running Splunk Universal Forwarder 6.0.1 on Windows Server 2008 R2. We are currently only trying to capture the Microsoft DNS Debug logs.

We have already reviewed several posts and links, including these:

When we configure inputs.conf, with monitor we receive events BUT when the DNS Debug Log rolls, it does NOT get recreated unless we restart the DNS Server service.

sourcetype = DnsDebugLog
crcSalt = <SOURCE>
disabled = 0
index = ourwindns

With the above inputs.conf, we have confirmed the DNS Debug Log is successfully recreated when the log rolls, but we do NOT see any events in Splunk.

When we were experimenting, we did see it briefly work, but source = MonitorNoHandle (with monitor, source = D:\DNS\DnsDebugLog.txt). This could be expected behavior but there is not much information that I could find for monitorNoHandle.

As mentioned in this post, we attempted the sc query command and it existed in a stopped state.

Any suggestions? Any and all help appreciated.

Thanks in advance!

Path Finder

I have the same problem with MonitorNoHandle for dns.log.

Did you solve it?

0 Karma


I'm having exactly the same issue.
I previously had MonitorNoHandle working, with the DNS log in the default path: C:\Windows\System32\dns\dns.log

However, after updating the Windows server (the DNS server) I stopped receiving anything from this file in Splunk.
Is there any reason for this?

Has anyone solved this situation?

0 Karma

New Member

The "monitor" option works but "monitornohandle" doesn't work in my environment either.

0 Karma

Path Finder

I think it has something to do with the file location - monitoring the dns.log file worked fine for us until we moved it to a different drive & directory. The default c:\windows\system32\dns worked fine with just regular file monitoring. I'm going to try the MonitorNoHandle and see if that works better in the new location.

0 Karma

Path Finder

What was the verdict on this? Did it work in your environment?

0 Karma

Esteemed Legend

Your configuration should work as-is, but you should not use crcSalt= or you will get every log more than once (every time it rotates and gets a new name, all the contents will be indexed again). Maybe you are confused by the fact that when using monitorNoHandle on a file that already exists (as yours does), Splunk does not index its current contents, but only new information that comes into the file as it gets written to.

0 Karma
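The duplicate-indexing effect described in the answer above, as an added example that is not part of the original thread and is not Splunk's code. It is a simplified model of a head-of-file CRC check in which `crcSalt = <SOURCE>` mixes the file path into the fingerprint; the 256-byte length is Splunk's documented `initCrcLength` default, while the rotated file name `DnsDebugLog.old.txt` and the log lines are constructed for illustration.

```python
import zlib

INIT_CRC_LENGTH = 256  # documented default for initCrcLength, in bytes


def fingerprint(path, data, crc_salt=None):
    """CRC of the file head; with crcSalt = <SOURCE> the full path is mixed in."""
    head = data[:INIT_CRC_LENGTH]
    if crc_salt == "<SOURCE>":
        head = path.encode() + head
    elif crc_salt:
        head = crc_salt.encode() + head
    return zlib.crc32(head)


class Tracker:
    """Toy stand-in for the forwarder's record of files it has already read."""

    def __init__(self, crc_salt=None):
        self.crc_salt = crc_salt
        self.offsets = {}  # fingerprint -> number of bytes already forwarded
        self.indexed = []  # every line forwarded so far

    def scan(self, files):
        for path, data in files.items():
            fp = fingerprint(path, data, self.crc_salt)
            start = self.offsets.get(fp, 0)  # unknown fingerprint: read from 0
            self.indexed += data[start:].decode().splitlines()
            self.offsets[fp] = len(data)


def run(crc_salt):
    # Constructed sample lines, not real DNS debug output.
    old = b"".join(
        b"10:00:%02d PACKET UDP Rcv 192.0.2.10 Q A host%d.example.\n" % (i, i)
        for i in range(8)
    )
    new = b"10:05:00 PACKET UDP Rcv 192.0.2.11 Q A fresh.example.\n"
    live = r"D:\DNS\DnsDebugLog.txt"
    rotated = r"D:\DNS\DnsDebugLog.old.txt"  # hypothetical name after rotation

    tracker = Tracker(crc_salt)
    tracker.scan({live: old})                 # before rotation
    tracker.scan({rotated: old, live: new})   # after rotation
    return tracker.indexed


if __name__ == "__main__":
    print("no crcSalt:        ", len(run(None)), "events")
    print("crcSalt = <SOURCE>:", len(run("<SOURCE>")), "events")
```

Without the salt the renamed file keeps its fingerprint and is skipped; with the salt the new path produces a new fingerprint and the eight old lines are forwarded a second time.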


1 of our 2 servers also has this in the stanza.

_TCP_ROUTING = SplunkServer

It is not working either.

0 Karma

Path Finder

Did you ever solve this?

0 Karma