Microsoft DNS Debug and monitorNoHandle


We are running Splunk Universal Forwarder 6.0.1 on Windows Server 2008 R2. We are currently only trying to capture the Microsoft DNS Debug logs.

We have already reviewed several posts and links, including these:

When we configure inputs.conf, with monitor we receive events BUT when the DNS Debug Log rolls, it does NOT get recreated unless we restart the DNS Server service.

sourcetype = DnsDebugLog
crcSalt = <SOURCE>
disabled = 0
index = ourwindns

With the above inputs.conf, we have confirmed the DNS Debug Log is successfully recreated when the log rolls, but we do NOT see any events in Splunk.

When we were experimenting, we did see it briefly work, but source = MonitorNoHandle (with monitor, source = D:\DNS\DnsDebugLog.txt). This could be expected behavior but there is not much information that I could find for monitorNoHandle.

As mentioned in this post, we attempted the sc query command and it existed in a stopped state.

Any suggestions? Any and all help appreciated.

Thanks in advance!

Path Finder

I have the same problem with MonitorNoHandle for dns.log.

Did you solve it?

0 Karma


I'm having exactly the same issue.
I previously had MonitorNoHandle working, with the DNS log in the default path: C:\Windows\System32\dns\dns.log

However, after updating the Windows server (the DNS server) I stopped receiving anything from this file on Splunk.
Is there any reason for this?

Has anyone solved this situation?

0 Karma

New Member

The "monitor" option works but "monitornohandle" doesn't work in my environment either.

0 Karma

Path Finder

I think it has something to do with the file location - monitoring the dns.log file worked fine for us until we moved it to a different drive & directory. The default c:\windows\system32\dns worked fine with just regular file monitoring. I'm going to try the MonitorNoHandle and see if that works better in the new location.

0 Karma

Path Finder

What was the verdict on this? Did it work in your environment?

0 Karma

Esteemed Legend

Your configuration should work as-is but you should not use crcSalt= or you will get every log more than once (every time it rotates and gets a new name, all the contents will be indexed again). Maybe you are confused by the fact that when using monitorNoHandle on a file that already exists (as yours does), Splunk does not index its current contents, but only new information that comes into the file as it gets written to.

0 Karma
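
The stanza the answer above describes, written out as an added example that is not part of the original posts. The `[MonitorNoHandle://...]` header is an assumption built from the path quoted in the question; sourcetype and index are the question's own values.

```ini
# inputs.conf on the Universal Forwarder (added example, not the poster's file).
# Assumption: the stanza header, which does not appear in the question as posted.

# Settings as posted in the question. Per the answer above, crcSalt causes the
# log to be indexed again each time it rotates and gets a new name.
# [MonitorNoHandle://D:\DNS\DnsDebugLog.txt]
# sourcetype = DnsDebugLog
# crcSalt = <SOURCE>
# disabled = 0
# index = ourwindns

# Same input without crcSalt, as the answer recommends.
# MonitorNoHandle is Windows-only and takes one fully qualified file path
# (no wildcards, no directories).
[MonitorNoHandle://D:\DNS\DnsDebugLog.txt]
sourcetype = DnsDebugLog
disabled = 0
index = ourwindns

# Expected behaviour to check for after a forwarder restart:
#  - nothing already in DnsDebugLog.txt is indexed; only lines written after
#    the input starts will appear (the point made in the answer above)
#  - events arrive with source = MonitorNoHandle rather than the file path,
#    as observed in the question, so search by sourcetype and index instead
```

To validate, generate a fresh DNS query after the forwarder starts and search `index=ourwindns sourcetype=DnsDebugLog` over the last few minutes, since older file contents are not expected to show up.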


1 of our 2 servers also has this in the stanza.

_TCP_ROUTING = SplunkServer

It is not working either.

0 Karma

Path Finder

Did you ever solve this?

0 Karma