Problem monitoring DNS log file

kmcconnell
Path Finder

I’m having an issue monitoring the DNS debug log file from our DNS servers. I know that everything is set up correctly because it will pull some events, but then will have a few hours or days in between where it doesn’t pull anything. I’ve found a few posts where people seem to have similar issues, but not quite the same. From what I’ve read, it appears that the DNS server holds onto the file until the buffer fills (8K) and then writes to the disk. I’m wondering if that is the issue, but there is very little information around this topic that I’ve found.

Has anyone run into this issue before with their DNS log files (or the same issue with a different source type)?


Update:
It's still not fixed, but I found the following on the Splunk site that I thought I'd try.

Why use monitorNoHandle?

This Windows-only input allows you to read files on Windows systems as Windows writes to them. It does this by using a kernel-mode filter driver to capture raw data as it gets written to the file. Use this input stanza on files which get locked open for writing. You can use this input stanza on a file which the system locks open for writing, such as the Windows DNS server log file.

Link to Splunk documentation

My inputs.conf stanza is below:

[monitorNoHandle://D:\DNSLogs\DNS.log]
sourcetype=MSAD:NT6:DNS
disabled=false
index=msad


Update2:
The "monitorNoHandle" file monitor didn't work for me. I'm thinking that this may be a 6.0 new feature, but it's not explained very well. I've entered a support ticket for the issue. Is no one able to pull in Windows DNS logs (reliably)?

ajacobi
Path Finder

monitorNoHandle didn't work at all for me so I tried MonitorNoHandle. I then got the following errors:

GetServiceHandle - OpenService failure for 'SplunkMonitorNoHandle'! Error = 1060
GetServiceHandle - OpenService failure for 'SplunkMonitorNoHandle'! Error = 1060
runWinMonitorNoHandleMon: Could not connect to filter driver 0x80070002
runWinMonitorNoHandleMon: Could not connect to filter driver 0x80070002
runWinMonitorNoHandleMon: Could not connect to filter driver 0x80070002
DisplayError: The system cannot find the file specified.\r\n
DisplayError: The system cannot find the file specified.\r\n
GetServiceHandle - OpenService failure for 'SplunkMonitorNoHandle'! Error = 1060
GetServiceHandle - OpenService failure for 'SplunkMonitorNoHandle'! Error = 1060
GetServiceHandle - OpenService failure for 'SplunkMonitorNoHandle'! Error = 1060
StopDriver: Failed to get service handle 0x424
StopDriver: Failed to get service handle 0x424

There is a file called SplunkMonitorNoHandledrv.inf in the bin directory. After I installed the file the errors were resolved and I was able to successfully monitor the DNS debug file.
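An added diagnostic that is not part of this thread and not Splunk's own code: the `OpenService failure ... Error = 1060` lines above are Win32 error 1060 (ERROR_SERVICE_DOES_NOT_EXIST), i.e. the kernel-mode filter driver service that MonitorNoHandle depends on was never registered. This PowerShell check, run on the DNS server where the forwarder is installed, reports whether the `SplunkMonitorNoHandle` driver service exists and, if not, points at the .inf in the bin directory that the post above installed. The default forwarder path and the assumption that the loaded minifilter name contains "Splunk" are mine, not the page's.

```powershell
# Added diagnostic, not Splunk's own code. Checks whether the filter driver
# service behind MonitorNoHandle is registered, which is what the
# "OpenService failure ... Error = 1060" lines in the thread complain about.
# Assumptions: $SplunkHome defaults to the standard forwarder path, and the
# .inf sits in its bin directory as described in the post above.

param(
    [string]$SplunkHome = "C:\Program Files\SplunkUniversalForwarder"
)

$serviceName = 'SplunkMonitorNoHandle'
$infPath     = Join-Path $SplunkHome 'bin\SplunkMonitorNoHandledrv.inf'

# sc.exe (unlike Get-Service) also reports kernel driver services.
# Exit code 1060 = ERROR_SERVICE_DOES_NOT_EXIST, the same code splunkd logged.
$scOutput = & sc.exe query $serviceName 2>&1
$scExit   = $LASTEXITCODE

if ($scExit -eq 1060) {
    Write-Warning "Driver service '$serviceName' is not registered (sc.exe exit 1060)."
    if (Test-Path $infPath) {
        Write-Host "Install the filter driver from the forwarder's bin directory (right-click > Install, elevated):"
        Write-Host "  $infPath"
    } else {
        Write-Warning "Expected .inf not found at $infPath; check the Splunk install directory."
    }
}
elseif ($scExit -eq 0) {
    # Report the STATE line (RUNNING / STOPPED) from the sc.exe output.
    $stateLine = $scOutput | Select-String 'STATE' | Select-Object -First 1
    Write-Host "Driver service '$serviceName' is registered: $($stateLine.ToString().Trim())"

    # Secondary check: is the minifilter actually loaded? fltmc needs elevation,
    # and the filter name containing 'Splunk' is an assumption.
    $loaded = & fltmc.exe filters 2>$null | Select-String -Pattern 'Splunk'
    if ($loaded) {
        Write-Host "Minifilter loaded: $($loaded.ToString().Trim())"
    } else {
        Write-Warning "No Splunk minifilter reported by fltmc (run elevated to confirm)."
    }
}
else {
    Write-Warning "sc.exe query returned exit code ${scExit}:`n$($scOutput -join "`n")"
}
```

Note that the stanza name is case-sensitive, as the post above found: `[MonitorNoHandle://...]` is the form that loads the driver path, and `[monitorNoHandle://...]` silently falls back to nothing useful. Once the service is registered, a remaining gap in events is then more likely the 8K write buffering the original poster described than a forwarder problem.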

splunkranger
Path Finder

Are you monitoring over a remote network share or locally?


tlay
Explorer

I know this is an old post...but just trying to get into the MonitorNoHandle running for DNS Debugging and I saw a mention that the driver needs to be installed (even with the latest version) _if_ you installed the Universal Forwarder from a zip file. I suspect that may be related to some of the other issues that are in Answers that have been sitting out there.

https://docs.splunk.com/Documentation/Forwarder/8.1.1/Forwarder/InstallaWindowsuniversalforwarderfro...

-Tony
