All Apps and Add-ons

Why are the EventType Reference Missing for wineventlog-dns in Splunk App for Windows Infrastructure version 1.4.2 and 1.4.3?

Path Finder

Error Running in Search and Reporting App:

[] Eventtype 'wineventlog-dns' does not exist or is disabled.
[] Eventtype 'wineventlog-dns' does not exist or is disabled.

Extra info: I'm in a distributed Splunk environment. However, I'm not using indexer clustering.

Grepped eventtypes:

[splunk@splunk-dev-1 etc]# vi apps/splunk_app_windows_infrastructure/default/eventtypes.conf 

search = ((eventtype=wineventlog_application OR eventtype=wineventlog_system OR eventtype=wineventlog_security) (Type=Warning OR Type=Error) DNS) OR (*eventtype=wineventlog-dns* (Type=Warning OR Type=Error))

Full EventTypes File:

--- AD and DNS eventtypes

search = eventtype=wineventlog_security EventCode=4740

search = eventtype=wineventlog_security EventCode=4767

search = eventtype=wineventlog_security EventCode=4662

search = (eventtype=msad-group-changes OR eventtype=msad-groupmembership-changes OR eventtype=msad-computer-changes OR eventtype=msad-user-changes OR eventtype=msad-account-lockout OR eventtype=msad-account-unlock) user!="*$" src_user!="*$"

search = eventtype=msad-security-anomalous-events OR eventtype=msad-dirsvcs-anomalous-events

search = eventtype=wineventlog_security (EventCode=4741 OR EventCode=4742 OR EventCode=4743)

search = eventtype=wineventlog-ds (Type=Error OR Type=Warning OR EventCode=1458)

search = eventtype=wineventlog_security EventCode=4625 (Status=0xC000006E OR Status=0xC0000072 OR Status=0xC0000193)

search = ((eventtype=wineventlog_application OR eventtype=wineventlog_system OR eventtype=wineventlog_security) (Type=Warning OR Type=Error) DNS) OR (eventtype=wineventlog-dns (Type=Warning OR Type=Error))

search = eventtype=wineventlog_security EventCode=4625 user="*$"

search = eventtype=wineventlog_security (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771 OR EventCode=4776) Keywords="Audit Failure")) user!="*$"

search = eventtype=wineventlog_security (EventCode=4727 OR EventCode=4730 OR EventCode=4731 OR EventCode=4734 OR EventCode=4735 OR EventCode=4737 OR EventCode=4744 OR EventCode=4745 OR EventCode=4748 OR EventCode=4749 OR EventCode=4750 OR EventCode=4753 OR EventCode=4754 OR EventCode=4755 OR EventCode=4758 OR EventCode=4759 OR EventCode=4760 OR EventCode=4763 OR EventCode=4764)

search = eventtype=wineventlog_security (EventCode=4728 OR EventCode=4729 OR EventCode=4732 OR EventCode=4733 OR EventCode=4746 OR EventCode=4747 OR EventCode=4751 OR EventCode=4752 OR EventCode=4756 OR EventCode=4757 OR EventCode=4761 OR EventCode=4762)

search = eventtype=wineventlog_security (EventCode=4723 OR EventCode=4724)

search = eventtype=wineventlog-ds (EventCode=1014 OR EventCode=1083 OR EventCode=1084 OR EventCode=1203 OR EventCode=1307 OR EventCode=1308 OR EventCode=1311 OR EventCode=1566 OR EventCode=1699 OR EventCode=1800 OR EventCode=1801 OR EventCode=1865 OR EventCode=1925 OR EventCode=1926 OR EventCode=1988 OR EventCode=2087 OR EventCode=2088)

search = eventtype=wineventlog_security (Type=Error OR Type=Warning OR EventCode=512 OR EventCode=513 OR EventCode=516 OR EventCode=517 OR EventCode=1100 OR EventCode=1101 OR EventCode=1102 OR EventCode=1104 OR EventCode=4609 OR EventCode=4612 OR EventCode=1621)

search = eventtype=wineventlog_security EventCode=4624 user="*$"

search = eventtype=wineventlog_security EventCode=4624 user!="*$"

search = eventtype=wineventlog_security (EventCode=4720 OR EventCode=4722 OR EventCode=4724 OR EventCode=4725 OR EventCode=4726 OR EventCode=4738 OR EventCode=4767 OR EventCode=4781 OR EventCode=4912) user!="*$"

Windows eventtypes

search = sourcetype="*:System" "Installation Successful"

search = sourcetype="*:System" "Installation Failure"

search = sourcetype="WindowsUpdateLog" "Content Install" "Installation Successful"

search = sourcetype="WindowsUpdateLog" Failure "Content Install" "Installation Failure"

search = eventtype=eventlog_Update_Successful OR eventtype=updatelog_Update_Successful

search = eventtype=eventlog_Update_Failed OR eventtype=updatelog_Update_Failed

search = \
    ( \
        sourcetype="WinEventLog*" OR sourcetype="XmlWinEventLog*" \
            (Type="*Error*" OR Type="*Fail*" OR EventCode=1074 OR EventCode=19 OR \
            EventCode=20 OR EventCode=21 OR Eventcode=1001) \
    ) OR \
    ( \
        sourcetype="WindowsUpdateLog" (status="installed" OR \
            status="failure" OR status="restart required") \

description = This event type identifies key events on a host machine running Windows. \
Key events are defined as most commonly occurring scenarios on a Windows host that \
may require immediate attention or may explain issues seen on a host. hence the \
events collected by this event type include the following: \
1. Windows event log events from the System, Application or Security event log \
that indicate errors. \
2. Windows system event log event with event code 1074 for system reboots. Event codes \
600*s although useful in detecting the reboots of the event log itself are useful, \
they have been known to be noisy in reality and so excluded from this event type. \
3. Windows update event log events with event codes 19, 20 or 21 for installs, \
failures and required reboot scenarios. \
4. Windows update log actions indicating install, failure or install requiring reboots. \
Note: since event types dont support append command, we OR the source types.

1 Solution

Path Finder

Solved the problem:

Install on the universal forwarders for DC's/Print Servers/etc.
Install on UF's, like above, and Indexers, and searchheads.

View solution in original post

0 Karma


Nothing from what you posted was legible or comprehensible. This is an utterly useless post to anybody who views it.

Path Finder

Solved the problem:

Install on the universal forwarders for DC's/Print Servers/etc.
Install on UF's, like above, and Indexers, and searchheads.

0 Karma
Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...

Reminder! Splunk Love Promo: $25 Visa Gift Card for Your Honest SOAR Review With ...

We recently launched our first Splunk Love Special, and it's gone phenomenally well, so we're doing it again, ...