Windows DNS debug logs TA not using CIM fields?

asieira
Path Finder

I set up a test environment with a Windows 2012 R2 server with the DNS server role, and was able to successfully install TA-DNSServer-NT6 (as per the instructions at http://docs.splunk.com/Documentation/MSApp/1.1.2/MSInfra/DownloadandconfiguretheSplunkAdd-onsforWind... ).

However, I was very surprised to discover two things:

  • The DNS packet data (which contains the actual replies, such as the IP addresses a hostname resolved to in an A query) was not being parsed, and in fact generated "incomplete" alerts with each packet line as in this example:

  • The summary lines were being correctly parsed, but the corresponding CIM fields (http://docs.splunk.com/Documentation/CIM/4.2.0/User/NetworkResolutionDNS ) were not extracted. For example, a query for tag=dns came up empty even though there are DNS events and the Splunk App for Windows Infrastructure "DNS: Top Requested Queries" report is being populated. Here is an example:

For one, I would have expected to see tags with network, resolution and dns values as per the CIM documentation.

Can anyone else with a working installation of the DNS debug log collection confirm whether this field is populated for them? Did I make some mistake in the setup or is this a limitation of the app?

1 Solution

asieira
Path Finder

So it turns out that the latest available version of the app claims support for CIM 4.0. And the Network Resolution (DNS) data model didn't show up until CIM 4.1.0 was released around 6 months ago.

So apparently it's a documented current limitation of the app. Oh, well.

asieira
Path Finder

That might be an alternative, yes. Just keep in mind it's not using the DNS debug logs though; instead it uses the new DNS logging functionality Microsoft introduced in 2012 R2.

0 Karma

asieira
Path Finder

Do you have a link for it? Might be helpful for people that read this thread later on.

0 Karma

mikaelbje
Motivator

Bummer. I'd never seen a DNS record with a (null) value before, so discard the SEDCMD-win_dns = s/\(\d+\)/./g attribute from the props.conf. I wonder how Enterprise Security Suite reacts to these funky looking records in Windows DNS logs.

0 Karma
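
As an added example (not code from this thread, from TA-DNSServer-NT6, or from Splunk), here is a Python parser for the DNS debug-log summary lines discussed in the question and in the comment above: it decodes the length-prefixed (3)www(6)google(3)com(0) query names that the SEDCMD in the comment rewrites, maps the fields onto CIM Network Resolution field names, and handles the (null) name and the packet-dump continuation lines. The log lines are constructed samples, and the US-locale timestamp layout is an assumption.

```python
import re
from typing import Optional

# Constructed sample lines in the Windows DNS debug-log summary layout (not taken from the thread).
SAMPLE_LINES = [
    "6/13/2016 2:45:30 PM 0F54 PACKET  000000E1A5BE0E60 UDP Rcv 192.168.1.10   0002   Q [0001   D   NOERROR] A      (3)www(6)google(3)com(0)",
    "6/13/2016 2:45:30 PM 0F54 PACKET  000000E1A5BE0E60 UDP Snd 192.168.1.10   0002 R Q [8081   DR  NOERROR] A      (3)www(6)google(3)com(0)",
    "6/13/2016 2:45:31 PM 0F54 PACKET  000000E1A5BE1234 UDP Rcv 192.168.1.11   0003   Q [0001   D   NOERROR] PTR    (null)",
]

# Summary line: date time thread PACKET packet-id transport direction remote-ip xid [R] opcode [flags rcode] qtype qname
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\d+:\d+:\d+ [AP]M)\s+(?P<thread>[0-9A-F]+)\s+PACKET\s+(?P<pkt>[0-9A-F]+)\s+"
    r"(?P<transport>UDP|TCP)\s+(?P<direction>Snd|Rcv)\s+(?P<ip>\S+)\s+(?P<xid>[0-9A-Fa-f]+)\s+"
    r"(?P<response>R?)\s+(?P<opcode>[QNU?])\s+\[(?P<flags_hex>[0-9A-Fa-f]+)\s+(?P<flags>[A-Z]*)\s+(?P<rcode>[A-Z_]+)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")


def sedcmd_equivalent(raw: str) -> str:
    """What the thread's SEDCMD s/\\(\\d+\\)/./g does: every (N) becomes a dot, leaving leading/trailing dots."""
    return re.sub(r"\(\d+\)", ".", raw)


def decode_name(raw: str) -> Optional[str]:
    """Turn (3)www(6)google(3)com(0) into www.google.com; (null) or a malformed name yields None."""
    if raw == "(null)" or not raw.startswith("("):
        return None
    parts = LABEL_RE.findall(raw)
    if not parts or any(int(n) != len(label) for n, label in parts):
        return None  # a length prefix that disagrees with its label means the line is damaged
    return ".".join(label for _, label in parts if label)


def to_cim(line: str) -> Optional[dict]:
    """Map one summary line onto CIM Network Resolution field names; dump/continuation lines return None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    g = m.groupdict()
    peer = g["ip"]  # the server's own address is not in the line, so only the remote side is known
    return {
        "message_type": "Response" if g["response"] == "R" else "Query",
        "transport": g["transport"].lower(),
        "transaction_id": int(g["xid"], 16),
        "src": peer if g["direction"] == "Rcv" else None,
        "dest": peer if g["direction"] == "Snd" else None,
        "query_type": g["qtype"],
        "query": decode_name(g["qname"]),
        "reply_code": g["rcode"],
    }
```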

mikaelbje
Motivator

Perhaps time for someone to update the app ...