I set up a test environment with a Windows 2012 R2 server with the DNS server role, and was able to successfully install TA-DNSServer-NT6 (as per the instructions at http://docs.splunk.com/Documentation/MSApp/1.1.2/MSInfra/DownloadandconfiguretheSplunkAdd-onsforWind... ).
However, I was very surprised to discover two things:
tag=dns came up empty even though there are DNS events and the Splunk App for Windows Infrastructure "DNS: Top Requested Queries" report is being populated. Here is an example:
For one, I would have expected to see tags with dns values as per the CIM documentation.
Can anyone else with a working installation of the DNS debug log collection confirm whether this field is populated for them? Did I make some mistake in the setup or is this a limitation of the app?
That might be an alternative, yes. Just keep in mind it's not using the DNS debug logs, though; instead it uses the new DNS logging functionality Microsoft introduced in 2012 R2.
Bummer. I'd never seen a DNS record with a (null) value before, so discard the SEDCMD-win_dns = s/\(\d+\)/./g attribute from the props.conf. I wonder how Enterprise Security Suite reacts to these funky looking records in Windows DNS logs.
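The SEDCMD-win_dns substitution from the last reply, reproduced in Python next to a decoder that actually honours the Windows DNS debug log's "(N)label" length markers, as an added example that is not part of the original thread; the sample names, including the "(null)" case, are constructed:

```python
import re

# Splunk's SEDCMD-win_dns = s/\(\d+\)/./g, as a Python regex: every "(N)"
# length marker becomes a dot. This is a blunt substitution, not a decode,
# so the result carries a leading dot and anything that is not "(digits)",
# such as "(null)", passes through untouched.
SEDCMD_WIN_DNS = re.compile(r"\(\d+\)")
LABEL_MARKER = re.compile(r"\((\d+)\)")


def sedcmd_win_dns(name: str) -> str:
    """Apply the same substitution the props.conf SEDCMD performs."""
    return SEDCMD_WIN_DNS.sub(".", name)


def decode_debug_log_name(name: str) -> str:
    """Decode '(3)www(7)example(3)com(0)' into 'www.example.com.'.

    Each '(N)' announces a label of exactly N characters and '(0)' is the
    root label. A value that is not in this notation, or whose markers do
    not match the text that follows them, is returned unchanged so the
    caller can flag it instead of silently emitting a mangled FQDN.
    """
    labels = []
    pos = 0
    while pos < len(name):
        marker = LABEL_MARKER.match(name, pos)
        if marker is None:
            return name  # e.g. "(null)" or trailing garbage: not decodable
        length = int(marker.group(1))
        pos = marker.end()
        if length == 0:
            break  # root label terminates the name
        label = name[pos:pos + length]
        if len(label) != length:
            return name  # marker claims more characters than are present
        labels.append(label)
        pos += length
    return ".".join(labels) + "."


if __name__ == "__main__":
    for sample in ("(3)www(7)example(3)com(0)", "(null)"):
        print(sample, "->", sedcmd_win_dns(sample), "|", decode_debug_log_name(sample))
```

Run over a few of the records the thread describes, the two columns show what the SEDCMD produces versus what a length-aware decode produces, which makes it easy to see which values the tag-based CIM lookups would never match.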