All Apps and Add-ons

Wrong time format in Microsoft DNS TA

Communicator

Hi guys,

I've posted a sample DNS log with some random data:

02/05/2018 14:15:24 1264 PACKET 0000008AE9170080 UDP Rcv 0.0.0.0 7c4d Q [0001 D NOERROR] SRV (16)kerberos-master(4)tcp(3)RANDOM(3)CA0)

We're trying to ingest these logs into Splunk which has been partially successful. We began to ingest the data, however, the timestamps are taken incorrectly.

As we are in the UK 02/05/2018 should be the 2nd of May 2018 but it's only searchable as the 5th of February 2018. We are using the Microsoft DNS TA on a UF send the data via a heavy forwarder and then to the indexers. I've tried adding the below stanza to props.conf on the UF and the heavy forwarder but still the date only shows as the American Format. Anyone got any ideas on how to fix this?

[MSAD:NT6:DNS]
TIME_FORMAT = %d/%m/%Y

The default props.conf in the DNS TA doesn't have anything relating to timestamps which is also very confusing?

Any advice would be appreciated.

Cheers!

0 Karma

SplunkTrust
SplunkTrust

Hey, what you're using looks like the "old" Microsoft DNS debug logs, where everything is written to a single file in a pretty terrible format.
The Windows DNS TA however refers in it's installation instructions to this microsoft article, which tells you that you need either Windows Server 2012R2 or 2016, and requires a certain hotfix installed in case of 2012R2.

So, you gotta follow that article, enable the proper logging, and the TA will then work with that data. The older debug style logs are not supported by the TA and are actually quite terrible 😉

Edit:

You're right - the regexes match the old debug log style, but the linked article in the installation manual points to the new method.
Whatever, if it works for you, let's try the timestamp recognition.

TIME_FORMAT = %d/%m/%Y %H:%M:%S

This also includes the time, maybe this works better. The timestamp you get is a common format, also in the US day + month are twisted. Splunk recognizes such timestamps by default, so no configuration is needed, and therefore you don't see it in the TA's default props.conf. BTW, this config should go on the first HF/indexer the data goes to.

If this doesn't work out, please run this on the CLI:
/opt/splunk/bin/splunk btool props list MSAD:NT6:DNS --debug and post the output as a comment here.

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

0 Karma

Communicator

Hi xpac,

Thanks for trying to help but I don't think theres anything wrong with the log format. I think changing the logging settings on multiple domain controllers would be harder than just figuring out how to fix this timestamp issue.The TA deals with all field extractions fine, it's only failing on the timestamp.

Thanks!

0 Karma

SplunkTrust
SplunkTrust

We're you able to try this?

0 Karma

SplunkTrust
SplunkTrust

I updated my first answer, please check it out.

0 Karma