Getting Data In

Can Splunk cause DNS logs Event 3152?

Mannyi31
Explorer

I am running into multiple DNS servers having this event 3152 almost daily, and the symptoms are that the DNS server was unable to open the DNS debug log file for write. I am thinking that an application has a lock on the file while DNS is writing to it, and once it reaches its quota of 500MB it removes the file but cannot write a new one. I see this as the DNS log file disappears but DNS claims it cannot open the file to write a new log.

I have made sure that AV software is not scanning this file, and taking a look at current open files on the server I notice that the Splunk service account is the only one that has this file open. This occurs on both Win2003 and Win2008R2, with both Universal Forwarder and using regular file monitoring via the indexer. Has anyone experienced this while using Splunk to monitor the DNS debug file?

0 Karma

54638
Explorer

I know this is a 4-year-old post, but we just ran into a similar issue. The solution was that the DNS log file had to be located somewhere on the C:\ drive.

Credit goes to this website for leading us to the solution: https://nxlog.co/disappearing-windows-dns-debug-log

JeremyHagan
Communicator

This is happening in my environment, and our DNS servers are configured in write-through mode and it is still happening. I am going to attach an action to the 3152 event it logs when it is unable to create the file to restart the service. This seems to be the only way to make it recreate the file.

0 Karma
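The workaround described in the post above (restart the DNS service when event 3152 is logged and the debug log file is gone), sketched as a PowerShell script that a scheduled task could run. This is an added example, not code from the thread or from Splunk; it assumes the event is written to the "DNS Server" event log, that the service is named "DNS", and that `Get-WinEvent` is available (so not Win2003), and the log path is a placeholder.

```powershell
# Added example, not from the thread. Assumptions: event 3152 is in the
# "DNS Server" event log, the service name is "DNS", and $DebugLogPath is a
# placeholder for the debug log path configured on your DNS server.
param(
    [string]$DebugLogPath    = 'C:\DnsLogs\dns-debug.log',  # placeholder path
    [int]   $LookbackMinutes = 15
)

function Test-DnsDebugLogStalled {
    param([string]$Path, [int]$Minutes)

    # Event 3152: the DNS server could not open the debug log file for write.
    $recent = Get-WinEvent -FilterHashtable @{
        LogName   = 'DNS Server'
        Id        = 3152
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue

    # Stalled only if the event fired recently AND the file has disappeared,
    # which is the symptom reported in this thread.
    return [bool]$recent -and -not (Test-Path -LiteralPath $Path)
}

if (Test-DnsDebugLogStalled -Path $DebugLogPath -Minutes $LookbackMinutes) {
    Write-Output "Event 3152 seen and $DebugLogPath is missing; restarting DNS."
    Restart-Service -Name 'DNS'

    # Give the service time to start, then confirm the log file was recreated.
    Start-Sleep -Seconds 15
    if (Test-Path -LiteralPath $DebugLogPath) {
        Write-Output 'DNS debug log file recreated.'
    } else {
        Write-Warning 'DNS debug log file still missing after restart.'
    }
} else {
    Write-Output 'No recent event 3152 with a missing debug log; nothing to do.'
}
```

Checking for the missing file before restarting avoids bouncing the DNS service on a 3152 event that the server has already recovered from.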

realdridgespl
Explorer
0 Karma

Mannyi31
Explorer

It seems that Splunk was the cause but M$ is the one to blame. See this link that explains the situation and its fix action:
http://godlessheathenmemoirs.blogspot.com/2011/08/gathering-detailed-dns-debug-logs-from.html

0 Karma

Mannyi31
Explorer

It seems that Splunk is causing this. I have turned off indexing and DNS debug logging is working fine.

I have searched around and found out I am not the only one with this problem. http://splunk-base.splunk.com/answers/27537/windows-dns-log-file-configuration-poor-syntax-for-keepi...

Also this MS article is about the same issue: http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/c48f8bbe-960b-4fbe-a56a-683038d...

0 Karma

hadirs
New Member

Possible cases are:
* Check the folder permissions; maybe some program changed the permissions.
* Try opening the file with a text editor (e.g. Notepad++). If it cannot be opened, some program may be using that file.
* If it opens, try changing some characters (change 1 or 2 words, then save). If it cannot be saved, check elsewhere.

Splunk did not change or touch the file; it just reads or copies the file to the Splunk server.

0 Karma

Drainy
Champion

Splunk doesn't lock any files it is monitoring. I'm not saying it's impossible that Splunk is causing this, but it is very unlikely.

0 Karma