I am running in to multiple DNS server having this event 3152 almost daily and the symptoms are that the DNS server was unable to open the DNS debug log file for write. I am thinking that an application has a lock on the file wile DNS is writing to it and once it reaches its quota of 500MB it removes the file but cannot write a new one. I see this as the DNS log file disapeers but DNS claims it cannot open the file to write a new log.
I have made sure that AV software is not scanning this file and taking a look at current open files on the server I notice that the Splunk the service account is the only one that has this file open. This occurs if on both Win2003 and Win2008R2 with both Universal Forwarder and using regular file monitoring via the indexer. Has anyone experienced this wile using Splunk to monitor the DNS debug file?
I know this is a 4 year old post, but we just ran into a similar issue. The solution was that the DNS log file had to be located somewhere on the C:\ drive.
Credit goes to this website for leading us to the solution: https://nxlog.co/disappearing-windows-dns-debug-log
This is happening in my environment and our DNS server are configured in write-through mode and it is still happening. I am going to attach an action to the 3152 event it logs when it is unable to create the file to restart the service. This seems to be the only way to make it recreate the file.
I found the answer in this other Splunk posting....
It seems that Splunk was the cause but M$ is the one to blame. See this link that explanes the situation and its fix action:
http://godlessheathenmemoirs.blogspot.com/2011/08/gathering-detailed-dns-debug-logs-from.html
It seems that Splunk is causing this. I have turned off indexing and DNS debug logging is working fine.
I have search around and found out I am not the only one with this problem. http://splunk-base.splunk.com/answers/27537/windows-dns-log-file-configuration-poor-syntax-for-keepi...
Also this MS article is about the same issue: http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/c48f8bbe-960b-4fbe-a56a-683038d...
Possible case are:
* check folder permission, maybe some program change change the permission.
* try open the file with some text editor (ext; notepad++) if can not open, some programs may be using that file.
* if open, try change some character, (change 1 or 2 word than save)if can not save, check elsewhere.
the splunk did not change or touch the file, just read or copy the file to the splunk server
Splunk doesn't lock any files it is monitoring. I'm not saying its impossible that Splunk is causing this but it is very unlikely.