Getting Data In

Can Splunk cause DNS logs Event 3152?

Mannyi31
Explorer

I am running into multiple DNS servers having this event 3152 almost daily, and the symptom is that the DNS server was unable to open the DNS debug log file for write. I am thinking that an application has a lock on the file while DNS is writing to it, and once it reaches its quota of 500MB it removes the file but cannot write a new one. I see this as the DNS log file disappears but DNS claims it cannot open the file to write a new log.

I have made sure that AV software is not scanning this file, and taking a look at current open files on the server I notice that the Splunk service account is the only one that has this file open. This occurs on both Win2003 and Win2008R2, with both Universal Forwarder and using regular file monitoring via the indexer. Has anyone experienced this while using Splunk to monitor the DNS debug file?

0 Karma

54638
Explorer

I know this is a 4 year old post, but we just ran into a similar issue. The solution was that the DNS log file had to be located somewhere on the C:\ drive.

Credit goes to this website for leading us to the solution: https://nxlog.co/disappearing-windows-dns-debug-log

JeremyHagan
Communicator

This is happening in my environment, and our DNS servers are configured in write-through mode and it is still happening. I am going to attach an action to the 3152 event it logs when it is unable to create the file, to restart the service. This seems to be the only way to make it recreate the file.

0 Karma
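The event-triggered restart described in the post above could look like the following. This is an added example, not code from the thread or from any poster. The parameter names are hypothetical, the debug log path must be supplied by the operator, and `DNS Server` / `DNS` are assumed to be the event log and service names of the Windows DNS Server role.

```powershell
# Added example, not from the thread. Intended to run as a scheduled task
# (or as the action attached to event 3152) on the DNS server itself.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Path of the DNS debug log as configured on this server (supplied by you).
    [Parameter(Mandatory = $true)][string]$DebugLogPath,
    # How far back to look for event 3152.
    [int]$LookbackMinutes = 15
)

$since = (Get-Date).AddMinutes(-$LookbackMinutes)

# Event 3152 in the "DNS Server" log. Get-WinEvent raises an error when
# nothing matches, so silence that and normalise the result to an array.
$hits = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'DNS Server'
        Id        = 3152
        StartTime = $since
    } -ErrorAction SilentlyContinue)

$logPresent = Test-Path -LiteralPath $DebugLogPath
$restarted  = $false

# Restart only when both symptoms from the thread are present: the event was
# logged recently AND the debug log file is missing. A run after the file has
# come back does nothing, which avoids restart loops.
if ($hits.Count -gt 0 -and -not $logPresent) {
    if ($PSCmdlet.ShouldProcess('DNS', 'Restart service to recreate debug log')) {
        Restart-Service -Name 'DNS' -ErrorAction Stop
        Start-Sleep -Seconds 5
        $restarted  = $true
        $logPresent = Test-Path -LiteralPath $DebugLogPath
    }
}

# One summary object per run, so the task output shows how often this fires.
New-Object PSObject -Property @{
    CheckedAt     = Get-Date
    Events3152    = $hits.Count
    Restarted     = $restarted
    LogPresentNow = $logPresent
}
```

Run it with `-WhatIf` first to see whether it would restart the service; each real restart briefly interrupts name resolution on that server, and the summary object gives a record of how often the condition recurs.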

realdridgespl
Explorer
0 Karma

Mannyi31
Explorer

It seems that Splunk was the cause but M$ is the one to blame. See this link that explains the situation and its fix action:
http://godlessheathenmemoirs.blogspot.com/2011/08/gathering-detailed-dns-debug-logs-from.html

0 Karma

Mannyi31
Explorer

It seems that Splunk is causing this. I have turned off indexing and DNS debug logging is working fine.

I have searched around and found out I am not the only one with this problem. http://splunk-base.splunk.com/answers/27537/windows-dns-log-file-configuration-poor-syntax-for-keepi...

Also this MS article is about the same issue: http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/c48f8bbe-960b-4fbe-a56a-683038d...

0 Karma

hadirs
New Member

Possible cases are:
* Check the folder permissions; maybe some program changed the permissions.
* Try opening the file with a text editor (e.g. Notepad++). If it cannot be opened, some program may be using that file.
* If it opens, try changing some characters (change 1 or 2 words, then save). If it cannot be saved, check elsewhere.

Splunk did not change or touch the file; it just reads or copies the file to the Splunk server.

0 Karma

Drainy
Champion

Splunk doesn't lock any files it is monitoring. I'm not saying it's impossible that Splunk is causing this, but it is very unlikely.

0 Karma