Can Splunk cause DNS logs Event 3152?

Mannyi31
Explorer

I am running into multiple DNS servers having this event 3152 almost daily, and the symptoms are that the DNS server was unable to open the DNS debug log file for write. I am thinking that an application has a lock on the file while DNS is writing to it, and once it reaches its quota of 500MB it removes the file but cannot write a new one. I see this as the DNS log file disappears but DNS claims it cannot open the file to write a new log.

I have made sure that AV software is not scanning this file, and taking a look at current open files on the server I notice that the Splunk service account is the only one that has this file open. This occurs on both Win2003 and Win2008R2, with both Universal Forwarder and using regular file monitoring via the indexer. Has anyone experienced this while using Splunk to monitor the DNS debug file?

0 Karma

54638
Explorer

I know this is a 4-year-old post, but we just ran into a similar issue. The solution was that the DNS log file had to be located somewhere on the C:\ drive.

Credit goes to this website for leading us to the solution: https://nxlog.co/disappearing-windows-dns-debug-log

JeremyHagan
Communicator

This is happening in my environment, and our DNS servers are configured in write-through mode and it is still happening. I am going to attach an action to the 3152 event it logs when it is unable to create the file to restart the service. This seems to be the only way to make it recreate the file.

0 Karma
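One way to script the restart-on-3152 workaround described in the post above, as an added example that is not part of the original thread. The debug log path, state-file path, script path, task name, and the lookback and cooldown values are assumptions to replace with your own.

```powershell
# Added example (not from the thread): restart the DNS Server service only when
# event 3152 was logged recently AND the debug log file is really missing.
# Register on Server 2008 or later (event-triggered tasks; task name and
# script path below are assumed):
#   schtasks /Create /TN "DnsDebugLogRecover" /SC ONEVENT /EC "DNS Server" ^
#     /MO "*[System[(EventID=3152)]]" /RU SYSTEM ^
#     /TR "powershell.exe -NoProfile -File C:\Scripts\Restore-DnsDebugLog.ps1"
param(
    [string]$DebugLog    = 'C:\DnsLogs\dns-debug.log',    # assumed: your configured debug log path
    [string]$StateFile   = 'C:\DnsLogs\last-restart.txt', # assumed: marks the last automatic restart
    [int]$LookbackMinutes = 5,                            # how recent the 3152 event must be
    [int]$CooldownMinutes = 30                            # minimum gap between automatic restarts
)

# 1. Confirm the trigger: a 3152 event inside the lookback window.
$since = (Get-Date).AddMinutes(-$LookbackMinutes)
$event = Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 3152; StartTime = $since } `
                      -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $event) {
    Write-Output "No event 3152 in the last $LookbackMinutes minutes; nothing to do."
    exit 0
}

# 2. Confirm the symptom: the debug log file is gone.
if (Test-Path -Path $DebugLog) {
    Write-Output "Event 3152 seen at $($event.TimeCreated) but $DebugLog exists; not restarting."
    exit 0
}

# 3. Avoid a restart loop if the file keeps disappearing.
if (Test-Path -Path $StateFile) {
    $last = (Get-Item -Path $StateFile).LastWriteTime
    if ($last -gt (Get-Date).AddMinutes(-$CooldownMinutes)) {
        Write-Output "Last automatic restart was at $last; inside cooldown, investigate manually."
        exit 1
    }
}

# 4. Restart the service and record when we did it.
Restart-Service -Name 'DNS' -ErrorAction Stop
Set-Content -Path $StateFile -Value (Get-Date -Format o)
Write-Output "DNS service restarted; status is now $((Get-Service -Name 'DNS').Status)."
```

Each restart interrupts name resolution on that server briefly, which is why the script checks that the file is actually missing and enforces a cooldown before acting.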

realdridgespl
Explorer
0 Karma

Mannyi31
Explorer

It seems that Splunk was the cause but M$ is the one to blame. See this link that explains the situation and its fix action:
http://godlessheathenmemoirs.blogspot.com/2011/08/gathering-detailed-dns-debug-logs-from.html

0 Karma

Mannyi31
Explorer

It seems that Splunk is causing this. I have turned off indexing and DNS debug logging is working fine.

I have searched around and found out I am not the only one with this problem. http://splunk-base.splunk.com/answers/27537/windows-dns-log-file-configuration-poor-syntax-for-keepi...

Also this MS article is about the same issue: http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/c48f8bbe-960b-4fbe-a56a-683038d...

0 Karma

hadirs
New Member

Possible cases are:
* Check the folder permissions; maybe some program changed the permissions.
* Try opening the file with some text editor (e.g. Notepad++). If it cannot be opened, some program may be using that file.
* If it opens, try changing some characters (change 1 or 2 words, then save). If you cannot save, check elsewhere.

Splunk did not change or touch the file; it just reads or copies the file to the Splunk server.

0 Karma

Drainy
Champion

Splunk doesn't lock any files it is monitoring. I'm not saying it's impossible that Splunk is causing this, but it is very unlikely.

0 Karma