Can you help me with some Windows DNS log parsing issues?

mnamestnik
Explorer

I am trying to ingest Windows DNS trace logs to Splunk. The Windows servers running the DNS service are running local universal forwarder installs, with the following defined in inputs.conf for their deployment app:

[monitor://C:\servicelog\dnslog.log]
disabled = 0
index = dns_data
sourcetype = MSAD:NT6:DNS
crcSalt = 

While the data is showing up in the correct index with the right sourcetype, it is coming in with each individual line in the trace log file as one event in Splunk. Since each true 'DNS request' in the trace log is about 100+ lines, and Splunk is assigning a new event to each line instead of line breaking on the date, it's making it almost impossible to parse the info I need and tie it back to anything useful. The log itself on the Windows DNS server has a new line for everything and doesn't break on the time either, so I am trying to force it to break on time and put everything up to the next time event into a single Splunk event.

The time format in the DNS log is, for example: 4/2/2019 12:26:20 PM

I have created a props.conf and transforms.conf within the indexers' deployment app and pushed it out. The contents of the props.conf are:

[MSAD:NT6:DNS]
TRANSFORMS-dns-time = msad_dns_time

and the contents of the transforms.conf file are:

[msad_dns_time]
TIME_PREFIX = ^
TIME_FORMAT = %-m/%e/%Y %l:%M:%S %p

What am I missing? Any help would be appreciated. Thanks!

1 Solution

mnamestnik
Explorer

Ended up using AoD hours; had to strip the entire contents of the [MSAD:NT6:DNS] stanza from the TA's default/props.conf file, change SHOULD_LINEMERGE to true, then paste that into the indexers' /etc/system/local/props.conf files and restart the indexer cluster, and now it's line breaking properly. Hopefully that helps someone else out down the road if they find this thread.

mnamestnik
Explorer

As a follow-on, I have tried it with the following all in props.conf on the indexers as well, without using a transforms file, with no difference:

[MSAD:NT6:DNS]
SHOULD_LINEMERGE = true
TIME_PREFIX = ^
TIME_FORMAT = %-m/%e/%Y %l:%M:%S %p
BREAK_ONLY_BEFORE_DATE = true

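An added example, not part of the original thread and not the TA's own configuration. Two points a reader should take from the exchange above: TIME_PREFIX and TIME_FORMAT are props.conf settings, so placing them in a transforms.conf stanza referenced by TRANSFORMS- (which is for index-time field extraction and routing) does nothing for line breaking; and the Splunk-idiomatic way to cut a multi-line record is an explicit LINE_BREAKER with SHOULD_LINEMERGE = false rather than relying on the line-merge heuristics. The block below models that LINE_BREAKER in Python over a constructed, shortened Windows DNS debug-log sample (real packet records run to 100+ lines) so you can see exactly where the event boundaries land, then parses the header line of each event into the fields a SOC searches on (peer, XID, query name, type, RCODE). The props.conf fragment in the comment is my suggestion; its TIME_FORMAT is the thread's own value and should be confirmed against _time after a test ingest. The sample lines, the header regex and the function names are all mine.

```python
import re
from datetime import datetime

# Index-time settings this example models (props.conf on the indexers, or on a
# heavy forwarder if one parses the feed). Suggested alternative to the
# SHOULD_LINEMERGE route taken in the thread, not the thread's own config:
# LINE_BREAKER's first capture group (the newline run) is discarded and an
# event boundary placed there, but only where the lookahead sees a timestamp
# starting the next line. TIME_FORMAT is the thread's value, not verified here.
#
#   [MSAD:NT6:DNS]
#   SHOULD_LINEMERGE = false
#   LINE_BREAKER = ([\r\n]+)(?=\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)
#   TIME_PREFIX = ^
#   TIME_FORMAT = %-m/%e/%Y %l:%M:%S %p
#   TRUNCATE = 50000   # default 10000 bytes; 100+ line packet dumps can exceed it

# Same pattern as the LINE_BREAKER above (PCRE in Splunk, re here; this subset
# behaves identically in both).
LINE_BREAKER = re.compile(
    r"([\r\n]+)(?=\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)"
)

# First line of a packet record in the Windows DNS debug log (assumed layout).
HEADER = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<thread>[0-9A-F]{4}) PACKET\s+(?P<pkt>[0-9A-F]+) "
    r"(?P<proto>UDP|TCP) (?P<dir>Rcv|Snd) (?P<peer>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]{4})\s+(?P<resp>R?)\s*(?P<opcode>\w)\s+"
    r"\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)

# Constructed sample in the debug-log layout; real records are much longer.
SAMPLE_LOG = """\
4/2/2019 12:26:20 PM 0E5C PACKET  000000E3A3D7E0B0 UDP Rcv 10.0.0.5        0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
UDP question info at 000000E3A3D7E0B0
  Socket = 412
  Remote addr 10.0.0.5, port 53
  Message:
    XID       0x0002
    Flags     0x0100
    QUESTION SECTION:
    Name      "(3)www(7)example(3)com(0)"

4/2/2019 12:26:20 PM 0E5C PACKET  000000E3A3D7E0B0 UDP Snd 10.0.0.5        0002 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
UDP response info at 000000E3A3D7E0B0
  Socket = 412
  Message:
    XID       0x0002
    Flags     0x8081
    ANSWER SECTION:
    Name      "[C00C](3)www(7)example(3)com(0)"
    DATA      192.0.2.10

4/2/2019 12:26:21 PM 1A20 PACKET  000000E3A3D8F1C0 UDP Rcv 10.0.0.9        0003   Q [0001   D   NOERROR] AAAA   (4)mail(7)example(3)com(0)
UDP question info at 000000E3A3D8F1C0
  Socket = 412
"""


def break_events(raw: str) -> list[str]:
    """Emulate Splunk's LINE_BREAKER: one event per timestamped record."""
    events, start = [], 0
    for m in LINE_BREAKER.finditer(raw):
        if m.start() > start:
            events.append(raw[start:m.start()])  # capture-group text is dropped
        start = m.end()
    tail = raw[start:].rstrip("\r\n")
    if tail:
        events.append(tail)
    return events


def wire_to_dotted(name: str) -> str:
    """'(3)www(7)example(3)com(0)' -> 'www.example.com'."""
    return re.sub(r"\(\d+\)", ".", name).strip(".")


def parse_event(event: str) -> dict:
    """Extract the searchable fields from the header line of one event."""
    header = event.splitlines()[0]
    m = HEADER.match(header)
    if not m:
        raise ValueError(f"not a DNS packet header: {header!r}")
    flags = m["flags"].split()
    return {
        # Python's %m/%d/%I accept the unpadded values this log writes.
        "time": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
        "proto": m["proto"],
        "direction": m["dir"],
        "peer": m["peer"],
        "xid": m["xid"],
        "is_response": m["resp"] == "R",
        "rcode": flags[-1],
        "qtype": m["qtype"],
        "qname": wire_to_dotted(m["qname"]),
        "lines": len(event.splitlines()),
    }


if __name__ == "__main__":
    # One event per raw line is what the thread's original setup produced.
    print(f"{len(SAMPLE_LOG.splitlines())} raw lines -> "
          f"{len(break_events(SAMPLE_LOG))} events")
    for ev in break_events(SAMPLE_LOG):
        p = parse_event(ev)
        print(p["time"], p["direction"], p["peer"], p["qtype"], p["qname"],
              "response" if p["is_response"] else "query", p["rcode"],
              f"{p['lines']} lines")
```

Three things to check after deploying such a stanza: it is index-time, so it must live on the parsing tier (indexers, or a heavy forwarder; a universal forwarder does not apply it) and only affects data indexed after the restart, never what is already on disk; a search such as `index=dns_data sourcetype=MSAD:NT6:DNS | stats count by linecount` should then show line counts well above 1; and because the query and its response share the XID and peer address, the parsed fields let you pair Rcv and Snd records with `stats` or `transaction` by xid, which is the "tie it back to something useful" step the question was after.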