DNS Server NOT Forwarding Windows Security Events

dillardo_2
Path Finder

One of our DNS servers running a universal forwarder, suddenly stopped sending Windows Event logs to our indexers.
DNS events are still being forwarded.

0 Karma

ololdach
Builder

Hi dillardo_2,

When the UF sends some data and drops some other, the most likely cause is that the missing input is either misconfigured or that the splunk user has no access to the resources being monitored. From your post I take it that it was running, and I assume that nobody set disabled=1 in inputs.conf just to play a joke on you. My first guess would be that some group policies changed the access to the local logs for the splunk user (or the local admin group). Have the GPOs been changed lately, or have you changed splunk to run as a user with limited access rights?

The second guess after that would be an update to Windows by Microsoft that enforces different policies on some resources. In that case I'd re-test with the latest version of the UF for Windows. In order to validate the case, check the software installation logs on windows and check the local audit logs on Windows for any access violations or errors. You may have to step up the audit level in order to see it.

Hope it helps.
Oliver

0 Karma
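The checks Oliver lists above (which account the forwarder runs as, whether a GPO changed access to the Security log, whether the input is still enabled, whether the forwarder or Windows logged an access error, and whether a recent update landed) can be run from one PowerShell session on the affected DNS server. The script below is an added example, not code from the thread or from Splunk; it assumes the default Universal Forwarder service name `SplunkForwarder` and install path `C:\Program Files\SplunkUniversalForwarder`, and the failure-audit query only returns something if object-access auditing is enabled on the host.

```powershell
# Added example: local checks on a Windows host whose Splunk UF stopped reading
# the Security log while other inputs keep working. Service name and install
# path are assumptions (defaults); adjust them to your environment.
$splunkHome = 'C:\Program Files\SplunkUniversalForwarder'

$svc = Get-CimInstance Win32_Service -Filter "Name='SplunkForwarder'"
if (-not $svc) { throw "SplunkForwarder service not found on this host" }
"Service $($svc.Name): state=$($svc.State), runs as '$($svc.StartName)'"

# 1. A UF not running as LocalSystem needs read access to the Security log.
#    Membership in 'Event Log Readers' is the usual way to grant it.
$account = $svc.StartName
if ($account -notmatch 'LocalSystem|NT AUTHORITY\\SYSTEM') {
    $user = $account.Split('\')[-1]          # '.\svc' vs 'HOST\svc' naming differs
    $readers = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue
    if (-not ($readers | Where-Object { $_.Name.Split('\')[-1] -eq $user })) {
        Write-Warning "$account is not a member of 'Event Log Readers'"
    }
}

# 2. Effective ACL on the Security channel, and whether a GPO
#    ('Configure log access') is overriding it. Key absent = no policy applied.
$sddl = (wevtutil gl Security | Select-String '^channelAccess:').Line
"Security channel ACL: $sddl"
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security' `
        -Name ChannelAccess -ErrorAction SilentlyContinue
if ($pol) { "GPO-enforced ChannelAccess: $($pol.ChannelAccess)" }
else      { "No ChannelAccess policy set for the Security log" }

# 3. Merged inputs.conf: is the Security stanza present and not disabled=1?
& "$splunkHome\bin\splunk.exe" btool inputs list 'WinEventLog://Security' --debug

# 4. Forwarder-side errors for that input (most recent entries).
Get-Content "$splunkHome\var\log\splunk\splunkd.log" -Tail 2000 |
    Select-String -Pattern 'WinEventLog.*Security|ERROR' |
    Select-Object -Last 20

# 5. Local failure audits mentioning splunkd (only present if auditing is on),
#    and the most recent Windows updates, to line up with the date events stopped.
$auditFailure = 0x10000000000000   # Keywords value for 'Audit Failure'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Keywords = $auditFailure;
                                 StartTime = (Get-Date).AddDays(-7) } `
             -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'splunkd' } |
    Select-Object TimeCreated, Id, Message
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn
```

Run it elevated; `Get-LocalGroupMember` and the policy key read both need admin rights. If step 3 shows the stanza but step 2 shows an SDDL that no longer grants the service account read access, the GPO is the cause; if the ACL is fine but step 4 shows errors, compare the error timestamps with the update dates from step 5.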

gcusello
SplunkTrust

Hi dillardo_2,
When did the Windows Event Logs stop arriving? Before or after the 30th of September?
If you received events until the 30th of September and no October events, look at the events of the 10th of April to see if your October events are there; if yes, this means there's an error in timestamp parsing (Splunk confuses month and day).

When they stopped, you didn't see events, but if you search yesterday's events, do you have results?
If yes, there's probably network congestion, so the UF sends part of the logs with a delay; you can check the delay with this search:

index=wineventlog
| eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S%3N"), diff=_indextime-_time
| table _time indextime diff

If none of these conditions, please share more information.

Bye.
Giuseppe

0 Karma

dillardo_2
Path Finder

Hi @gcusello, thanks for your response. Events stopped on 10/4 on only this DNS server. We have a second DNS server that is forwarding events just fine. It appears to be isolated to this one DNS server.

0 Karma