Hello Splunkers,
What is "the best practice" to ingest DNS logs inside a distributed Splunk environment? I hesitate between two possibilities (maybe there are others):
- Install a UF on my DNS servers and simply monitor the path where my DNS logs are located and then forward the logs to my Splunk env.
- Or use the Stream App, which seems a little bit more complicated: https://docs.splunk.com/Documentation/StreamApp/8.1.1/DeployStreamApp/AboutSplunkStream
Let me know what you used / think about that,
Thanks a lot!
GaetanVP
This also depends on your DNS system and query volumes, i.e. if you have some real DNS servers/appliances or just Windows DC nodes with DNS enabled.
We do UF on all our servers. To not make it more complicated, we use the UF to monitor the DNS log files.
In case of a Windows DC node with DNS enabled, would you go for a classic UF installation and monitoring?
Thanks
Yes, it should work like this.
Personally I try to avoid Windows DC DNS, but that's another story.
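For the UF-monitoring approach discussed above, here is an added example inputs.conf (not from the thread or from Splunk's own docs) for a Windows DC with the DNS debug log enabled; the log path is the default Windows DNS debug log location, while the index name, sourcetype name and the Linux BIND query log path are assumptions to adapt to your environment:

```ini
# Added example: Universal Forwarder inputs.conf for DNS logs.
# Assumed index "dns" and sourcetype names; set them to match your
# indexer-side props/transforms and the DNS add-on you use.

# Windows DNS debug log (default location when debug logging is turned on
# in the DNS Manager console). The debug log is rewritten in place when it
# reaches its configured maximum size, so crcSalt keeps the file tracked
# as the same source rather than a stream of new files.
[monitor://C:\Windows\System32\dns\dns.log]
disabled = 0
index = dns
sourcetype = windows:dns:debug
crcSalt = <SOURCE>

# Assumed BIND query log path on a Linux DNS server, if you have "real"
# DNS servers as the answer mentions; monitor the whole directory so
# rotated files are picked up too.
[monitor:///var/log/named/queries.log*]
disabled = 0
index = dns
sourcetype = bind:query
```

Deploy the stanza with a deployment server or a deployment app so every DNS host gets the same input definition, and check `splunk list inputstatus` on the forwarder to confirm the files are being read.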