UF on DC+DNS Server not forwarding Dynamic DNS Upd...

billy · ‎03-19-2024

I have the following stanza in etc\system\local\inputs.conf. However I don't see dynamic DNS update events being forwarded to the Splunk server.

Local event viewer shows events after "ipconfig /release" followed by "ipconfig /renew"

I also tried [WinEventLog://DNS Server] as stanza name, to no avail.

Appreciate any insight.

Thanks, Billy

[WinEventLog://Microsoft-Windows-DNS-Server/Audit]
disabled = 0
renderXml = 1
whitelist = 519, 520

PickleRick · ‎03-19-2024

Ok. The question (because there might not be many Windows DNS experts here) is whether you have those events you want in those eventlogs (and they are properly identified by those whitelisted EventIDs) or are you happily randomly setting your inputs in hope of finding something. Can you find relevant events in EventViewer?

billy · ‎03-19-2024

Yes the events were showed in event viewer in near real-time.

PickleRick · ‎03-19-2024

Ok. I assume you checked the name for this particular Event Log (the name of the stanza must match the "Full Name" property from the EventLog properties page). The "DNS-Server" alone won't do.

Do you have any errors related to this input in your splunkd.log?

What does your

splunk list inputstatus

say?

billy · ‎03-19-2024

I thought "[WinEventLog://DNS Server]" is the same as "[WinEventLog://Microsoft-Windows-DNS-Server/Audit]". But yes I am using explicit log name (path).

I also stayed away from [WinEventLog://DNS Server] because of this doc . It says importing log is needed, which is confusing.

Below is the trimmed inputsstatus list output

PS C:\Program Files\SplunkUniversalForwarder> bin\splunk.exe btool inputs list --debug | Select-String "dns"

C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf [WinEventLog://Microsoft-Windows-DNS-Server/Audit]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dns_name =
<snip>
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf connection_host = dns
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dns_name =
<snip>

PickleRick · ‎03-19-2024

Honestly, I have no idea what they mean by importing the logs here.

Anyway, you checked the btool output which shows the config. Check the inputstatus as well (this shows - as the name says - status of the inputs).

billy · ‎03-19-2024

Courtesy of this post, I renamed "Microsoft-Windows-DNS-Server" to "Microsoft-Windows-DNSServer" and now I am seeing DNS events in my Splunk server.

"Microsoft-Windows-DNS-Server" is part of log name, while "Microsoft-Windows-DNSServer" (no space) is the provider name in XML event.

Go figure.

PickleRick · ‎03-20-2024

As I wrote before - "I assume you checked the name for this particular Event Log (the name of the stanza must match the "Full Name" property from the EventLog properties page)" 🙂

Especially the part in the parentheses is important. And yes, naming of the Event Logs can be a bit confusing sometimes. (You can of course get the Event Log name with a quick PowerShell as well without the need to click through the Event Viewer).

UF on DC+DNS Server not forwarding Dynamic DNS Update events

inputs.conf

universal forwarder

Windows

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio