I have the following stanza in etc\system\local\inputs.conf. However I don't see dynamic DNS update events being forwarded to the Splunk server.
Local Event Viewer shows events after "ipconfig /release" followed by "ipconfig /renew".
I also tried [WinEventLog://DNS Server] as stanza name, to no avail.
Appreciate any insight.
Thanks, Billy
[WinEventLog://Microsoft-Windows-DNS-Server/Audit]
disabled = 0
renderXml = 1
whitelist = 519, 520
Ok. The question (because there might not be many Windows DNS experts here) is whether you have those events you want in those eventlogs (and they are properly identified by those whitelisted EventIDs) or are you happily randomly setting your inputs in hope of finding something. Can you find relevant events in EventViewer?
Yes, the events were shown in Event Viewer in near real-time.
Ok. I assume you checked the name for this particular Event Log (the name of the stanza must match the "Full Name" property from the EventLog properties page). The "DNS-Server" alone won't do.
Do you have any errors related to this input in your splunkd.log?
What does your
splunk list inputstatus
say?
I thought "[WinEventLog://DNS Server]" is the same as "[WinEventLog://Microsoft-Windows-DNS-Server/Audit]". But yes, I am using the explicit log name (path).
I also stayed away from [WinEventLog://DNS Server] because of this doc. It says importing the log is needed, which is confusing.
Below is the trimmed inputstatus list output
PS C:\Program Files\SplunkUniversalForwarder> bin\splunk.exe btool inputs list --debug | Select-String "dns"
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf [WinEventLog://Microsoft-Windows-DNS-Server/Audit]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dns_name =
<snip>
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf connection_host = dns
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dns_name =
<snip>
Honestly, I have no idea what they mean by importing the logs here.
Anyway, you checked the btool output which shows the config. Check the inputstatus as well (this shows - as the name says - status of the inputs).
Courtesy of this post, I renamed "Microsoft-Windows-DNS-Server" to "Microsoft-Windows-DNSServer" and now I am seeing DNS events in my Splunk server.
"Microsoft-Windows-DNS-Server" is part of the log name, while "Microsoft-Windows-DNSServer" (no space) is the provider name in the XML event.
Go figure.
As I wrote before - "I assume you checked the name for this particular Event Log (the name of the stanza must match the "Full Name" property from the EventLog properties page)" 🙂
Especially the part in the parentheses is important. And yes, naming of the Event Logs can be a bit confusing sometimes. (You can of course get the Event Log name with a quick PowerShell as well without the need to click through the Event Viewer).
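The "quick PowerShell" mentioned in the last reply, and the earlier question of whether the whitelisted events actually exist in the log, can both be answered with the script below. This is an added example, not code from the thread or from Splunk: it lists every event log whose name matches a pattern, prints the LogName property (the "Full Name" Event Viewer shows, which is what goes after WinEventLog:// in inputs.conf), prints the provider names that write to it (the name that appears in the XML <Provider> element, which is not necessarily the log name), checks that events with the given IDs exist, and emits a matching inputs.conf stanza. The pattern '*DNS*' and the IDs 519 and 520 come from the thread; they are parameters you adjust for your own log.

```powershell
# Added example (not from the thread): discover the Event Log "Full Name" and
# provider name, verify the whitelisted event IDs exist, and emit the stanza.
# Assumptions: '*DNS*' and 519/520 are taken from the thread as defaults;
# run this on the DNS server itself, elevated, so protected logs are readable.
param(
    [string]$Pattern  = '*DNS*',        # substring of the log name you are looking for
    [int[]]$EventIds  = @(519, 520)     # event IDs the inputs.conf whitelist names
)

# 1. LogName is the "Full Name" from the Event Viewer properties page and is
#    the exact string Splunk expects after WinEventLog:// in the stanza name.
$logs = Get-WinEvent -ListLog $Pattern -ErrorAction SilentlyContinue
if (-not $logs) { Write-Warning "No event log matches '$Pattern'"; return }

foreach ($log in $logs) {
    "`n[Log] Full Name : $($log.LogName)   (enabled: $($log.IsEnabled), records: $($log.RecordCount))"

    # 2. Providers that write to this log. The provider name is what shows up in
    #    <Provider Name="..."> inside the XML event and can differ from the log name,
    #    which is exactly the DNS-Server / DNSServer confusion in the thread.
    $providers = $log.ProviderNames | Sort-Object -Unique
    "      Providers : $($providers -join ', ')"

    # 3. Confirm the whitelisted IDs really occur in this log before trusting the
    #    forwarder config; an empty result here means the input will look "dead".
    try {
        $hits = Get-WinEvent -FilterHashtable @{ LogName = $log.LogName; Id = $EventIds } `
                             -MaxEvents 5 -ErrorAction Stop
        "      Sample IDs: $(($hits | ForEach-Object Id) -join ', ')"
    } catch {
        "      No events with ID(s) $($EventIds -join ', ') found (or log not readable)"
    }

    # 4. Emit a stanza built from the discovered Full Name, mirroring the
    #    settings used in the thread (renderXml and whitelist).
    @"
      Suggested stanza:
      [WinEventLog://$($log.LogName)]
      disabled = 0
      renderXml = 1
      whitelist = $($EventIds -join ', ')
"@
}
```

Run it as `.\Find-EventLogStanza.ps1` (any file name works) or with `-Pattern '*Security*' -EventIds 4624,4625` for a different log. Copy the stanza it prints rather than typing the log name from the Event Viewer tree, since the tree shows display names while Splunk matches on the Full Name; if step 3 reports no events, fix the log or the IDs before looking for the problem on the Splunk side.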