Getting Data In

UF on DC+DNS Server not forwarding Dynamic DNS Update events

billy
Loves-to-Learn Everything

I have the following stanza in etc\system\local\inputs.conf. However I don't see dynamic DNS update events being forwarded to the Splunk server.

Local event viewer shows events after "ipconfig /release" followed by "ipconfig /renew"

I also tried [WinEventLog://DNS Server] as stanza name, to no avail.

Appreciate any insight.

Thanks, Billy

[WinEventLog://Microsoft-Windows-DNS-Server/Audit]
disabled = 0
renderXml = 1
whitelist = 519, 520

PickleRick
SplunkTrust

Ok. The question (because there might not be many Windows DNS experts here) is whether you have those events you want in those eventlogs (and they are properly identified by those whitelisted EventIDs) or are you happily randomly setting your inputs in hope of finding something. Can you find relevant events in EventViewer?


billy
Loves-to-Learn Everything

Yes, the events were shown in Event Viewer in near real-time.



PickleRick
SplunkTrust

Ok. I assume you checked the name for this particular Event Log (the name of the stanza must match the "Full Name" property from the EventLog properties page). The "DNS-Server" alone won't do.

Do you have any errors related to this input in your splunkd.log?

What does your

splunk list inputstatus

say?



billy
Loves-to-Learn Everything

I thought "[WinEventLog://DNS Server]" is the same as "[WinEventLog://Microsoft-Windows-DNS-Server/Audit]". But yes I am using explicit log name (path).

I also stayed away from [WinEventLog://DNS Server] because of this doc. It says importing the log is needed, which is confusing.


Below is the trimmed inputstatus list output

PS C:\Program Files\SplunkUniversalForwarder> bin\splunk.exe btool inputs list --debug | Select-String "dns"

C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dns_name =
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf [WinEventLog://Microsoft-Windows-DNS-Server/Audit]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dns_name =
<snip>
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf connection_host = dns
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dns_name =
<snip>


PickleRick
SplunkTrust

Honestly, I have no idea what they mean by importing the logs here.

Anyway, you checked the btool output which shows the config. Check the inputstatus as well (this shows - as the name says - status of the inputs).


billy
Loves-to-Learn Everything

Courtesy of this post, I renamed "Microsoft-Windows-DNS-Server" to "Microsoft-Windows-DNSServer" and now I am seeing DNS events in my Splunk server.

"Microsoft-Windows-DNS-Server" is part of log name, while "Microsoft-Windows-DNSServer" (no space) is the provider name in XML event.

Go figure.


PickleRick
SplunkTrust

As I wrote before - "I assume you checked the name for this particular Event Log (the name of the stanza must match the "Full Name" property from the EventLog properties page)" 🙂

Especially the part in the parentheses is important. And yes, naming of the Event Logs can be a bit confusing sometimes. (You can of course get the Event Log name with a quick PowerShell as well without the need to click through the Event Viewer).

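The "quick PowerShell" mentioned above, written out as an added example (not code from the thread or from Splunk). It enumerates the Windows Event Log channels whose name matches a pattern, prints each channel's exact LogName (the "Full Name" the stanza must match) next to its provider names so the two are not confused, confirms the whitelisted EventIDs actually occur in the channel, and then emits the matching inputs.conf stanza. The pattern "*DNS*", the EventIDs 519 and 520, and the Universal Forwarder install path are taken from the thread; running it elevated on the DC/DNS server is an assumption.

```powershell
# Added example, not part of the original thread.
# Finds the exact Event Log channel name for a Splunk UF [WinEventLog://...] stanza.
# Assumes: run as Administrator on the DC/DNS server; values below come from the thread.
param(
    [string]$Pattern   = '*DNS*',
    [int[]]$EventIds   = @(519, 520),
    [int]$MaxEvents    = 5,
    [string]$SplunkExe = 'C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe'
)

# 1. Enumerate channels. LogName is the "Full Name" shown in Event Viewer's
#    properties dialog and is the string the stanza name must match exactly.
$channels = Get-WinEvent -ListLog $Pattern -ErrorAction SilentlyContinue
if (-not $channels) {
    Write-Warning "No event log channel matches '$Pattern'"
    return
}
$channels | Select-Object LogName, LogType, IsEnabled, LogMode, RecordCount | Format-Table -AutoSize

# 2. Show channel name vs provider name side by side. The provider name is a
#    different string (the thread's mix-up was channel vs provider).
foreach ($c in $channels) {
    '{0}  <- providers: {1}' -f $c.LogName, ($c.ProviderNames -join ', ')
}

# 3. Confirm the whitelisted EventIDs really occur in each enabled channel.
#    Get-WinEvent throws when nothing matches, so treat that as "no events".
foreach ($c in ($channels | Where-Object IsEnabled)) {
    try {
        $hits = @(Get-WinEvent -FilterHashtable @{ LogName = $c.LogName; Id = $EventIds } `
                    -MaxEvents $MaxEvents -ErrorAction Stop)
        '{0}: {1} matching event(s), newest at {2}' -f $c.LogName, $hits.Count, $hits[0].TimeCreated
    } catch {
        '{0}: no events with Id {1} found' -f $c.LogName, ($EventIds -join '/')
    }
}

# 4. Emit a stanza per enabled channel using the exact LogName, in the same
#    shape as the thread's inputs.conf entry.
foreach ($c in ($channels | Where-Object IsEnabled)) {
    @(
        "[WinEventLog://$($c.LogName)]",
        'disabled = 0',
        'renderXml = 1',
        "whitelist = $($EventIds -join ', ')"
    ) -join "`n"
    ''
}

# 5. After editing inputs.conf and restarting the forwarder, check what the UF
#    itself thinks about the input (this is the "splunk list inputstatus" from above).
if (Test-Path $SplunkExe) {
    & $SplunkExe list inputstatus | Select-String -Pattern 'WinEventLog' -Context 0, 3
} else {
    Write-Warning "Splunk UF not found at $SplunkExe; skipping inputstatus check"
}
```

Run it once before touching inputs.conf: if step 3 reports no matching events in the channel you intend to read, the stanza name is not the problem and the events are simply not being written where you expect. Note that channel names are case-insensitive for the Windows API but the stanza should still be copied from LogName verbatim to avoid a second round of guessing.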