Windows DNS event logs

dstambaugh
Explorer

I've configured my univ fwdr on my Windows DNS server (Server 2003) to send data from the DNS Server event viewer, and it's working. However, it's missing the main part of each event. This is what I see in Splunk:

    04/19/2011 06:43:28 PM
    LogName=DNS Server
    SourceName=DNS
    EventCode=2
    EventType=4
    Type=Information
    ComputerName=DNSSVR047
    Category=0
    CategoryString=none
    RecordNumber=90818
    Message=Splunk could not get the description for this event. Either the
    component that raises this event is not installed on your local computer
    or the installation is corrupt.

The 'Message' string should say something like "The DNS service has started."

The main indexer (ver 4.2) is running Server 2008 R2 and is receiving this data directly from the univ fwdr. I have installed the Remote Server Administrative Tools on the indexer, which includes the DNS mgmt tools, and theoretically, also includes the required files used by Splunk for the DNS API. I can successfully use the DNS mgmt tools from the indexer and connect to the DNS server and view the DNS Events in all of their intended glory.
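As an added example (not code from the original thread or from Splunk): a small Python parser for the key=value event layout shown above that flags records whose Message is the "could not get the description" placeholder, so hosts forwarding truncated events can be reported and the coverage gap measured. The second sample event, including the host name DNSSVR048, is constructed.

```python
import re

# Placeholder Splunk substitutes when it cannot resolve the event description.
UNRESOLVED = "Splunk could not get the description for this event"

# Constructed sample: the truncated event from the question, then a made-up complete one.
SAMPLE = """\
04/19/2011 06:43:28 PM
LogName=DNS Server
EventCode=2
ComputerName=DNSSVR047
RecordNumber=90818
Message=Splunk could not get the description for this event. Either the
component that raises this event is not installed on your local computer
or the installation is corrupt.

04/19/2011 06:51:02 PM
LogName=DNS Server
EventCode=2
ComputerName=DNSSVR048
RecordNumber=90819
Message=The DNS server has started.
"""

TIMESTAMP_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M$")
FIELD_RE = re.compile(r"^([A-Za-z]\w*)=(.*)$")  # Key=value line

def parse_events(text):
    """Split on timestamp lines; non Key=value lines continue the last field."""
    events, current, last_key = [], None, None
    for line in text.splitlines():
        if TIMESTAMP_RE.match(line):
            current, last_key = {"_time": line}, None
            events.append(current)
            continue
        if current is None or not line.strip():
            continue  # blank separator, or text before the first event
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
            last_key = m.group(1)
        elif last_key:  # wrapped continuation of the previous value (Message)
            current[last_key] += " " + line.strip()
    return events

def unresolved_events(events):
    """(ComputerName, RecordNumber) of events that arrived without a description."""
    return [(e.get("ComputerName"), e.get("RecordNumber"))
            for e in events if e.get("Message", "").startswith(UNRESOLVED)]
```

Running `unresolved_events(parse_events(SAMPLE))` returns only the DNSSVR047 record; a Splunk search on the same placeholder string grouped by ComputerName gives the equivalent per-host view.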

1 Solution

piebob
Motivator

This is an unfortunate but known problem. The Microsoft Event Log API for XP/2003 doesn't provide the channel log name, so processing the files into evtx fails. It's apparently difficult to resolve within Splunk.


landen99
Motivator

This should probably be titled "DNS event forwarding". "Windows DNS Event Logs" gives the implication that there will be discussion of the meanings and interpretations of the logs themselves.

0 Karma

dstambaugh
Explorer

That does appear to be the case. I installed a univ fwdr on my other DNS server running Server 2008 R2, and the events are complete, coming from the DNS event viewer on that server. I also tried installing the Server 2003 SP1 and SP2 Administration Tools on the indexer, but it didn't help. Splunk just can't decipher DNS logs from a server running 2003. Thanks.

0 Karma