Getting Data In

Windows DNS event logs

dstambaugh
Explorer

I've configured my universal forwarder on my Windows DNS server (Server 2003) to send data from the DNS Server event viewer, and it's working. However, it's missing the main part of each event. This is what I see in Splunk:

    04/19/2011 06:43:28 PM
    LogName=DNS Server
    SourceName=DNS
    EventCode=2
    EventType=4
    Type=Information
    ComputerName=DNSSVR047
    Category=0
    CategoryString=none
    RecordNumber=90818
    Message=Splunk could not get the description for this event. Either the
    component that raises this event is not installed on your local computer
    or the installation is corrupt.

The 'Message' string should say something like "The DNS service has started."

The main indexer (ver 4.2) is running Server 2008 R2 and is receiving this data directly from the universal forwarder. I have installed the Remote Server Administration Tools on the indexer, which include the DNS management tools and, theoretically, also the files Splunk needs for the DNS API. I can successfully use the DNS management tools from the indexer to connect to the DNS server and view the DNS events in all of their intended glory.
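Added example (editor's code, not part of the question or of any reply): a small Python check that parses forwarder records in the key=value layout shown above and reports, per ComputerName and LogName, which records carry Splunk's placeholder text instead of a real description. The sample records are constructed for the example; the second host, DNSSVR048, and its healthy record are assumptions added for contrast.

```python
"""Flag forwarded Windows event-log records whose Message field is Splunk's
placeholder for an event description it could not render.

Editor's added example; not code from the original post or from Splunk.
The input layout is the key=value block the universal forwarder emits for
WinEventLog inputs, copied from the question. The records below are
constructed sample data, not real forwarder output.
"""
import re
from collections import defaultdict

# Leading text of the placeholder quoted in the question.
PLACEHOLDER = "Splunk could not get the description for this event"

# Constructed sample: one broken record (as in the question) and one healthy
# record from a hypothetical second server, DNSSVR048 (assumed name).
SAMPLE_EVENTS = """\
04/19/2011 06:43:28 PM
LogName=DNS Server
SourceName=DNS
EventCode=2
EventType=4
Type=Information
ComputerName=DNSSVR047
Category=0
CategoryString=none
RecordNumber=90818
Message=Splunk could not get the description for this event. Either the
component that raises this event is not installed on your local computer
or the installation is corrupt.

04/19/2011 06:45:10 PM
LogName=DNS Server
SourceName=DNS
EventCode=2
EventType=4
Type=Information
ComputerName=DNSSVR048
Category=0
CategoryString=none
RecordNumber=1201
Message=The DNS server has started.
"""


def parse_event(raw):
    """Parse one forwarder record: a timestamp line, key=value lines, and a
    Message field that may continue over several lines (it is emitted last,
    so everything after 'Message=' belongs to it, even lines containing '=')."""
    lines = raw.strip().splitlines()
    event = {"_time": lines[0].strip()}
    message_lines = None
    for line in lines[1:]:
        if message_lines is not None:
            message_lines.append(line)  # continuation of a multi-line Message
            continue
        key, sep, value = line.partition("=")
        if key == "Message":
            message_lines = [value]
        elif sep:
            event[key] = value
    event["Message"] = "\n".join(message_lines) if message_lines is not None else ""
    return event


def parse_events(text):
    """Split a blob of records separated by blank lines into event dicts."""
    chunks = re.split(r"\n\s*\n", text.strip())
    return [parse_event(chunk) for chunk in chunks if chunk.strip()]


def is_unresolved(event):
    """True when the forwarder shipped the placeholder instead of the real
    message text, i.e. the record carries no usable description."""
    return event.get("Message", "").startswith(PLACEHOLDER)


def unresolved_by_host(events):
    """Map (ComputerName, LogName) to the (EventCode, RecordNumber) pairs whose
    description could not be rendered, so affected forwarders stand out."""
    report = defaultdict(list)
    for ev in events:
        if is_unresolved(ev):
            key = (ev.get("ComputerName"), ev.get("LogName"))
            report[key].append((ev.get("EventCode"), ev.get("RecordNumber")))
    return dict(report)


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for (host, log), records in unresolved_by_host(events).items():
        print(f"{host} / {log}: {len(records)} record(s) without a description: {records}")
```

Run against the sample, it reports only DNSSVR047. Fed with raw events exported from the index, a non-empty report is the signal that a forwarder is shipping DNS Server events whose Message field is unusable for searches or alerting, which is worth knowing before anyone builds a detection on that log.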

landen99
Motivator

This should probably be titled "DNS event forwarding". "Windows DNS Event Logs" gives the implication that there will be discussion of the meanings and interpretations of the logs themselves.

0 Karma

piebob
Splunk Employee (accepted solution)

This is an unfortunate but known problem. The Microsoft Event Log API for XP/2003 doesn't provide the channel log name, so processing the files into evtx fails. It's apparently difficult to resolve within Splunk.

dstambaugh
Explorer

That does appear to be the case. I installed a universal forwarder on my other DNS server running Server 2008 R2, and the events are complete, coming from the DNS event viewer on that server. I also tried installing the Server 2003 SP1 and SP2 Administration Tools on the indexer, but it didn't help. Splunk just can't decipher DNS logs from a server running 2003. Thanks.

0 Karma