Windows DNS event logs

Explorer

I've configured my univ fwdr on my Windows DNS server (Server 2003) to send data from the DNS Server event viewer, and it's working. However, it's missing the main part of each event. This is what I see in Splunk:

    04/19/2011 06:43:28 PM
    LogName=DNS Server
    SourceName=DNS
    EventCode=2
    EventType=4
    Type=Information
    ComputerName=DNSSVR047
    Category=0
    CategoryString=none
    RecordNumber=90818
    Message=Splunk could not get the description for this event. Either the
    component that raises this event is not installed on your local computer
    or the installation is corrupt.

The 'Message' string should say something like "The DNS service has started."

The main indexer (ver 4.2) is running Server 2008 R2 and is receiving this data directly from the univ fwdr. I have installed the Remote Server Administrative Tools on the indexer, which includes the DNS mgmt tools, and theoretically, also includes the required files used by Splunk for the DNS API. I can successfully use the DNS mgmt tools from the indexer and connect to the DNS server and view the DNS Events in all of their intended glory.
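The event above is easy to spot by eye, but on a busy indexer the unresolved-description placeholder will quietly replace the real message on every event from an affected host. The following Python is an added example (not Splunk's code, and not from the original post) that parses forwarded events in the key=value layout shown above and counts, per ComputerName, how many carry the placeholder text instead of a real Message. The two sample events are constructed for this example: the first reproduces the broken event from the post, the second assumes a healthy 2008 R2 host (hostname DNSSVR048 and its record number are made up) whose Message field resolved to "The DNS service has started."

```python
import re
from collections import Counter

# Constructed sample input, modelled on the event layout shown in the post.
# Event 1 is the unresolved 2003 event; event 2 assumes a healthy 2008 R2 host.
SAMPLE_EVENTS = """04/19/2011 06:43:28 PM
LogName=DNS Server
SourceName=DNS
EventCode=2
EventType=4
Type=Information
ComputerName=DNSSVR047
Category=0
CategoryString=none
RecordNumber=90818
Message=Splunk could not get the description for this event. Either the
component that raises this event is not installed on your local computer
or the installation is corrupt.

04/19/2011 06:45:10 PM
LogName=DNS Server
SourceName=DNS
EventCode=2
EventType=4
Type=Information
ComputerName=DNSSVR048
Category=0
CategoryString=none
RecordNumber=1123
Message=The DNS service has started.
"""

# Phrase Splunk substitutes when it cannot render the event description.
UNRESOLVED_MARKER = "could not get the description for this event"

# A new event begins on a line that is nothing but a Windows-style timestamp.
TIMESTAMP_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M$")
# Field lines look like Key=Value; anything else continues the previous field.
KV_RE = re.compile(r"^([A-Za-z]+)=(.*)$")


def split_events(text):
    """Split raw forwarder text into lists of lines, one list per event."""
    events, current = [], []
    for line in text.splitlines():
        if TIMESTAMP_RE.match(line):
            if current:
                events.append(current)
            current = [line]
        elif current and line.strip():
            current.append(line)
    if current:
        events.append(current)
    return events


def parse_event(lines):
    """Turn one event's lines into a dict; multi-line values are joined with spaces."""
    fields = {"_time": lines[0]}
    last_key = None
    for line in lines[1:]:
        match = KV_RE.match(line)
        if match:
            last_key = match.group(1)
            fields[last_key] = match.group(2)
        elif last_key:
            # Continuation of a wrapped value such as the Message field.
            fields[last_key] += " " + line.strip()
    return fields


def message_is_unresolved(event):
    """True when the Message field holds the placeholder rather than real text."""
    return UNRESOLVED_MARKER in event.get("Message", "")


def unresolved_by_host(text):
    """Count unresolved-message events per ComputerName across the input."""
    counts = Counter()
    for event in map(parse_event, split_events(text)):
        if message_is_unresolved(event):
            counts[event.get("ComputerName", "unknown")] += 1
    return counts


if __name__ == "__main__":
    for host, n in unresolved_by_host(SAMPLE_EVENTS).items():
        print(f"{host}: {n} event(s) with unresolved Message text")
```

Running the block reports DNSSVR047 as the only host with unresolved messages, which is exactly the split the thread ends up describing: the 2003 server is affected, the 2008 R2 server is not. The same idea works inside Splunk as a scheduled search for that placeholder phrase grouped by host, so a forwarder whose messages silently degrade gets noticed rather than discovered later during an investigation.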


Re: Windows DNS event logs

Splunk Employee

This is an unfortunate but known problem. The Microsoft Event Log API for XP/2003 doesn't provide the channel log name, so processing the files into evtx fails. It's apparently difficult to resolve within Splunk.


Re: Windows DNS event logs

Explorer

That does appear to be the case. I installed a univ fwdr on my other DNS server running Server 2008 R2, and the events are complete, coming from the DNS event viewer on that server. Also tried installing the Server 2003 SP1 and SP2 Administration Tools on the indexer, but it didn't help. Splunk just can't decipher DNS logs from a server running 2003. Thanks.


Re: Windows DNS event logs

Motivator

This should probably be titled "DNS event forwarding". "Windows DNS Event Logs" gives the implication that there will be discussion of the meanings and interpretations of the logs themselves.
