I've configured my univ fwdr on my Windows DNS server (Server 2003) to send data from the DNS Server event viewer, and it's working. However, it's missing the main part of each event. This is what I see in Splunk:
04/19/2011 06:43:28 PM LogName=DNS Server SourceName=DNS EventCode=2 EventType=4 Type=Information ComputerName=DNSSVR047 Category=0 CategoryString=none RecordNumber=90818 Message=Splunk could not get the description for this event. Either the component that raises this event is not installed on your local computer or the installation is corrupt.
The 'Message' string should say something like "The DNS service has started."
The main indexer (ver 4.2) is running Server 2008 R2 and is receiving this data directly from the univ fwdr. I have installed the Remote Server Administrative Tools on the indexer, which includes the DNS mgmt tools, and theoretically, also includes the required files used by Splunk for the DNS API. I can successfully use the DNS mgmt tools from the indexer and connect to the DNS server and view the DNS Events in all of their intended glory.
This is an unfortunate but known problem. The Microsoft Event Log API for XP/2003 doesn't provide the channel log name, so processing the files into evtx fails. It's apparently difficult to resolve within Splunk.
That does appear to be the case. I installed a univ fwdr on my other DNS server running Server 2008 R2, and the events are complete, coming from the DNS event viewer on that server. Also tried installing the Server 2003 SP1 and SP2 Administration Tools on the indexer, but it didn't help. Splunk just can't decipher DNS logs from a server running 2003. Thanks.
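A triage check, added here as an example and not code from the thread or from Splunk: it parses forwarded event lines in the layout quoted in the question and counts, per ComputerName, the events whose Message is the Splunk placeholder, so the forwarders affected by this problem stand out. The second sample line, its hostname DNSSVR048 and its record number are constructed.

```python
import re

# Placeholder text Splunk writes when it cannot render the description (quoted in the question).
UNRESOLVED_MARKER = "Splunk could not get the description for this event"

# Constructed samples in the layout the question shows: the Server 2003 event carrying the
# placeholder, and a healthy event (hostname DNSSVR048 and its record number are made up).
SAMPLE_BROKEN = (
    "04/19/2011 06:43:28 PM LogName=DNS Server SourceName=DNS EventCode=2 "
    "EventType=4 Type=Information ComputerName=DNSSVR047 Category=0 "
    "CategoryString=none RecordNumber=90818 Message=Splunk could not get the "
    "description for this event. Either the component that raises this event is "
    "not installed on your local computer or the installation is corrupt."
)
SAMPLE_OK = (
    "04/19/2011 06:44:01 PM LogName=DNS Server SourceName=DNS EventCode=2 "
    "EventType=4 Type=Information ComputerName=DNSSVR048 Category=0 "
    "CategoryString=none RecordNumber=1201 Message=The DNS service has started."
)

# A value runs until the next " key=" token, so values with spaces ("DNS Server") survive.
_FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_event(line):
    """Split one forwarded Windows event line into a dict of its fields."""
    timestamp, _, rest = line.partition(" LogName=")
    # Message is always last and may itself contain '=' characters, so peel it off first.
    head, _, message = ("LogName=" + rest).partition(" Message=")
    fields = {"_time": timestamp, "Message": message}
    for m in _FIELD_RE.finditer(head):
        fields[m.group(1)] = m.group(2)
    return fields

def description_unresolved(fields):
    """True when the forwarder shipped the placeholder instead of the real description."""
    return fields.get("Message", "").startswith(UNRESOLVED_MARKER)

def unresolved_hosts(lines):
    """Count placeholder events per ComputerName to see which forwarders have this problem."""
    counts = {}
    for fields in map(parse_event, lines):
        if description_unresolved(fields):
            host = fields.get("ComputerName", "?")
            counts[host] = counts.get(host, 0) + 1
    return counts
```

Run it over a batch exported from the index; any host that appears in the result is shipping events without their descriptions.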
This should probably be titled "DNS event forwarding". "Windows DNS Event Logs" gives the implication that there will be discussion of the meanings and interpretations of the logs themselves.