How to onboard System32\winevt\Logs\Microsoft-Wind...

Rishabh_McKc · ‎08-21-2018

In my server I want to onboard DNS Audit logs in addition to DNS Events. DNS Audit logs are getting created in
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DNSServer%4Audit.evtx

Could you please help me how can i onbard it

Rishabh_McKc · ‎08-23-2018

I found the solution.

for getting logs on-boarded from the path: C:\Windows\System32\winevt\Logs\Microsoft-Windows-DNSServer%4Audit.evtx. We need below stanza in inputs.conf on universal forwarder:

[WinEventLog://Microsoft-Windows-DNSServer/Audit]
checkpointInterval = 5
current_only = 0
disabled = 0
index =
start_from = oldest

Add your comment...

vishaltaneja070 · ‎08-23-2018

I think you can monitor the above path, to onboard the logs to splunk

Rishabh_McKc · ‎08-23-2018

I found the solution.

for getting logs on-boarded from the path: C:\Windows\System32\winevt\Logs\Microsoft-Windows-DNSServer%4Audit.evtx. We need below stanza in inputs.conf on universal forwarder:

[WinEventLog://Microsoft-Windows-DNSServer/Audit]
checkpointInterval = 5
current_only = 0
disabled = 0
index =
start_from = oldest

How to onboard System32\winevt\Logs\Microsoft-Windows-DNSServer%4Audit.evtx

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability