Splunk Enterprise Security

How to onboard System32\winevt\Logs\Microsoft-Windows-DNSServer%4Audit.evtx

Explorer

In my server I want to onboard DNS Audit logs in addition to DNS Events. DNS Audit logs are getting created in
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DNSServer%4Audit.evtx

Could you please help me how can i onbard it

0 Karma

Explorer

I found the solution.

for getting logs on-boarded from the path: C:\Windows\System32\winevt\Logs\Microsoft-Windows-DNSServer%4Audit.evtx. We need below stanza in inputs.conf on universal forwarder:

[WinEventLog://Microsoft-Windows-DNSServer/Audit]
checkpointInterval = 5
currentonly = 0
disabled = 0
index =
start
from = oldest

Add your comment...

Motivator

I think you can monitor the above path, to onboard the logs to splunk

0 Karma

Explorer

I found the solution.

for getting logs on-boarded from the path: C:\Windows\System32\winevt\Logs\Microsoft-Windows-DNSServer%4Audit.evtx. We need below stanza in inputs.conf on universal forwarder:

[WinEventLog://Microsoft-Windows-DNSServer/Audit]
checkpointInterval = 5
currentonly = 0
disabled = 0
index =
start
from = oldest