Splunk Enterprise Security

How to onboard System32\winevt\Logs\Microsoft-Windows-DNSServer%4Audit.evtx

Rishabh_McKc
Explorer

In my server I want to onboard DNS Audit logs in addition to DNS Events. DNS Audit logs are getting created in
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DNSServer%4Audit.evtx

Could you please help me how can i onbard it

0 Karma

Rishabh_McKc
Explorer

I found the solution.

for getting logs on-boarded from the path: C:\Windows\System32\winevt\Logs\Microsoft-Windows-DNSServer%4Audit.evtx. We need below stanza in inputs.conf on universal forwarder:

[WinEventLog://Microsoft-Windows-DNSServer/Audit]
checkpointInterval = 5
current_only = 0
disabled = 0
index =
start_from = oldest

Add your comment...

vishaltaneja070
Motivator

I think you can monitor the above path, to onboard the logs to splunk

0 Karma

Rishabh_McKc
Explorer

I found the solution.

for getting logs on-boarded from the path: C:\Windows\System32\winevt\Logs\Microsoft-Windows-DNSServer%4Audit.evtx. We need below stanza in inputs.conf on universal forwarder:

[WinEventLog://Microsoft-Windows-DNSServer/Audit]
checkpointInterval = 5
current_only = 0
disabled = 0
index =
start_from = oldest

Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!