Splunk Enterprise Security

How to onboard System32\winevt\Logs\Microsoft-Windows-DNSServer%4Audit.evtx

Rishabh_McKc
Explorer

In my server I want to onboard DNS Audit logs in addition to DNS Events. DNS Audit logs are getting created in
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DNSServer%4Audit.evtx

Could you please help me how can i onbard it

0 Karma

Rishabh_McKc
Explorer

I found the solution.

for getting logs on-boarded from the path: C:\Windows\System32\winevt\Logs\Microsoft-Windows-DNSServer%4Audit.evtx. We need below stanza in inputs.conf on universal forwarder:

[WinEventLog://Microsoft-Windows-DNSServer/Audit]
checkpointInterval = 5
current_only = 0
disabled = 0
index =
start_from = oldest

Add your comment...

vishaltaneja070
Motivator

I think you can monitor the above path, to onboard the logs to splunk

0 Karma

Rishabh_McKc
Explorer

I found the solution.

for getting logs on-boarded from the path: C:\Windows\System32\winevt\Logs\Microsoft-Windows-DNSServer%4Audit.evtx. We need below stanza in inputs.conf on universal forwarder:

[WinEventLog://Microsoft-Windows-DNSServer/Audit]
checkpointInterval = 5
current_only = 0
disabled = 0
index =
start_from = oldest

Get Updates on the Splunk Community!

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...