Splunk Enterprise Security

Splunk App for Enterprise Security: How to troubleshoot why Network Resolution (DNS) Data Model won't build?

jsmith_splunk
Splunk Employee
Splunk Employee

I'm installing an Enterprise Security build and have run into an issue with getting DNS into the ES environment.

From search & reporting, I see 5 different dns sourcetypes, in ES the DNS Activity page is blank. When looking through the data model, I noticed that status is 'building' and the size on disk is 0.00.
Around 20 hours ago, I disabled acceleration on this data model, then re-enabled it, mostly just hoping it would shake something loose, but it has had no effect.

What are the things I could/should do to troubleshoot this issue?
Thanks!

0 Karma

mdessus_splunk
Splunk Employee
Splunk Employee

Based on the CIM standard (or the constraints on the Network Resolution datamodel), your data must be tagged as below to enter the datamodel (which is used by the ES dashbaords):

 tag=network tag=resolution tag=dns 

Do you have data matching this criteria ?
What is you log source for this: DNS logs ? Stream ?

jsmith_splunk
Splunk Employee
Splunk Employee

The only events I have with the network tag are from a cisco:asa sourcetype.
I don't have any resolution tags
For the DNS tag I have the following sourcetype
Perfmon:DNS
MSAD:NT6:DNS-Zone-Information
WinEventLog:DNS
MSAD:NT6:DNS-Health

Until yesterday I also had MSAD:NT6:DNS but needed to disable dns.logs due to licensing restraints.

0 Karma

mdessus_splunk
Splunk Employee
Splunk Employee

But what is your DNS log source ?
ASA will give you generic network logs, nothing specific to the DNS.
So you must add logs coming from your DNS server or generated by Stream.

0 Karma

jsmith_splunk
Splunk Employee
Splunk Employee

The data I have tagged as DNS:
My source(s) are
Perfmon:DNS
Powershell
WinEventLog:DNS Server

The hosts are my Active Directory servers which have the TA-DNSServer-NT6 app pushed to them.

0 Karma

mdessus_splunk
Splunk Employee
Splunk Employee

The perfmon will not help here.
May be the WinEventLog:DNS Server if there are logs saying which requests your resolver is doing.
If you do not have such logs, look here for configure them.
If you have DNS resolution logs, you must normalise them to make sure they are CIM compatible (look her for details).

0 Karma

jsmith_splunk
Splunk Employee
Splunk Employee

I think I'm in a spot then, without dns.log files it doesn't appear I'm going to get the data I need and with it I blow through my Splunk license in hours

0 Karma

mdessus_splunk
Splunk Employee
Splunk Employee

Of course, DNS might generate a lot of data.
You might use only the DNS request that failed to resolve, or use stream for logging only specific case of DNS request (like the one from suspicious users...). This depends on your use case: security, troubleshooting, DNS monitoring...

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...