I'm installing an Enterprise Security build and have run into an issue with getting DNS into the ES environment.
From Search & Reporting I see 5 different DNS sourcetypes, but in ES the DNS Activity page is blank. When looking through the data model, I noticed that the status is 'building' and the size on disk is 0.00.
Around 20 hours ago, I disabled acceleration on this data model, then re-enabled it, mostly just hoping it would shake something loose, but it has had no effect.
What are the things I could/should do to troubleshoot this issue?
Thanks!
Based on the CIM standard (or the constraints on the Network Resolution data model), your data must be tagged as below to enter the data model (which is used by the ES dashboards):
tag=network tag=resolution tag=dns
Do you have data matching these criteria?
What is your log source for this: DNS logs? Stream?
The only events I have with the network tag are from a cisco:asa sourcetype.
I don't have any resolution tags.
For the DNS tag I have the following sourcetypes:
Perfmon:DNS
MSAD:NT6:DNS-Zone-Information
WinEventLog:DNS
MSAD:NT6:DNS-Health
Until yesterday I also had MSAD:NT6:DNS but needed to disable dns.logs due to licensing restraints.
But what is your DNS log source?
ASA will give you generic network logs, nothing specific to the DNS.
So you must add logs coming from your DNS server or generated by Stream.
The data I have tagged as DNS:
My source(s) are:
Perfmon:DNS
Powershell
WinEventLog:DNS Server
The hosts are my Active Directory servers which have the TA-DNSServer-NT6 app pushed to them.
The perfmon will not help here.
Maybe the WinEventLog:DNS Server, if there are logs saying which requests your resolver is doing.
If you do not have such logs, look here for how to configure them.
If you have DNS resolution logs, you must normalise them to make sure they are CIM compatible (look here for details).
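As an added example (not from this thread or the TA-DNSServer-NT6 app), here is one way to tag WinEventLog:DNS Server events with the three tags the Network_Resolution data model requires and alias the fields it expects. The eventtype name, the EventCode placeholder and the raw field names on the right-hand side of the aliases are assumptions about the poster's environment and must be adjusted to what the events actually contain.

```ini
# eventtypes.conf (search head, local/): select only the resolution events.
# The eventtype name is assumed; <QUERY_EVENT_CODE> is a placeholder for the
# EventCode your DNS Server writes for query/response events.
[dns_server_resolution]
search = sourcetype="WinEventLog:DNS Server" EventCode=<QUERY_EVENT_CODE>

# tags.conf: the data model constraint is tag=network tag=resolution tag=dns.
# Perfmon:DNS, DNS-Zone-Information and DNS-Health are deliberately not
# tagged here, since they describe the server, not individual lookups.
[eventtype=dns_server_resolution]
network = enabled
resolution = enabled
dns = enabled

# props.conf: map raw fields to the CIM names the DNS dataset expects
# (query, src, dest, reply_code, message_type). The raw names on the left
# (Query_Name, Client_IP, ...) are assumptions; check them with a raw search.
[WinEventLog:DNS Server]
FIELDALIAS-cim_dns_query   = Query_Name AS query
FIELDALIAS-cim_dns_src     = Client_IP AS src
FIELDALIAS-cim_dns_dest    = Server_IP AS dest
FIELDALIAS-cim_dns_rcode   = Response_Code AS reply_code
EVAL-message_type = if(isnull(Response_Code), "Query", "Response")
```

After deploying, `tag=network tag=resolution tag=dns | stats count by sourcetype` shows whether events now satisfy the constraint, and `| datamodel Network_Resolution DNS search | stats count by sourcetype` shows what the accelerated model will actually pick up.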
I think I'm in a spot then: without dns.log files it doesn't appear I'm going to get the data I need, and with them I blow through my Splunk license in hours.
Of course, DNS might generate a lot of data.
You might use only the DNS requests that failed to resolve, or use Stream to log only specific cases of DNS requests (like the ones from suspicious users...). This depends on your use case: security, troubleshooting, DNS monitoring...