Splunk Enterprise

DNS/DSC logs into Splunk

Mridu27
Engager

I'm trying to configure Windows DNS/DSC server logs into Splunk.

I'm done with the Audit logs, but the Operational logs are creating an error in Splunk, which I think may be because of the %4 in the name (please refer to the image).

Is there any other way to get these logs into Splunk? I tried it with * (wildcard) as well.

message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventMon::configure: Failed to find Event Log with channel name='Microsoft-Windows-DSC_Operational'

message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventMon::configure: Failed to find Event Log with channel name='Microsoft-Windows-DSC-Operational'

message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventMon::configure: Failed to find Event Log with channel name='Microsoft-Windows-DSC*'

message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventMon::configure: Failed to find Event Log with channel name='Microsoft-Windows-DSC%4Operational'

message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventMon::configure: Failed to find Event Log with channel name='Microsoft-Windows-DSC Operational'

 

Tried almost all combinations.

0 Karma

livehybrid
SplunkTrust

Hi @Mridu27 

Use the exact channel name as listed by PowerShell on the server. The names shown in the Event Viewer GUI might not be the programmatic names required by the Splunk forwarder.

To find the correct channel name for DSC Operational logs, run this PowerShell command on the Windows server:

Get-WinEvent -ListLog *DSC* | Select-Object LogName

 

Similarly, for DNS Operational logs:

Get-WinEvent -ListLog *DNS* | Select-Object LogName

 

Use the LogName value returned by PowerShell in your inputs.conf.

 

# Example inputs.conf on the Universal Forwarder

# For DSC Operational logs (use the exact name found via PowerShell)
[WinEventLog://Microsoft-Windows-DSC/Operational]
disabled = 0
index = winevents
sourcetype = WinEventLog:Microsoft-Windows-DSC/Operational

# For DNS Server Operational logs (use the exact name found via PowerShell)
[WinEventLog://Microsoft-Windows-DNS-Server/Operational]
disabled = 0
index = winevents
sourcetype = WinEventLog:Microsoft-Windows-DNS-Server/Operational

The Splunk Universal Forwarder requires the precise channel name registered with the Windows Event Log service. Characters like %4 seen in some GUI tools are often display artifacts and not part of the actual channel name. Separators are typically forward slashes (/), not underscores (_), hyphens (-), or spaces. Wildcards (*) are not supported directly within the channel name specification in the stanza header.

  • Ensure the Splunk Universal Forwarder service account has permissions to read the specified event log channels.
  • Restart the Splunk Universal Forwarder service after modifying inputs.conf.
  • Monitor Windows event log data

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
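
An added example, not part of the original thread or any poster's code: a PowerShell script that converts the %4 file name from the question into the channel name, checks that the Event Log service has that channel registered, and prints inputs.conf stanzas for every channel matching *DSC* and *DNS*. The function names are assumptions made for this example, and the default index name winevents is taken from the answer above.

```powershell
# Added example, not from the original thread.
# Assumption: index name 'winevents' as in the answer above; adjust to your environment.
param(
    [string[]]$Pattern = @('*DSC*', '*DNS*'),
    [string]$Index = 'winevents'
)

function ConvertFrom-EvtxFileName {
    # On disk, '/' in a channel name is stored as '%4' in the .evtx file name.
    param([Parameter(Mandatory)][string]$FileName)
    [System.IO.Path]::GetFileNameWithoutExtension($FileName) -replace '%4', '/'
}

function New-WinEventLogStanza {
    param([string[]]$Pattern, [string]$Index)
    # Ask the Event Log service for the registered channels; a pattern that
    # matches nothing only raises a non-terminating error, which is suppressed.
    $logs = Get-WinEvent -ListLog $Pattern -ErrorAction SilentlyContinue |
        Sort-Object LogName -Unique
    foreach ($log in $logs) {
        if (-not $log.IsEnabled) {
            "# NOTE: channel is disabled in Windows, so it records no events"
        }
        "[WinEventLog://$($log.LogName)]"
        "disabled = 0"
        "index = $Index"
        ""
    }
}

# Constructed sample: the file name as it appears under %SystemRoot%\System32\winevt\Logs
$sample = 'Microsoft-Windows-DSC%4Operational.evtx'
$channel = ConvertFrom-EvtxFileName -FileName $sample
"File name : $sample"
"Channel   : $channel"

# Confirm the derived name is registered before putting it in inputs.conf
if (Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue) {
    "Registered: yes"
} else {
    "Registered: no (check the name)"
}

# Emit stanzas for every channel matching the patterns
New-WinEventLogStanza -Pattern $Pattern -Index $Index
```

Run it on the server that hosts the logs and compare the printed stanza headers with the channel names in the forwarder's "Failed to find Event Log" messages.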

kiran_panchavat
Champion

@Mridu27 

Ensure that the channel name you're using matches exactly what is listed in the Event Viewer. Sometimes, even small discrepancies can cause errors.

https://community.splunk.com/t5/Getting-Data-In/Failed-to-find-Event-Log/m-p/363954 

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma