To troubleshoot that app, try manually running the powershell script to make sure it is pointing to the log and reading it correctly. That's how we found some of the pathing problems. After making sure the powershell script is working properly, check your configs to make sure their paths are correct.
We haven't moved it out of the lab yet - although it's sending logs to our Splunk test environment. We are working on some filtering rules for the indexer. It's running Windows Server 2012 R2, and we have installed both the app that I linked as well as the official app and add-on.
I hope it works for you! We are exploring similar use cases, would love to hear how it works for you & your security team.
Yes, we have got it working - in the lab.
In Windows Server 2012, the analytical log was changed from a text-based .evtx file to a binary .etl file. This binary file cannot be read by the Splunk Universal Forwarder. Unfortunately, the documentation on the Splunk website does NOT let you know that their official instructions only work for Windows Server 2008 and before.
We got it working (at least in the lab) by using the community add-on at this link --> https://splunkbase.splunk.com/app/2937/
It uses a powershell script to read the .etl file every minute. Unfortunately, it does not work out-of-the-box. You have to fix the paths! I don't remember what exactly the paths were, but I found the second reply to this post --> https://answers.splunk.com/answers/339934/can-the-windows-dns-analytical-and-diagnostic-logs.html
I have copy pasted the post below:
I had to make a couple of changes to the .\TS-windnsanalytical\bin\get_dns_analytics.path file to get everything to work:
$SPLUNK_HOME is not set on the deployment client, so need to explicitly add the full path to SplunkUniversalForwarder.
Also, the Download tarball expands to TA-windnsanalytical not TA-WindowsDNSAnalytical
Original get_dns_analytics.path file:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& '$SPLUNK_HOME\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1'"
Working get_dns_analytics.path file:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-windnsanalytical\bin\get_dns_analytics.ps1'" and it looks about right.
Hope this helps!
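The two replies above both come down to the same check: run the PowerShell collector by hand and confirm it can find and read the analytical .etl file before touching the .path file. The script below is an added example, not the add-on's own get_dns_analytics.ps1; the default log location and the checkpoint file path are assumptions you may need to adjust.

```powershell
# Added example (not the TA-windnsanalytical script): read the DNS Server
# analytical .etl log the way a Splunk UF scripted input would, emitting one
# line per event so you can verify the path and the output before deploying.
param(
    # Default analytical log location on Windows Server 2012 R2 (assumption;
    # change it if DNS diagnostic logging was enabled to a different file).
    [string]$LogPath = "$env:SystemRoot\System32\Winevt\Logs\Microsoft-Windows-DNSServer%4Analytical.etl",
    # Checkpoint so a run every minute only emits events newer than the last run.
    [string]$Checkpoint = "$env:ProgramData\dns_analytics_checkpoint.txt"
)

if (-not (Test-Path -LiteralPath $LogPath)) {
    Write-Error "Analytical log not found at $LogPath - check DNS diagnostic logging and the path in the .path/.ps1 files."
    exit 1
}

$since = [datetime]::MinValue
if (Test-Path -LiteralPath $Checkpoint) {
    $since = [datetime]::Parse((Get-Content -LiteralPath $Checkpoint -Raw).Trim())
}

# .etl trace files can only be read oldest-first, so -Oldest is required.
$events = Get-WinEvent -Path $LogPath -Oldest -ErrorAction SilentlyContinue |
    Where-Object { $_.TimeCreated -gt $since }

$latest = $since
foreach ($e in $events) {
    # One key=value line per event; Splunk extracts these fields automatically.
    $msg = ($e.Message -replace '\r?\n', ' ')
    '{0} EventID={1} Level={2} Message="{3}"' -f $e.TimeCreated.ToString('o'), $e.Id, $e.LevelDisplayName, $msg
    if ($e.TimeCreated -gt $latest) { $latest = $e.TimeCreated }
}

# Persist the newest timestamp seen so the next run does not re-send events.
if ($latest -gt $since) {
    $latest.ToString('o') | Set-Content -LiteralPath $Checkpoint
}
```

Run it once from an elevated PowerShell prompt on the DNS server: no output with no error means the file was found but holds no new events, while a path error points at the same .path/.ps1 path mismatch described in the replies above.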
We are trying to Splunk our DNS logging for Windows Server 2012 R2, but cannot get the analytical log forwarded. We followed the directions on the Microsoft technet website to download the hotfix and enable analytical logging. We can see the events in our event log. We downloaded the Splunk App for Windows Infrastructure and the Splunk Add-on for Microsoft Windows DNS. We are able to see Perfmon:DNS events, just not the analytical logs. Our inputs stanza for debug logging is as below:
# DNS Debug Logging
Any help would be appreciated! Thank you!