Yes, we have got it working - in the lab.
In Windows Server 2012, the analytical log was changed from a text-based .evtx file to a binary .etl file. This binary file cannot be read by the Splunk Universal Forwarder. Unfortunately, the documentation on the Splunk website does NOT let you know that their official instructions only work for Windows Server 2008 and before.
We got it working (at least in the lab) by using the community add-on at this link --> https://splunkbase.splunk.com/app/2937/
It uses a PowerShell script to read the .etl file every minute. Unfortunately, it does not work out-of-the-box. You have to fix the paths! I don't remember what exactly the paths were, but I found the second reply to this post --> https://answers.splunk.com/answers/339934/can-the-windows-dns-analytical-and-diagnostic-logs.html
I have copy pasted the post below:
I had to make a couple of changes to the .\TS-windnsanalytical\bin\get_dns_analytics.path file to get everything to work:
$SPLUNK_HOME is not set on the deployment client, so need to explicitly add the full path to SplunkUniversalForwarder.
Also, the Download tarball expands to TA-windnsanalytical not TA-WindowsDNSAnalytical
Original get_dns_analytics.path file:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& '$SPLUNK_HOME\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1'"
Working get_dns_analytics.path file:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-windnsanalytical\bin\get_dns_analytics.ps1'" and it looks about right.
Hope this helps!
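One way to do the per-minute read that the add-on's script performs, as an added example that is not the add-on's own code: a PowerShell scripted input that reads the DNS Server analytical .etl file, skips events already forwarded using a checkpoint file, and writes one line per event to stdout for the Universal Forwarder to index. The log path and the checkpoint file name are assumptions; adjust them to your deployment.

```powershell
# Added example, not the TA-windnsanalytical script. Assumes the default DNS analytical
# log location below and a checkpoint file beside the script (both are assumptions).
$LogPath    = 'C:\Windows\System32\winevt\Logs\Microsoft-Windows-DNSServer%4Analytical.etl'
$Checkpoint = Join-Path $PSScriptRoot 'dns_analytical.checkpoint'

# Timestamp (UTC) of the last event already forwarded; start from the beginning if none.
$since = [datetime]::MinValue
if (Test-Path $Checkpoint) {
    $ticks = [long](Get-Content -Path $Checkpoint -Raw).Trim()
    $since = New-Object DateTime($ticks, [DateTimeKind]::Utc)
}

# -Oldest is required when reading .etl files; events come back in write order.
try {
    $events = Get-WinEvent -Path $LogPath -Oldest -ErrorAction Stop
} catch {
    # "No events were found" is normal on a quiet server; anything else is worth surfacing.
    if ($_.Exception.Message -notmatch 'No events were found') { Write-Error $_ }
    return
}

$latest = $since
foreach ($e in $events) {
    $t = $e.TimeCreated.ToUniversalTime()
    if ($t -le $since) { continue }          # already forwarded by an earlier run
    if ($t -gt $latest) { $latest = $t }

    # On a forwarder without the DNS provider manifest the rendered Message can be empty,
    # so emit the event id and the raw property payload, which are always present.
    $props = (($e.Properties | ForEach-Object { $_.Value }) -join '|') -replace '"', "'"
    $stamp = $t.ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
    Write-Output ('{0} EventID={1} Task={2} Properties="{3}"' -f $stamp, $e.Id, $e.Task, $props)
}

# Persist the checkpoint only after a successful pass so a failed run is retried, not skipped.
if ($latest -gt $since) { $latest.Ticks | Set-Content -Path $Checkpoint }
```

Point the .path file at this script in place of get_dns_analytics.ps1 and keep the one-minute interval in inputs.conf; the checkpoint file must be writable by the account the forwarder runs as.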