All Apps and Add-ons

How to correctly deploy DNS analytical and diagnostic logs to capture all FQDN queries on Windows Server 2012

gawilliams
Explorer

Long story short, I'm trying to log DNS queries (query name/FQDN and requesting host's IP) into Splunk so I can see which hosts try to resolve which FQDN's, and am trying to accomplish this via native DNS logging on Windows Server 2012 (not debug logging because it could break the DNS servers due to high traffic volume). Below is more detail/context:

I've deployed the full App for Windows Infrastructure across Splunk Enterprise as directed. There is a Domain Controller (serving DNS) running on Windows Server 2012 with the Audit and analytic event logging enabled, and I've deployed the TA_windows and TA_microsoft_dns add-ons to that server. I'm seeing DNS events coming through on the search heads, but can't find any events with actual DNS lookups (e.g., FQDN query and requesting IP) which is all I really care about for now. So, is the TA_microsoft_dns even able to grab this level of detail? Is the native Windows Server 2012 DNS logging able to do this? Per TechNet (link below) on 2012 DNS logging, I think event ID's 257-259 would contain this detail, so maybe the Server's DNS logging hasn't been setup appropriately?

Has anyone done this successfully that could help guide me through this? For more context, I've tried using Splunk Stream, but apparently the DNS server volume is too high and the Universal Forwarder can't keep up with Stream's packet capture (~10k DNS queries per second), even with maxKBs set to '0' in the limits.conf file. Thanks in advance for help anyone can offer.

TechNet Article on 2012 logging: technet.microsoft.com/en-us/library/dn800669.aspx

woodcock
Esteemed Legend

Almost nobody gets DNS events from a Windows server from the logs, the smart way is to pull them off the wire with stream. Trust me: you will regret trying to do any correlations with the app logs but it will all be a BREEZE with stream:

http://www.rfaircloth.com/2015/11/06/get-started-with-splunk-app-stream-6-4-dns/

0 Karma

gawilliams
Explorer

Thanks for the input, we've actually tried Stream but our DNS servers (sitting on Windows machines) get too much traffic, the universal forwarder creates a bottleneck for the stream forward agent and it drops packets (even with maxKBps=0). The stand alone stream agent would likely work, but they currently only support this on Linux.

0 Karma

nmohammed
Contributor

@gawilliams

Were you able to send these ETL logs using universal Forwarder and Add-on ?

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...