Getting Data In

Why is winEvent: DNS Server not getting across to Splunk Indexer for TA_Windows?

monug8
Loves-to-Learn Lots

Currently, I am trying to extract the DNS logs from TA_Windows where the inputs.conf file has [WinEventLog: //DNS Server) disabled=0, but it is still not working. I am trying to get DNS logs into the index (microsoft_windows) on the indexer.

I have DNS server role installed on the machine. UF is also installed but still not working. I have seen many other blogs but not exactly pointing out the solution.

Any help will be appreciated.

Thanks


monug8
Loves-to-Learn Lots

We have resolved DNS logs without using TA_Windows, but I still found that there are some issues with WinEventViewer for ADFS Trace logs. After enabling advanced logging on ADFS, I am still not getting ADFS Trace logs.


scelikok
SplunkTrust

Hi @monug8,

You don't need PowerShell or anything else if you can see DNS Server events inside Event Viewer. Maybe there is a mismatch between your Event channel name and input stanza. Could you please share a screenshot of your Event Viewer showing your DNS Server events tree and your inputs.conf stanza?

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.

monug8
Loves-to-Learn Lots

@scelikok I did not get it when you said mismatch. The inputs.conf is pretty standard, provided by the Splunk Add-on for Windows:

Sorry, I cannot provide DNS events; they are also pretty standard DNS events.


Thanks


monug8
Loves-to-Learn Lots

I am wondering if any PowerShell script runs as part of [WinEventLog:// DNS Server]?

If yes, then we have a policy to stop PowerShell scripts remotely; only signed PowerShell scripts are allowed.

Not sure about this @gcusello 


gcusello
SplunkTrust

Hi @monug8,

At first, check if DNS monitoring is enabled at the Windows level (not in Splunk).

Then check if the user used to run Splunk has the rights to execute PowerShell scripts.

Ciao.

Giuseppe


monug8
Loves-to-Learn Lots

@gcusello, as I said in my last post, we are not allowing any PowerShell script to be executed on the DNS server, so you believe that is the issue here.

Does the DNS server log input kick off a PS script as part of collecting logs from Event Viewer?

What do you mean by "DNS monitoring is enabled at Windows level"? Is this related to DNS logging and diagnostics?

I can see DNS events in Event Viewer, so it means DNS monitoring is enabled at the Windows level.


Thanks


gcusello
SplunkTrust

Hi @monug8 ,

Are the events from DNS there in the Windows Event Viewer (not in Splunk)?

If yes, they already arrive in Splunk and you should find them in wineventlog; if they aren't in Windows Event Viewer, you have to enable DNS logging on Windows.

If they are in Windows Event Viewer but not in Splunk and you have other EventLogs, check if there's some whitelist or blacklist in inputs.conf.

Ciao.

Giuseppe


gcusello
SplunkTrust

Hi @monug8,

Let me understand:

Did you install the Universal Forwarder on the DNS Server?

Are you receiving other logs from that host?

Did you enable logging on the DNS Server?

Ciao.

Giuseppe


monug8
Loves-to-Learn Lots

Hi @gcusello, yes, I have installed the UF on the Windows machine where the DNS Server role is installed.

Yes, I am receiving other OS logs (WinEventLog:Application, Security) to the Splunk indexer.

Yes, I enabled DNS logs as per below:

#### WinEventLog Inputs for DNS ########
[WinEventLog:// DNS Server]
disabled=0
renderXml=false
index = microsoft_windwos

Still not getting DNS logs. I can see those logs in Event Viewer on Windows, but they are not appearing in the Splunk indexer.

Note: I am using the Technical Add-on called Splunk_TA_windows.

Thanks


PickleRick
SplunkTrust

Did you copy-paste that config excerpt? Because there is most probably a typo here.

index = microsoft_windwos

If you have a last-chance index set your events would land there. If you don't, they would get discarded.

Unless of course your index is indeed called "microsoft_windwos"

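The two failure modes raised in this thread (a channel name that does not match what Event Viewer shows, and an index name that does not exist on the indexer, so events are dropped or land in the last-chance index) can be caught before deployment by linting the stanza. The following is an added example, not code from the thread or from Splunk_TA_windows; the stanza text is the one posted above, and the index and channel lists are constructed stand-ins for what indexes.conf and Event Viewer would show.

```python
"""Lint WinEventLog stanzas in a Splunk inputs.conf (added example)."""
import configparser
import re

# Constructed sample: the stanza as posted in the thread, including the
# mistyped index name and the space after "//" in the channel name.
SAMPLE_INPUTS_CONF = """\
#### WinEventLog Inputs for DNS ########
[WinEventLog:// DNS Server]
disabled=0
renderXml=false
index = microsoft_windwos
"""

# Constructed: indexes defined on the indexer and channels present on the
# host (as listed by Event Viewer). Replace with your own environment's.
KNOWN_INDEXES = {"main", "wineventlog", "microsoft_windows"}
KNOWN_CHANNELS = {"Application", "Security", "System", "DNS Server"}


def lint_wineventlog_inputs(conf_text, indexes, channels):
    """Return (stanza, problem) pairs for every WinEventLog:// stanza."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written, e.g. renderXml
    cp.read_string(conf_text)
    problems = []
    for stanza in cp.sections():
        m = re.match(r"WinEventLog://(.*)$", stanza)
        if not m:
            continue  # not an Event Log input; skip
        channel = m.group(1)
        if channel != channel.strip():
            # Leading/trailing whitespace is almost always unintended and
            # is the first thing to compare against the Event Viewer name.
            problems.append((stanza, "whitespace around channel name"))
        if channel.strip() not in channels:
            problems.append((stanza, f"channel not on host: {channel.strip()!r}"))
        if cp.get(stanza, "disabled", fallback="0").strip() not in ("0", "false"):
            problems.append((stanza, "input is disabled"))
        idx = cp.get(stanza, "index", fallback=None)
        if idx is not None and idx.strip() not in indexes:
            problems.append((stanza, f"index not defined on indexer: {idx.strip()!r}"))
    return problems


if __name__ == "__main__":
    for stanza, problem in lint_wineventlog_inputs(
            SAMPLE_INPUTS_CONF, KNOWN_INDEXES, KNOWN_CHANNELS):
        print(f"[{stanza}] {problem}")
```

Run against the posted stanza it reports the whitespace in the channel name and the undefined index `microsoft_windwos`; a corrected stanza `[WinEventLog://DNS Server]` with `index = microsoft_windows` reports nothing.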