
Microsoft DNS Debug and monitorNoHandle

s0mar
Explorer

We are running Splunk Universal Forwarder 6.0.1 on Windows Server 2008 R2. We are currently only trying to capture the Microsoft DNS Debug logs.

We have already reviewed several posts and links, including these:

answers.splunk.com/answers/35259/best-method-for-pulling-microsoft-dns-logs-with-splunk?page=1&focusedAnswerId=37702#37702

stratumsecurity.com/2012/07/03/splunk-security/

godlessheathenmemoirs.blogspot.com/2011/08/gathering-detailed-dns-debug-logs-from.html

godlessheathenmemoirs.blogspot.com/2013/07/dns-log-timestamps-and-splunk-revisited_16.html

When we configure inputs.conf with monitor, we receive events, BUT when the DNS Debug Log rolls, it does NOT get recreated unless we restart the DNS Server service.

[monitorNoHandle://D:\DNS\DnsDebugLog.txt]
sourcetype = DnsDebugLog
crcSalt = <SOURCE>
disabled = 0
index = ourwindns

With the above inputs.conf, we have confirmed the DNS Debug Log is successfully recreated when the log rolls, but we do NOT see any events in Splunk.

When we were experimenting, we did see it briefly work, but source = MonitorNoHandle (with monitor, source = D:\DNS\DnsDebugLog.txt). This could be expected behavior, but there is not much information that I could find for monitorNoHandle.

As mentioned in this post: answers.splunk.com/answers/104407/windows-7-32-bit-install-of-splunk-6, we attempted the sc query command and it existed in a stopped state.

Any suggestions? Any and all help appreciated.

Thanks in advance!


jg91
Path Finder

I have the same problem with MonitorNoHandle for dns.log.

Did you solve it?


DBuhler
Explorer

I'm having exactly the same issue.
I had MonitorNoHandle working before, with the dns log in the default path: C:\Windows\System32\dns\dns.log

However after updating the windows server (the dns server) I stopped receiving anything from this file on Splunk.
Is there any reason for this?

Has anyone solved this situation?


wolfbu
New Member

The "monitor" option works, but "monitornohandle" doesn't work in my env either.


niemesrw
Path Finder

I think it has something to do with the file location - monitoring the dns.log file worked fine for us until we moved it to a different drive & directory. The default c:\windows\system32\dns worked fine with just regular file monitoring. I'm going to try the MonitorNoHandle and see if that works better in the new location.


sogeniusio
Path Finder

What was the verdict on this? Did it work in your environment?


woodcock
Esteemed Legend

Your configuration should work as-is, but you should not use crcSalt= or you will get every log more than once (every time it rotates and gets a new name, all the contents will be indexed again). Maybe you are confused by the fact that when using monitorNoHandle on a file that already exists (as yours does), Splunk does not index its current contents, but only new information that comes into the file as it gets written to.

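To make the rotation point concrete (the crcSalt = <SOURCE> line in the question's stanza and the re-indexing woodcock describes above), here is an added example; it is not code from the thread, from Splunk, or from its documentation, but a small Python model of how a file monitor decides what to read. It assumes, as stated in the comments, that a file is fingerprinted by a CRC over its first initCrcLength bytes (default 256) with crcSalt = <SOURCE> mixing the path into that CRC, that a fishbucket remembers the byte offset already read per fingerprint, that a file shorter than its recorded offset is treated as truncated and re-read from the start, and that the DNS debug log rolls by being renamed and then recreated with an identical header. The rotated file name and the log lines are constructed for the demonstration.

```python
"""
Added example (not from the thread or from Splunk): a simplified model of a
file monitor's fingerprint and offset tracking, used to show why a salted
fingerprint re-indexes a rotated copy of the log. Model assumptions: the
fingerprint is a CRC over the first INIT_CRC_LENGTH bytes, crcSalt = <SOURCE>
appends the path before hashing, the fishbucket stores one read offset per
fingerprint, a file shorter than its stored offset counts as truncated, and
the log rotates by rename and is recreated with the same header.
"""
import os
import tempfile
import zlib

INIT_CRC_LENGTH = 256  # Splunk's default initCrcLength

# Constructed header, padded past INIT_CRC_LENGTH so that, as with a real DNS
# debug log, the fingerprint covers only the constant header text.
HEADER = ("DNS Server log file (constructed sample header) ".ljust(300, "-") + "\n").encode()


def fingerprint(path, salt_with_source):
    """CRC over the file head; with crcSalt = <SOURCE> the path is salted in."""
    with open(path, "rb") as f:
        head = f.read(INIT_CRC_LENGTH)
    if salt_with_source:
        head += path.encode()
    return zlib.crc32(head)


class Fishbucket:
    """Per-fingerprint read offsets, standing in for Splunk's fishbucket."""

    def __init__(self, salt_with_source):
        self.salt_with_source = salt_with_source
        self.offsets = {}  # fingerprint -> number of bytes already indexed

    def read_new(self, path):
        """Return the lines that would be indexed from `path` on this pass."""
        fp = fingerprint(path, self.salt_with_source)
        offset = self.offsets.get(fp, 0)
        if os.path.getsize(path) < offset:
            offset = 0  # file shrank: treated as truncated, re-read from the start
        with open(path, "rb") as f:
            f.seek(offset)
            data = f.read()
        self.offsets[fp] = offset + len(data)
        return data.decode().splitlines()


def simulate(salt_with_source):
    """Index a log, rotate it by rename, recreate it, then index again.

    Returns the event lines indexed across both passes; a repeated line is a
    duplicate event in the index.
    """
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "DnsDebugLog.txt")
        rotated = os.path.join(d, "DnsDebugLog.txt.old")  # hypothetical rotated name
        bucket = Fishbucket(salt_with_source)
        indexed = []

        with open(log, "wb") as f:
            f.write(HEADER + b"event 1\n" + b"event 2\n")  # constructed events
        indexed += bucket.read_new(log)  # pass 1: fresh file, everything is new

        os.rename(log, rotated)  # the log rolls (assumed: rotation by rename)
        with open(log, "wb") as f:
            f.write(HEADER + b"event 3\n")  # recreated with the same header

        indexed += bucket.read_new(rotated)  # pass 2: both files are now visible
        indexed += bucket.read_new(log)

    return [line for line in indexed if line.startswith("event")]


if __name__ == "__main__":
    print("crcSalt = <SOURCE>:", simulate(True))   # events 1 and 2 appear twice
    print("no crcSalt:        ", simulate(False))  # each event appears once
```

With the salt, the renamed copy hashes to a new fingerprint (its path changed), so the monitor starts it from offset 0 and re-indexes everything it already read; without the salt the copy keeps its fingerprint and its offset, and only the recreated file's new line is read. The same run also shows the situation crcSalt = <SOURCE> was designed for: without it, the rotated copy and the recreated file share one fingerprint because their first 256 bytes are identical, so they share one offset entry.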

s0mar
Explorer

One of our two servers also has this in the stanza.

_TCP_ROUTING = SplunkServer

It is not working either.


cchitten
Path Finder

did you ever solve this?
