Getting Data In

What is the best way to collect all DNS queries by client and Responses sent back by a Windows 2012 DNS Server with a universal forwarder?

shafqat571
Explorer

We have Universal Forwarder installed on MS Windows 2012 DNS server.

What is the best way to collect all the DNS queries by client and the responses sent back by the DNS server?

adayton20
Contributor

You can also install and configure sysmon.

https://technet.microsoft.com/en-us/sysinternals/sysmon
http://blogs.splunk.com/2014/11/24/monitoring-network-traffic-with-sysmon-and-splunk/

The event code that would interest you is EventCode=3

You're also able to see which application is making the DNS query and any command line entries initiating the communication.

I'm using it on my home lab and have worked contracts in the past where customers were leveraging sysmon logs with Splunk. If you choose to use this option, make sure you filter events properly, both in the sysmon.xml config and in your inputs.conf (for Windows events) and/or prop.conf/transforms.conf for sending noisy events to a nullqueue. Ensure you test it first. Sysmon can generate an absurd amount of logs if not configured correctly.

0 Karma
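As an added illustration of the filtering point above (this is not code from the answer or from Splunk), the following Python parses Sysmon Event ID 3 records in the Windows event XML format, keeps only connections to destination port 53, and counts them per originating process. The sample events are constructed; field names follow Sysmon's EventData layout (Image, Protocol, DestinationIp, DestinationPort). Doing this reduction before indexing is the same idea as routing noisy events to nullQueue in props.conf/transforms.conf.

```python
"""Reduce Sysmon Event ID 3 (network connection) records to DNS traffic per process.

Added example, not code from the thread. Input is the event XML as exported from the
Windows event log; the SAMPLE_EVENTS below are constructed for the demonstration.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Sysmon writes its events into the standard Windows event schema namespace.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: two lookups from PowerShell, one from the system resolver
# service, and one HTTPS connection that a DNS-focused input should discard.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>3</EventID></System>
 <EventData>
  <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
  <Data Name="Protocol">udp</Data>
  <Data Name="DestinationIp">10.0.0.53</Data>
  <Data Name="DestinationPort">53</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>3</EventID></System>
 <EventData>
  <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
  <Data Name="Protocol">tcp</Data>
  <Data Name="DestinationIp">10.0.0.53</Data>
  <Data Name="DestinationPort">53</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>3</EventID></System>
 <EventData>
  <Data Name="Image">C:\Windows\System32\svchost.exe</Data>
  <Data Name="Protocol">udp</Data>
  <Data Name="DestinationIp">10.0.0.53</Data>
  <Data Name="DestinationPort">53</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>3</EventID></System>
 <EventData>
  <Data Name="Image">C:\Program Files\Google\Chrome\Application\chrome.exe</Data>
  <Data Name="Protocol">tcp</Data>
  <Data Name="DestinationIp">93.184.216.34</Data>
  <Data Name="DestinationPort">443</Data>
 </EventData>
</Event>
</Events>"""


def parse_events(xml_text):
    """Return a list of (event_id, {field: value}) tuples from an <Events> document."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        event_id = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        events.append((event_id, data))
    return events


def dns_connections(events):
    """Keep only Event ID 3 records whose destination port is 53 (UDP or TCP)."""
    return [data for event_id, data in events
            if event_id == 3 and data.get("DestinationPort") == "53"]


def dns_by_image(events):
    """Count DNS connections per originating executable."""
    return Counter(data["Image"] for data in dns_connections(events))


if __name__ == "__main__":
    for image, count in dns_by_image(parse_events(SAMPLE_EVENTS)).most_common():
        print(f"{count:4d}  {image}")
```

Event ID 3 records the connection and the process, not the name that was queried; newer Sysmon releases add a separate DNS query event (Event ID 22) that carries the queried name, so the same per-process aggregation can be applied there if the queried names are what you need.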

dcharboneau_spl
Splunk Employee

I would leverage Splunk Stream to capture the DNS Traffic: https://splunkbase.splunk.com/app/1809/

It can be installed on a network tap or on the 2012 DNS server directly with the UF.

Otherwise, you can use the builtin analytic logging for DNS and have the UF tail the file.

0 Karma
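As an added example (not code from the answer, Splunk, or Microsoft): of the two DNS Server logging options, the plain-text debug log the server writes when logging to a file is enabled is the one a file monitor can tail, so this Python shows what a practitioner gets from those lines once they reach the indexer. It parses the packet lines into query and response records, groups client queries per client, and joins each client query to the answer the server sent back using the (client, transaction id) pair. The sample lines are constructed; the column layout (date, time, thread id, PACKET, packet id, protocol, Snd/Rcv, remote IP, xid, R flag, flags, qtype, length-prefixed name) and the 12-hour timestamp format are assumptions about the log format to check against your own dns.log.

```python
"""Parse Windows DNS Server debug log packet lines and pair client queries with answers.

Added example, not from the thread. SAMPLE_LOG below is constructed; the line layout
is assumed to match the DNS server's debug log and should be checked against a real file.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """DNS Server log file creation at 9/21/2017 2:56:00 PM
9/21/2017 2:56:23 PM 0A94 PACKET  000000B0A7B3A9E0 UDP Rcv 192.168.1.10    4b2f   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
9/21/2017 2:56:23 PM 0A94 PACKET  000000B0A7B3A9E0 UDP Snd 192.168.1.10    4b2f R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
9/21/2017 2:56:24 PM 0A94 PACKET  000000B0A7B3AC10 UDP Rcv 192.168.1.22    0c13   Q [0001   D   NOERROR] AAAA   (7)missing(4)test(0)
9/21/2017 2:56:24 PM 0A94 PACKET  000000B0A7B3AD00 UDP Snd 8.8.8.8         9a10   Q [0001   D   NOERROR] AAAA   (7)missing(4)test(0)
9/21/2017 2:56:24 PM 0A94 PACKET  000000B0A7B3AD00 UDP Rcv 8.8.8.8         9a10 R Q [8183   DR  NXDOMAIN] AAAA   (7)missing(4)test(0)
9/21/2017 2:56:24 PM 0A94 PACKET  000000B0A7B3AC10 UDP Snd 192.168.1.22    0c13 R Q [8385 A DR  NXDOMAIN] AAAA   (7)missing(4)test(0)
"""

# One packet line: the "R" column is present on responses and blank on queries.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+ (?:AM|PM)) (?P<tid>[0-9A-Fa-f]{4}) PACKET\s+"
    r"(?P<pkt>[0-9A-Fa-f]+) (?P<proto>UDP|TCP) (?P<dir>Snd|Rcv) (?P<client>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]{4}) (?P<resp>R| ) Q \[(?P<flags>[^\]]*)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)$"
)


def decode_name(labels):
    """Turn the log's length-prefixed form "(3)www(7)example(3)com(0)" into www.example.com."""
    parts = re.findall(r"\((\d+)\)([^(]*)", labels)
    return ".".join(label for length, label in parts if int(length) > 0)


def parse_line(line):
    """Parse one packet line into a dict, or return None for non-packet lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["is_response"] = rec.pop("resp") == "R"
    rec["rcode"] = rec["flags"].split()[-1]   # last token of the bracket is the rcode
    rec["qname"] = decode_name(rec["qname"])
    return rec


def parse_log(text):
    return [rec for rec in (parse_line(line) for line in text.splitlines()) if rec]


def queries_by_client(records):
    """Client queries are packets the server received that are not responses.

    This also drops the server's own upstream traffic (queries it sends to a
    forwarder and the answers it receives back)."""
    out = defaultdict(list)
    for rec in records:
        if rec["dir"] == "Rcv" and not rec["is_response"]:
            out[rec["client"]].append((rec["qtype"], rec["qname"]))
    return dict(out)


def pair_responses(records):
    """Join each client query with the answer sent back to that client, keyed on (client, xid)."""
    answers = {(rec["client"], rec["xid"]): rec for rec in records
               if rec["dir"] == "Snd" and rec["is_response"]}
    pairs = []
    for rec in records:
        if rec["dir"] == "Rcv" and not rec["is_response"]:
            answer = answers.get((rec["client"], rec["xid"]))
            pairs.append((rec["client"], rec["qname"], answer["rcode"] if answer else None))
    return pairs


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for client, names in queries_by_client(records).items():
        print(client, names)
    for client, name, rcode in pair_responses(records):
        print(f"{client} asked {name} -> {rcode}")
```

Keying the join on the client address as well as the transaction id matters: the server reuses the same name in its own recursive query to the forwarder with a different xid, and a join on xid alone could attach an upstream answer to the wrong client. A query with no matching Snd R line (for example a dropped or timed-out lookup) comes back with rcode None rather than being silently lost.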

Lowell
Super Champion

FYI, I've been unable to ingest the analytic logs using the traditional WinEventLog input method. Apparently this is a known (designed-in) limitation on Microsoft's part that applies to all Analytic and Debug logs.

When you attempt to ingest these logs, Splunk returns MS error code 15009. According to MSDN, "You cannot subscribe to an Analytic or Debug channel; the events for an Analytic or Debug channel go directly to a log file and cannot be subscribed to."

The Splunk Stream option sounds interesting. Does anyone know how complicated it would be to take that feed and make it CIM compliant, with the goal of Enterprise Security integration?

0 Karma