Getting Data In

What is the best way to collect all DNS queries by client and Responses sent back by a Windows 2012 DNS Server with a universal forwarder?

shafqat571
Explorer

We have Universal Forwarder installed on MS Windows 2012 DNS server.

What is the best way to collect all the DNS queries by client and the responses sent back by the DNS server?

adayton20
Contributor

You can also install and configure sysmon.

https://technet.microsoft.com/en-us/sysinternals/sysmon
http://blogs.splunk.com/2014/11/24/monitoring-network-traffic-with-sysmon-and-splunk/

The event code that would interest you is EventCode=3

You're also able to see which application is making the DNS query and any command line entries initiating the communication.

I'm using it on my home lab and have worked contracts in the past where customers were leveraging sysmon logs with Splunk. If you choose to use this option, make sure you filter events properly, both in the sysmon.xml config and in your inputs.conf (for Windows events) and/or prop.conf/transforms.conf for sending noisy events to a nullqueue. Ensure you test it first. Sysmon can generate an absurd amount of logs if not configured correctly.

0 Karma
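As an added illustration of the Sysmon route described above (example code written for this page, not from adayton20, Splunk or Sysmon), the script below flattens rendered Sysmon XML events, keeps only EventCode 3 network connections to port 53, and joins each one to the CommandLine of the EventCode 1 process-creation event with the same ProcessGuid. EventCode 3 carries the Image that opened the socket but not its command line, so the join is what makes "which application and which command line" visible in one record. The events, GUIDs, hosts and addresses are constructed for the example; field names follow Sysmon's own schema.

```python
# Added example: correlate Sysmon EventCode 3 (network connection) with
# EventCode 1 (process creation) to attach a command line to each DNS lookup.
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Namespace of rendered Windows event XML (what a renderXml=true input forwards)
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample events (not captured data); GUIDs and addresses are made up.
SAMPLE_EVENTS = [
    # EventCode 1: process creation, the only record that carries CommandLine
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID><Channel>Microsoft-Windows-Sysmon/Operational</Channel></System>
  <EventData>
    <Data Name="ProcessGuid">{11111111-aaaa-bbbb-cccc-000000000001}</Data>
    <Data Name="ProcessId">4120</Data>
    <Data Name="Image">C:\Windows\System32\nslookup.exe</Data>
    <Data Name="CommandLine">nslookup example.com</Data>
    <Data Name="User">LAB\alice</Data>
  </EventData>
</Event>""",
    # EventCode 3: the DNS lookup issued by that process (UDP/53)
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>3</EventID><Channel>Microsoft-Windows-Sysmon/Operational</Channel></System>
  <EventData>
    <Data Name="ProcessGuid">{11111111-aaaa-bbbb-cccc-000000000001}</Data>
    <Data Name="Image">C:\Windows\System32\nslookup.exe</Data>
    <Data Name="User">LAB\alice</Data>
    <Data Name="Protocol">udp</Data>
    <Data Name="SourceIp">10.0.0.5</Data>
    <Data Name="SourcePort">51234</Data>
    <Data Name="DestinationIp">10.0.0.53</Data>
    <Data Name="DestinationPort">53</Data>
  </EventData>
</Event>""",
    # EventCode 3: an HTTPS connection from the same process tree; not DNS, so dropped
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>3</EventID><Channel>Microsoft-Windows-Sysmon/Operational</Channel></System>
  <EventData>
    <Data Name="ProcessGuid">{11111111-aaaa-bbbb-cccc-000000000001}</Data>
    <Data Name="Image">C:\Windows\System32\nslookup.exe</Data>
    <Data Name="Protocol">tcp</Data>
    <Data Name="SourceIp">10.0.0.5</Data>
    <Data Name="DestinationIp">203.0.113.10</Data>
    <Data Name="DestinationPort">443</Data>
  </EventData>
</Event>""",
    # EventCode 3: DNS from a process whose creation event was never logged
    # (started before Sysmon, or filtered out), so no command line is available
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>3</EventID><Channel>Microsoft-Windows-Sysmon/Operational</Channel></System>
  <EventData>
    <Data Name="ProcessGuid">{22222222-aaaa-bbbb-cccc-000000000002}</Data>
    <Data Name="Image">C:\Windows\System32\svchost.exe</Data>
    <Data Name="User">NT AUTHORITY\NETWORK SERVICE</Data>
    <Data Name="Protocol">udp</Data>
    <Data Name="SourceIp">10.0.0.5</Data>
    <Data Name="DestinationIp">10.0.0.53</Data>
    <Data Name="DestinationPort">53</Data>
  </EventData>
</Event>""",
]


def parse_event(xml_text: str) -> Dict[str, str]:
    """Flatten one rendered Windows event into {field: value}, plus EventCode."""
    root = ET.fromstring(xml_text)
    fields = {"EventCode": root.findtext("e:System/e:EventID", default="", namespaces=NS)}
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name", "")] = data.text or ""
    return fields


def dns_connections(xml_events: List[str], dns_port: str = "53") -> List[Dict[str, Optional[str]]]:
    """Return EventCode 3 records whose DestinationPort is dns_port, each joined
    to the CommandLine of the EventCode 1 record sharing its ProcessGuid.
    CommandLine is None when no matching process-creation event exists."""
    events = [parse_event(x) for x in xml_events]
    cmdline_by_guid = {e.get("ProcessGuid", ""): e.get("CommandLine", "")
                       for e in events if e["EventCode"] == "1"}
    result = []
    for e in events:
        if e["EventCode"] != "3" or e.get("DestinationPort") != dns_port:
            continue
        result.append({
            "src": e.get("SourceIp"),
            "dest": e.get("DestinationIp"),
            "transport": e.get("Protocol"),
            "Image": e.get("Image"),
            "User": e.get("User"),
            "CommandLine": cmdline_by_guid.get(e.get("ProcessGuid", "")),
        })
    return result


if __name__ == "__main__":
    for row in dns_connections(SAMPLE_EVENTS):
        print(row)
```

The unmatched svchost.exe record is the case to plan for: once events are filtered aggressively (as the answer advises, to keep volume down), EventCode 1 for long-lived services is often absent, so the DNS record still needs to be kept on Image and User alone rather than dropped for lacking a command line.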

dcharboneau_spl
Splunk Employee

I would leverage Splunk Stream to capture the DNS Traffic: https://splunkbase.splunk.com/app/1809/

It can be installed on a network tap or on the 2012 DNS server directly with the UF.

Otherwise, you can use the builtin analytic logging for DNS and have the UF tail the file.

0 Karma

Lowell
Super Champion

FYI, I've been unable to ingest the analytic logs using the traditional WinEventLog input method. Apparently this is a known (designed-in) limitation on Microsoft's part that applies to all Analytic and Debug logs.

When you attempt to ingest these logs, Splunk returns MS error code 15009. According to MSDN, "You cannot subscribe to an Analytic or Debug channel; the events for an Analytic or Debug channel go directly to a log file and cannot be subscribed to."

The Splunk Stream option sounds interesting. Does anyone know how complicated it would be to take that feed and make it CIM-compliant, with the goal of Enterprise Security integration?

0 Karma