What is the best way to collect all DNS queries by client and Responses sent back by a Windows 2012 DNS Server with a universal forwarder?

shafqat571
Explorer

We have the Universal Forwarder installed on an MS Windows 2012 DNS server.

What is the best way to collect all the DNS queries by client and the responses sent back by the DNS server?

adayton20
Contributor

You can also install and configure sysmon.

https://technet.microsoft.com/en-us/sysinternals/sysmon
http://blogs.splunk.com/2014/11/24/monitoring-network-traffic-with-sysmon-and-splunk/

The event code that would interest you is EventCode=3.

You're also able to see which application is making the DNS query and any command line entries initiating the communication.

I'm using it in my home lab and have worked contracts in the past where customers were leveraging sysmon logs with Splunk. If you choose to use this option, make sure you filter events properly, both in the sysmon.xml config and in your inputs.conf (for Windows events) and/or props.conf/transforms.conf for sending noisy events to a nullQueue. Ensure you test it first. Sysmon can generate an absurd amount of logs if not configured correctly.

0 Karma
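Added example, not code from this thread, from Sysmon or from Splunk: the Python script below shows what "seeing which application made the DNS query and its command line" looks like in practice once Sysmon events reach the indexer. It flattens rendered Sysmon XML, keeps only EventCode 3 connections to port 53, joins them to the EventCode 1 process-create record via ProcessGuid to recover the command line, and applies an image allow/deny list that plays the role of the nullQueue filtering recommended above. The events in SAMPLE_EVENTS, the hostnames, GUIDs and addresses, and the function names parse_event and dns_connections are all constructed for this example; the output field names follow CIM Network_Traffic naming (src_ip, dest_port, transport, app, user) as an assumption about how one would map them.

```python
"""Join Sysmon network-connection events (EventID 3) aimed at the DNS port to
the process-create event (EventID 1) that carries the command line, and emit
CIM Network_Traffic-style records. All sample events below are constructed."""
import xml.etree.ElementTree as ET
from typing import Dict, FrozenSet, List

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
EVT = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'

# Constructed samples, shaped like the XML a WinEventLog input renders with
# renderXml=true. Raw strings keep the Windows paths' backslashes intact.
SAMPLE_EVENTS = [
    # EventID 1: process create for nslookup; this is where the command line lives
    EVT + r"""<System><EventID>1</EventID>
  <TimeCreated SystemTime="2016-03-01T09:00:00Z"/><Computer>ws01.corp.example</Computer>
  </System><EventData><Data Name="ProcessGuid">{00000000-0001-0000-0000-000000000001}</Data>
  <Data Name="Image">C:\Windows\System32\nslookup.exe</Data>
  <Data Name="CommandLine">nslookup -type=TXT example.com</Data>
  <Data Name="User">CORP\alice</Data></EventData></Event>""",
    # EventID 3: nslookup resolving on its own, udp/53 to the DNS server
    EVT + r"""<System><EventID>3</EventID>
  <TimeCreated SystemTime="2016-03-01T09:00:01Z"/><Computer>ws01.corp.example</Computer>
  </System><EventData><Data Name="ProcessGuid">{00000000-0001-0000-0000-000000000001}</Data>
  <Data Name="Image">C:\Windows\System32\nslookup.exe</Data><Data Name="User">CORP\alice</Data>
  <Data Name="Protocol">udp</Data><Data Name="SourceIp">10.0.0.25</Data>
  <Data Name="SourcePort">51234</Data><Data Name="DestinationIp">10.0.0.2</Data>
  <Data Name="DestinationPort">53</Data></EventData></Event>""",
    # EventID 3: the DNS Client service (svchost.exe) resolving for some other
    # program; no EventID 1 in this batch, so the command line stays unknown
    EVT + r"""<System><EventID>3</EventID>
  <TimeCreated SystemTime="2016-03-01T09:00:02Z"/><Computer>ws01.corp.example</Computer>
  </System><EventData><Data Name="ProcessGuid">{00000000-0002-0000-0000-000000000002}</Data>
  <Data Name="Image">C:\Windows\System32\svchost.exe</Data>
  <Data Name="User">NT AUTHORITY\NETWORK SERVICE</Data><Data Name="Protocol">udp</Data>
  <Data Name="SourceIp">10.0.0.25</Data><Data Name="SourcePort">60001</Data>
  <Data Name="DestinationIp">10.0.0.2</Data><Data Name="DestinationPort">53</Data>
  </EventData></Event>""",
    # EventID 3: an HTTPS connection; the port filter must drop it
    EVT + r"""<System><EventID>3</EventID>
  <TimeCreated SystemTime="2016-03-01T09:00:03Z"/><Computer>ws01.corp.example</Computer>
  </System><EventData><Data Name="ProcessGuid">{00000000-0003-0000-0000-000000000003}</Data>
  <Data Name="Image">C:\Program Files\Browser\browser.exe</Data><Data Name="Protocol">tcp</Data>
  <Data Name="SourceIp">10.0.0.25</Data><Data Name="SourcePort">60002</Data>
  <Data Name="DestinationIp">93.184.216.34</Data><Data Name="DestinationPort">443</Data>
  </EventData></Event>""",
]


def parse_event(event_xml: str) -> Dict[str, str]:
    """Flatten one rendered event into {field: value}; EventData names win."""
    root = ET.fromstring(event_xml)
    fields = {
        "EventID": root.findtext("e:System/e:EventID", default="", namespaces=NS),
        "Computer": root.findtext("e:System/e:Computer", default="", namespaces=NS),
    }
    created = root.find("e:System/e:TimeCreated", NS)
    fields["_time"] = created.get("SystemTime", "") if created is not None else ""
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name", "")] = data.text or ""
    return fields


def dns_connections(events: List[str], dns_port: str = "53",
                    ignore_images: FrozenSet[str] = frozenset()) -> List[Dict[str, str]]:
    """One record per EventID 3 to dns_port, joined to EventID 1 via ProcessGuid.

    ignore_images (lower-cased full paths) plays the role of the nullQueue
    rule the answer above recommends: drop sources known to be pure noise
    before they are indexed, and test that list before trusting it.
    """
    processes: Dict[str, Dict[str, str]] = {}
    records: List[Dict[str, str]] = []
    for f in map(parse_event, events):
        if f["EventID"] == "1":
            processes[f.get("ProcessGuid", "")] = f
        elif f["EventID"] == "3" and f.get("DestinationPort") == dns_port:
            if f.get("Image", "").lower() in ignore_images:
                continue
            proc = processes.get(f.get("ProcessGuid", ""), {})
            records.append({
                "_time": f["_time"], "host": f["Computer"],
                "src_ip": f.get("SourceIp", ""), "src_port": f.get("SourcePort", ""),
                "dest_ip": f.get("DestinationIp", ""), "dest_port": f["DestinationPort"],
                "transport": f.get("Protocol", ""), "user": f.get("User", ""),
                "app": f.get("Image", ""),
                "process_cmdline": proc.get("CommandLine", "<no EventID 1 seen>"),
            })
    return records


if __name__ == "__main__":
    for rec in dns_connections(SAMPLE_EVENTS):
        print(rec)
```

Two things the sample is built to show. First, the join only works when the EventID 1 record for that ProcessGuid was collected, so sysmon.xml filters that drop process-create events also drop the command line you wanted. Second, on Windows most programs do not open port 53 themselves; the DNS Client service inside svchost.exe resolves on their behalf, so EventCode 3 names svchost.exe rather than the originating application, and only tools that resolve on their own (nslookup here) show up directly. Later Sysmon releases added a dedicated DNS query event (EventID 22) to close that gap; with the Sysmon version current at the time of this thread, the network-connection event is what is available.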

dcharboneau_spl
Splunk Employee

I would leverage Splunk Stream to capture the DNS Traffic: https://splunkbase.splunk.com/app/1809/

It can be installed on a network tap or directly on the 2012 DNS server alongside the UF.

Otherwise, you can use the built-in analytic logging for DNS and have the UF tail the file.

0 Karma

Lowell
Super Champion

FYI, I've been unable to ingest the analytic logs using the traditional WinEventLog input method. Apparently this is a known (designed-in) limitation on Microsoft's part that applies to all Analytic and Debug logs.

When you attempt to ingest these logs, Splunk returns MS error code 15009. According to MSDN, "You cannot subscribe to an Analytic or Debug channel; the events for an Analytic or Debug channel go directly to a log file and cannot be subscribed to."

The Splunk Stream option sounds interesting. Does anyone know how complicated it would be to take that feed and make it CIM compliant, with the goal of Enterprise Security integration?

0 Karma