On a Windows 2008 domain controller, DNS debug logging is enabled so that queries can be captured by Splunk. The DNS debug log is called "D:\dns-log\dns-log.txt".
That file is being monitored by Splunk and it is successfully added to the Splunk indexer.
Problem:
This log file keeps disappearing from its host after some number of hours or days.
If we restart the Microsoft DNS service, the log file is recreated and Splunk resumes indexing, minus the lost period of time when the file was missing.
Is there any way that the Splunk Universal Forwarder could be causing the file to be deleted?
I have not yet enabled Windows file auditing because that is quite resource intensive on the host.