Long story short, I'm trying to log DNS queries (query name/FQDN and requesting host's IP) into Splunk so I can see which hosts try to resolve which FQDNs, and am trying to accomplish this via native DNS logging on Windows Server 2012 (not debug logging because it could break the DNS servers due to high traffic volume). Below is more detail/context:
I've deployed the full App for Windows Infrastructure across Splunk Enterprise as directed. There is a Domain Controller (serving DNS) running on Windows Server 2012 with the Audit and analytic event logging enabled, and I've deployed the TA_windows and TA_microsoft_dns add-ons to that server. I'm seeing DNS events coming through on the search heads, but can't find any events with actual DNS lookups (e.g., FQDN query and requesting IP), which is all I really care about for now. So, is the TA_microsoft_dns even able to grab this level of detail? Is the native Windows Server 2012 DNS logging able to do this? Per TechNet (link below) on 2012 DNS logging, I think event IDs 257-259 would contain this detail, so maybe the Server's DNS logging hasn't been set up appropriately?
Has anyone done this successfully that could help guide me through this? For more context, I've tried using Splunk Stream, but apparently the DNS server volume is too high and the Universal Forwarder can't keep up with Stream's packet capture (~10k DNS queries per second), even with maxKBs set to '0' in the limits.conf file. Thanks in advance for help anyone can offer.
TechNet Article on 2012 logging: technet.microsoft.com/en-us/library/dn800669.aspx
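Added example for the setup described in the question; this is not code from the original post, nor from Splunk or Microsoft. It checks whether the DNS analytic channel is enabled on the server, enables it with wevtutil if not, and pulls the requesting IP and QNAME out of the event messages. Assumptions (mine): the channel name `Microsoft-Windows-DNSServer/Analytical`, the event IDs the linked TechNet article lists (256 QUERY_RECEIVED, 257 RESPONSE_SUCCESS, 258 RESPONSE_FAILURE), and a `Key=Value;` message layout; the three sample messages at the bottom are constructed so the parser can be run offline.

```powershell
# Added example, not code from the original post or from Splunk/Microsoft.
# Assumptions (mine): channel 'Microsoft-Windows-DNSServer/Analytical' carries the
# event IDs the linked TechNet article describes (256 QUERY_RECEIVED,
# 257 RESPONSE_SUCCESS, 258 RESPONSE_FAILURE), and its messages are 'Key=Value;' lists.
$Channel = 'Microsoft-Windows-DNSServer/Analytical'

function Test-DnsAnalyticLog {
    # $true when the analytic channel exists and is switched on, $false when it is off.
    $log = Get-WinEvent -ListLog $Channel -ErrorAction Stop
    return [bool]$log.IsEnabled
}

function Enable-DnsAnalyticLog {
    # wevtutil toggles analytic channels; run from an elevated prompt on the DNS server.
    & wevtutil.exe sl $Channel /e:true
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed, exit code $LASTEXITCODE" }
}

function ConvertFrom-DnsAnalyticMessage {
    # Turns one event message into an object with the two fields the question asks for:
    # the requesting host's IP and the queried name. Returns $null for unknown layouts.
    param(
        [Parameter(Mandatory)][int]$EventId,
        [Parameter(Mandatory)][string]$Message
    )
    # Drop the leading 'QUERY_RECEIVED: ' style tag, then split 'Key=Value' pairs on ';'.
    $body   = $Message -replace '^\w+:\s*', ''
    $fields = @{}
    foreach ($pair in ($body -split ';')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2 -and $kv[0]) { $fields[$kv[0].Trim()] = $kv[1].Trim() }
    }
    if (-not $fields.ContainsKey('QNAME')) { return $null }
    # 256 names the client as Source; 257/258 are responses, so the client is Destination.
    $client = switch ($EventId) {
        256                 { $fields['Source'] }
        { $_ -in 257, 258 } { $fields['Destination'] }
        default             { $null }
    }
    if (-not $client) { return $null }
    [pscustomobject]@{
        EventId  = $EventId
        ClientIP = $client
        QName    = $fields['QNAME'].TrimEnd('.')   # strip the trailing root dot
        QType    = $fields['QTYPE']
        RCode    = $fields['RCODE']                # only present on responses
    }
}

function Get-DnsQueryLog {
    # Reads the live channel. Analytic logs have to be read oldest-first with Get-WinEvent.
    param([int]$MaxEvents = 1000)
    Get-WinEvent -FilterHashtable @{ LogName = $Channel; Id = 256, 257, 258 } `
                 -Oldest -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object { ConvertFrom-DnsAnalyticMessage -EventId $_.Id -Message $_.Message } |
        Where-Object { $_ }
}

# --- constructed sample messages (not real captures) so the parser can be exercised offline ---
$sample = @(
    @{ Id = 256; Message = 'QUERY_RECEIVED: TCP=0; InterfaceIP=10.0.0.10; Source=10.0.0.25; RD=1; QNAME=www.example.com.; QTYPE=1; XID=4F2A; Port=52311; Flags=0100; PacketData=0x00' },
    @{ Id = 257; Message = 'RESPONSE_SUCCESS: TCP=0; InterfaceIP=10.0.0.10; Destination=10.0.0.25; AA=0; AD=0; QNAME=www.example.com.; QTYPE=1; XID=4F2A; DNSSEC=0; RCODE=0; Port=52311; Flags=8180; Scope=Default; Zone=..Cache; PolicyName=NULL; PacketData=0x00' },
    @{ Id = 258; Message = 'RESPONSE_FAILURE: TCP=0; InterfaceIP=10.0.0.10; Reason=2; Destination=10.0.0.77; QNAME=nosuch.example.net.; QTYPE=28; XID=9B01; RCODE=3; Port=61002; Flags=8183; PacketData=0x00' }
)
$parsed = $sample | ForEach-Object { ConvertFrom-DnsAnalyticMessage -EventId $_.Id -Message $_.Message }
$parsed | Format-Table EventId, ClientIP, QName, QType, RCode -AutoSize

# Per-client, per-name counts: the view the question is after.
$parsed | Group-Object ClientIP, QName |
    Select-Object Count, @{ n = 'ClientIP, QName'; e = { $_.Name } } |
    Format-Table -AutoSize

# On the DNS server itself (elevated), uncomment:
#   if (-not (Test-DnsAnalyticLog)) { Enable-DnsAnalyticLog }
#   Get-DnsQueryLog -MaxEvents 50 | Format-Table -AutoSize
```

Running `Test-DnsAnalyticLog` on the DC is the quickest way to confirm whether the analytic channel is actually on, which is the first thing to rule out when no query-level events are reaching the search heads. The same `QNAME=` / `Source=` key-value layout is what a field extraction on the Splunk side would key on once those events are being forwarded.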