yeah. so you want to send dns debug logs to splunk so you can figure out who is checking out redpepper. that's a hot site! well. you can really forward them to any syslog server using the below, but splunk is my syslog aggregator of choice. plus it uses nice fonts and has pretty graphs and runs on ubuntu.

follow the instructions here: http://stratumsecurity.com/2012/07/03/splunk-security/

your dns logs will undoubtedly go here: C:\WINDOWS\system32\dns

and no worries about your logs rotating or any silliness, the max byte size is default 500M; after that the log resets itself.

...

if you're using splunk free, like me, you'll eventually figure out that you cannot use the splunk forwarder to forward to your splunk server. you'll try to enable splunktcp:9997 in inputs.conf on your splunk server. but the daemon won't listen. you'll try another port only to be met with frustration. you might even try forwarding to syslog, but you'll see:

_linebreaker\x00\x00"

that means that data is raw splunk data. http://answers.splunk.com/answers/10346/splunk-is-adding-weird-strings-like-linebreaker-x00-x00-to-my-events-what-is-going-on.html

that's a super raw deal. but, you're smart and motivated and everyone at work knows you're plain awesome. yeah. right. so, your awesome self uses this: http://www.syslogserver.com/syslogagent.html

the datagram syslog agent is fairly straightforward.

* udp transport, syslog server and port (conf'd for splunk)
* check enable forwarding of appl logs.
* edit application
  - application name: dns debug
  - specific file (static): C:\WINDOWS\system32\dns\dns.log
  - syslog protocol conformity:
    - parse date/time
    - parse host
    - use name "dns debug"

...

head to your splunk console and check for "dns debug"

Jan 12 14:11:58 dns.server Jan 12 14:12:03 valeriano dns debug[info] 20150112 8D58 PACKET 0229A720 UDP Rcv 10.10.10.10 6ea9 Q [0001 D NOERROR] A (4)redpepper(0)

here's looking at you 10.10.10.10.