Monday, January 12, 2015

ms dns debug logs to splunk

 
 yeah.  so you want to send dns debug logs to splunk so you can figure out who is 
 checking out redpepper.  that's a hot site! 
 
 well.  you can really forward them to any syslog server using the below, but splunk is my syslog 
 aggregator of choice.  plus it uses nice fonts and has pretty graphs and runs on ubuntu.
   
 follow the instructions here:  
 http://stratumsecurity.com/2012/07/03/splunk-security/  
   
 Your DNS logs will undoubtedly go here:  
 C:\WINDOWS\system32\dns  
   
 And no worries about your logs rotating or any silliness: the default max file size is 500M, and once 
 that is reached the log resets itself.  
   
 ...  
   
 if you're using splunk free, like me, you'll eventually figure out that you cannot use the splunk forwarder 
 to forward to your splunk server.  you'll try to enable splunktcp:9997 in inputs.conf on your splunk server, 
 but the daemon won't listen. you'll try another port only to be met with frustration.  
   
 you might even try forwarding to syslog, but you'll see:  
 _linebreaker\x00\x00"  
   
 that means the data is raw splunk-to-splunk data, not syslog.  
 http://answers.splunk.com/answers/10346/splunk-is-adding-weird-strings-like-linebreaker-x00-x00-to-my-events-what-is-going-on.html  
   
 that's a super raw deal. but, you're smart and motivated and everyone at work knows you're plain 
 awesome. yeah. right.
    
 so, your awesome self uses this:  
 http://www.syslogserver.com/syslogagent.html  
   
 the datagram syslog agent is fairly straightforward.  
 * udp transport, syslog server and port (conf'd for splunk)  
 * check "enable forwarding of application logs".  
 * edit application  
 - application name: dns debug  
 - specific file (static): C:\WINDOWS\system32\dns\dns.log  
 - syslog protocol conformity:   
 - parse date/time  
 - parse host  
 - use name "dns debug"  
   
 ...  
   
 head to your splunk console and check for  
 "dns debug"  
   
 Jan 12 14:11:58 dns.server Jan 12 14:12:03 valeriano dns debug[info] 20150112 8D58 PACKET 0229A720 
 UDP Rcv 10.10.10.10  6ea9 Q [0001  D  NOERROR] A   (4)redpepper(0)   
  
 here's looking at you 10.10.10.10.
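 once the events land in splunk you still have to pick the client address and the queried name out of the
 PACKET record. the parser below is an added example, not code from the post, the datagram syslog agent or
 splunk: it works from the documented MS DNS debug field layout (packet id, UDP/TCP, Snd/Rcv, remote ip,
 xid, optional R, opcode, [flags hex, flag chars, rcode], qtype, qname), decodes the "(4)redpepper(0)"
 label form into a dotted name, and then lists only the clients that actually sent the server a query
 for a given name, ignoring the server's own Snd/response records. the sample lines are constructed; the
 first copies the shape of the event shown above, the other two use the newer dns.log date prefix.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines. The first has the shape of the event shown in the
# post: syslog header added by the agent, then the DNS debug record. The other
# two are raw dns.log records (newer date prefix) with a response (Snd) and a
# multi-label AAAA query, so both directions and the name decoder are exercised.
SAMPLE_LINES = [
    "Jan 12 14:11:58 dns.server Jan 12 14:12:03 valeriano dns debug[info] "
    "20150112 8D58 PACKET 0229A720 UDP Rcv 10.10.10.10  6ea9 Q [0001  D  NOERROR] A   (4)redpepper(0)",
    "1/12/2015 2:12:05 PM 0DB8 PACKET 0229A720 UDP Snd 10.10.10.10  6ea9 R Q [8081  DR  NOERROR] A   (4)redpepper(0)",
    "1/12/2015 2:12:07 PM 0DB8 PACKET 0229A720 UDP Rcv 10.10.10.11  7f01 Q [0001  D  NOERROR] AAAA  (3)www(7)example(3)com(0)",
]

# Field layout of a PACKET record in the MS DNS debug log:
#   ... PACKET <pkt-id> <UDP|TCP> <Snd|Rcv> <remote ip> <xid> [R] <opcode>
#       [<flags hex> <flag chars> <rcode>] <qtype> <qname>
# Anchoring on "PACKET" lets one pattern handle both the syslog-wrapped line
# and the raw file line, whose date prefixes differ.
PACKET_RE = re.compile(
    r"PACKET\s+(?P<pkt>[0-9A-Fa-f]+)\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<direction>Snd|Rcv)\s+(?P<ip>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]{4})\s+(?P<resp>R)?\s*(?P<opcode>[A-Z])\s+"
    r"\[(?P<fhex>[0-9A-Fa-f]{4})\s+(?P<fchars>[A-Z]*)\s+(?P<rcode>[A-Z]+)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\(\d+\)\S*)"
)


@dataclass
class DnsDebugEvent:
    direction: str    # "Rcv" = packet arrived at the server, "Snd" = server sent it
    protocol: str
    remote_ip: str    # the client for Rcv, the recipient for Snd
    xid: str
    is_response: bool
    opcode: str
    flags: str        # flag characters: A, T, D, R
    rcode: str
    qtype: str
    qname: str        # dotted name decoded from the (len)label(0) form


def decode_qname(encoded: str) -> str:
    """Turn "(3)www(7)example(3)com(0)" into "www.example.com".

    Each label is written as (length)label and "(0)" terminates the name.
    The text between the markers is taken as the label; the declared length
    is not enforced, so a hand-edited name (as in the post's sample) still
    decodes instead of being rejected."""
    labels = [label for _, label in re.findall(r"\((\d+)\)([^(]*)", encoded) if label]
    return ".".join(labels) if labels else "."


def parse_dns_debug_line(line: str) -> Optional[DnsDebugEvent]:
    """Parse one PACKET record; returns None for anything else (blank lines,
    the header the server writes at the top of dns.log, unrelated syslog)."""
    m = PACKET_RE.search(line)
    if not m:
        return None
    return DnsDebugEvent(
        direction=m["direction"],
        protocol=m["proto"],
        remote_ip=m["ip"],
        xid=m["xid"].lower(),
        is_response=m["resp"] == "R",
        opcode=m["opcode"],
        flags=m["fchars"],
        rcode=m["rcode"],
        qtype=m["qtype"],
        qname=decode_qname(m["qname"]),
    )


def clients_querying(lines, name: str) -> List[str]:
    """Addresses that sent the server a query for `name`, in first-seen order.

    Only inbound (Rcv) non-response packets count: the server's own Snd
    records repeat the name but their address is the recipient, not the asker."""
    wanted = name.rstrip(".").lower()
    seen: List[str] = []
    for line in lines:
        ev = parse_dns_debug_line(line)
        if ev is None or ev.direction != "Rcv" or ev.is_response:
            continue
        if ev.qname.lower() == wanted and ev.remote_ip not in seen:
            seen.append(ev.remote_ip)
    return seen


if __name__ == "__main__":
    for ip in clients_querying(SAMPLE_LINES, "redpepper"):
        print(f"{ip} asked for redpepper")
```

 the same regex, minus the python, is what you'd feed splunk as a field extraction for the "dns debug"
 sourcetype; the Rcv/Snd and R checks are worth keeping there too, or every answer the server sends
 shows up as a second "hit" on the name.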