Forum Discussion

AndrewX's avatar
AndrewX
Iron Contributor
May 31, 2019

OMS DNS Analytics solution - no data

Hello - I am trying to get DNS logs into Log Analytics and into Sentinel.   The Documentation here (https://docs.microsoft.com/en-us/azure/sentinel/connect-dns), says simply install OMS and check t...
azure monitor
microsoft sentinel
MattM2020's avatar
MattM2020
Copper Contributor
Dec 18, 2019

CliveWatson 

 

Hmm, when it says to reset the config or load the config page once in the portal, where, specifically, is it referring to?  I've done changes within the Overview > DNS Analytics > DNS Analytics Configuration section so if that is it, that's been done with no change in the lack of events coming in.

CliveWatson's avatar
CliveWatson
Former Employee
Dec 18, 2019

MattM2020 

yes it was that Config https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics#configuration  it may take 5-15 mins work.

If you have ZERO entries (i.e. these queries don't work)

 

DnsEvents

| sort by TimeGenerated

 

DnsEvents

| where SubType == 'LookupQuery'

 

Then can you check that the HeartBeat table is working for the specific DNS Servers (my DNS server is called DC01)?

 

Heartbeat
| where Computer startswith "DC01" 
| summarize oldest_ = min(TimeGenerated), latest_ = max(TimeGenerated) 
| extend diff_in_hours = datetime_diff( 'hour', todatetime(latest_), todatetime(oldest_) )

 

 

oldest_ latest_ diff_in_hours
2019-12-17T17:40:53.897Z 2019-12-18T17:40:08.81Z 23

 

 

 

  • SBI_Team's avatar
    SBI_Team
    Copper Contributor
    Dec 29, 2019

    CliveWatsonI have been 'enrolled' in the DNS Analytics preview for weeks but have never had any query events captured.

     

    I have events of type ConfigurationChange and DynamicRegistration only.

    I also have hearbeat from around a dozen Windows DCs running DNS.

     

    As per your suggestion I have made a configuration change in order to 'reset` the config. I have then waited for a while, done some web searches to obscure websites on a member server and waited for these to show up in Log Analytics - they have not.

     

     

    • Scott_Willmott's avatar
      Scott_Willmott
      Copper Contributor
      Feb 25, 2020

      Did anyone manage to find a solution to this? getting the exact same issue, 8 DNS servers enrolled, all showing active heartbeats, dynamicRegistration & Configuration Change events coming through fine, but no LookupQuery events ever occur. 

  • MattM2020's avatar
    MattM2020
    Copper Contributor
    Dec 18, 2019

    LA hasn't even created a DnsEvents table and so generates the following:

    '' operator: Failed to resolve table or column or scalar expression named 'DnsEvents'

    I assume this is because it hasn't received events coming in from DNS. 

     

    I have all of the following added in Advanced Settings\Data\Windows Event Logs in an attempt to get any DNS events coming in:

     

    DNS Server
		
DNS Server/Analytical
		
Microsoft-Windows-DNS-Client/Operational
		
Microsoft-Windows-DNS-Server/Analytical

     

    Heartbeats are showing fine and other data is coming in fine from that DC/DNS server .