May 31 2019
09:39 PM
- last edited on
Apr 07 2022
05:50 PM
by
TechCommunityAP
Hello - I am trying to get DNS logs into Log Analytics and into Sentinel.
The documentation here (https://docs.microsoft.com/en-us/azure/sentinel/connect-dns) says to simply install OMS and check the DnsEvent table. I did; nothing's there. PS: It's been many days, and nothing is there.
Side Note: I have packetbeat installed successfully capturing DNS logs without DNS Diagnostic Logging enabled.
Jun 03 2019 08:48 AM
Generally after you put the agent on the Windows Server that is running DNS, you will get the logs.
Is this the first time you've used Log Analytics - if not, do you have other data sources that are working (this can rule out proxy/firewall issues)?
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows
Did you "Verify agent connectivity to Log Analytics" as per the above link?
https://docs.microsoft.com/en-us/services-hub/health/troubleshooting_mma_agent
Dec 18 2019 08:10 AM
I'm actually experiencing the same issue. Enabled the collection about 18 hours ago and nothing is coming in to Log Analytics. My connectivity is working properly and other events come in properly but nothing for DNS.
Dec 18 2019 08:50 AM
Hmm, when it says to reset the config or load the config page once in the portal, where, specifically, is it referring to? I've done changes within the Overview > DNS Analytics > DNS Analytics Configuration section so if that is it, that's been done with no change in the lack of events coming in.
Dec 18 2019 09:42 AM
Yes, it was that config: https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics#configuration. It may take 5-15 mins to work.
If you have ZERO entries (i.e. these queries don't work):

```kusto
DnsEvents
| sort by TimeGenerated
```

```kusto
DnsEvents
| where SubType == 'LookupQuery'
```

Then can you check that the Heartbeat table is working for the specific DNS servers (my DNS server is called DC01)?

```kusto
Heartbeat
| where Computer startswith "DC01"
| summarize oldest_ = min(TimeGenerated), latest_ = max(TimeGenerated)
| extend diff_in_hours = datetime_diff( 'hour', todatetime(latest_), todatetime(oldest_) )
```

| oldest_ | latest_ | diff_in_hours |
|---|---|---|
| 2019-12-17T17:40:53.897Z | 2019-12-18T17:40:08.81Z | 23 |
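The two checks above can be combined into one query that lists every heartbeating DNS server alongside the number of LookupQuery rows it has produced, which is exactly the "heartbeats fine, no lookups" symptom reported in this thread. This is an added example, not from the original post or from Microsoft's docs; it assumes the DNS servers are named `DC*` and uses `union isfuzzy=true` so the query still parses when the DnsEvents table has not been created yet.

```kusto
// Added example: DNS servers with a recent Heartbeat but no LookupQuery rows.
// Assumption: DNS servers are named DC* (change the filter for your naming).
let lookback = 24h;
let dns_servers = Heartbeat
    | where TimeGenerated > ago(lookback)
    | where Computer startswith "DC"
    | summarize last_heartbeat = max(TimeGenerated) by Computer;
// isfuzzy=true keeps the query valid even if DnsEvents does not exist yet
// (the table is only created once the first DNS event arrives).
let lookups = union isfuzzy=true (
    DnsEvents
    | where TimeGenerated > ago(lookback)
    | where SubType == "LookupQuery"
    | summarize lookup_count = count(), last_lookup = max(TimeGenerated) by Computer
);
dns_servers
| join kind=leftouter lookups on Computer
| extend lookup_count = coalesce(lookup_count, 0)
| project Computer, last_heartbeat, lookup_count, last_lookup
| order by lookup_count asc
```

Servers that appear with `lookup_count` of 0 but a fresh `last_heartbeat` are the ones where the agent is connected but DNS Analytics is not delivering query events, so the problem is on the DNS Analytics configuration side rather than agent connectivity.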
Dec 18 2019 09:57 AM
LA hasn't even created a DnsEvents table and so generates the following:
'' operator: Failed to resolve table or column or scalar expression named 'DnsEvents'
I assume this is because it hasn't received events coming in from DNS.
I have all of the following added in Advanced Settings\Data\Windows Event Logs in an attempt to get any DNS events coming in:
DNS Server
DNS Server/Analytical
Microsoft-Windows-DNS-Client/Operational
Microsoft-Windows-DNS-Server/Analytical
Heartbeats are showing fine and other data is coming in fine from that DC/DNS server.
Dec 29 2019 04:41 AM
@CliveWatson I have been 'enrolled' in the DNS Analytics preview for weeks but have never had any query events captured.
I have events of type ConfigurationChange and DynamicRegistration only.
I also have heartbeat from around a dozen Windows DCs running DNS.
As per your suggestion I have made a configuration change in order to 'reset' the config. I have then waited for a while, done some web searches to obscure websites on a member server and waited for these to show up in Log Analytics - they have not.
Feb 25 2020 09:37 AM
Did anyone manage to find a solution to this? Getting the exact same issue: 8 DNS servers enrolled, all showing active heartbeats, dynamicRegistration & Configuration Change events coming through fine, but no LookupQuery events ever occur.
Feb 25 2020 11:00 AM
There is a similar thread here: https://github.com/MicrosoftDocs/azure-docs/issues/35061
Jun 14 2020 06:16 AM - edited Jun 14 2020 06:40 AM
Anyone gotten this to work? I cannot get it to work (LA shows a connection to the computer, running Server 2019, so it's a DNS connector issue). Last post on the github referenced before me also shows no resolution. Definitely have DNS analytic logs enabled and logging is happening locally. Other sources such as Security Events are showing up.
Edit: It is working now, after I removed the connector yet again, then changed the config to one setting and then changed config again and saved it. Obviously there is something buggy here, but it seems to have gotten events in now...
Oct 08 2020 11:45 PM