Best of Both Worlds - Viewing DNS Analytic Logs Without Disabling Them
Published Nov 20 2019 12:46 PM 3,719 Views
Microsoft

 


The Problem

When you try to view an enabled Analytical log in Event Viewer, you receive the following error:

Query Error - The requested operation cannot be performed over an enabled direct channel.  The channel must first be disabled before performing the requested operation.

So I have to stop collecting the Analytical log in order to read it? That is a frustrating proposition, especially when you consider how valuable some of these logs are. In this case I am looking at the DNS Server Analytical log, which records every query and response the server handles; disabling it just to scan through it means losing exactly the records you would want during an investigation, so stopping collection may not be an option at all. In this post I'll show you an alternative way of viewing the log that does not require disabling it.

 

Viewing the Logs with Message Analyzer

 

I am going to use Microsoft Message Analyzer, the successor to Network Monitor (NetMon), which does much more than network captures. In particular it is an Event Tracing for Windows (ETW) consumer, and that is the capability we need here: the Analytical log is simply an ETW channel fed by the Microsoft-Windows-DNSServer provider, and nothing prevents a second ETW consumer from subscribing to the same provider while the channel stays enabled. LogMan and Tracelog can do this as well, but I prefer Message Analyzer because it displays events as it collects them and has a powerful filtering engine for narrowing the results down to just what you need to see. Message Analyzer can be downloaded from the following location: https://www.microsoft.com/en-us/download/details.aspx?id=44226 (note that Microsoft retired Message Analyzer and removed its download packages in November 2019, so if the link no longer works, the LogMan or Tracelog route collects the same provider). Let's fire up Message Analyzer and check out the logs.
  1. Select New Session to get started.
  2. From the New Session window, select Live Trace.
  3. Click the Add Providers button, select the Microsoft-Windows-DNSServer provider from the list, click the Add To button and then click OK. Note: the easiest way to find the DNS provider is to use the search box at the top of the Providers list.
  4. Click the Start button to begin the capture.
  5. Depending on the speed of the system you are working on, it may take some time for events to start appearing. When they do, apply a filter to reduce the displayed events to a manageable set; the filtering engine is where Message Analyzer's real power lies. Enter the following text in the Filter box and click Apply:
!Windows_Kernel_Trace and (*Summary contains("QUERY_RECEIVED") or (*Summary contains("RESPONSE_")))

 

The filtered events should now show only query and response events from the DNS Server Analytical event log.
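The same capture can be done without a GUI, using the LogMan route the post mentions as an alternative. The script below is an added example and is not code from the original post: it confirms the Analytical channel is enabled and leaves it that way, attaches a second ETW session to the Microsoft-Windows-DNSServer provider with logman, generates a few constructed test queries, stops the session, and then applies the post's QUERY_RECEIVED / RESPONSE_ filter to the saved .etl with Get-WinEvent. It assumes it is run in an elevated PowerShell on the DNS server itself, that C:\Temp exists and is writable, and it uses a made-up session name and file name (DnsAnalyticLive) that you can change freely.

```powershell
# Added example (not from the original post): capture the same ETW provider
# with logman and read the .etl with Get-WinEvent, leaving the Analytical
# channel enabled the whole time. Run from an elevated prompt on the DNS server.
# Assumptions: C:\Temp exists and is writable, and the DNS Server role is
# installed so the Microsoft-Windows-DNSServer provider is registered.

$channel  = 'Microsoft-Windows-DNSServer/Analytical'
$provider = 'Microsoft-Windows-DNSServer'
$session  = 'DnsAnalyticLive'                 # hypothetical session name
$etl      = 'C:\Temp\DnsAnalyticLive.etl'     # hypothetical output path

# 1. Confirm the channel is enabled. We never change this setting.
$log = Get-WinEvent -ListLog $channel
"Channel '$channel' enabled: $($log.IsEnabled)"

# 2. Show why Event Viewer refuses: a direct query of an enabled
#    Analytical channel fails with the same error the post quotes.
try {
    Get-WinEvent -LogName $channel -MaxEvents 1 -ErrorAction Stop | Out-Null
    'Direct query unexpectedly succeeded (channel is probably disabled).'
} catch {
    "Direct query failed as expected: $($_.Exception.Message)"
}

# 3. Attach a second ETW consumer to the provider. All keywords and
#    level 0x5 (verbose) mirror selecting the whole provider in Message Analyzer.
logman create trace $session -p $provider 0xFFFFFFFFFFFFFFFF 0x5 -o $etl -ow | Out-Null
logman start $session | Out-Null

# 4. Generate some traffic so the trace has something in it
#    (constructed test queries sent to the local DNS server).
1..5 | ForEach-Object {
    Resolve-DnsName -Name "host$_.example.test" -Server 127.0.0.1 -Type A -DnsOnly `
        -ErrorAction SilentlyContinue | Out-Null
}
Start-Sleep -Seconds 2

# 5. Stop and remove our session. This only affects our trace session;
#    the Analytical channel keeps collecting.
logman stop $session | Out-Null
logman delete $session | Out-Null

# 6. Apply the post's filter to the saved trace: keep only the
#    query-received and response events, oldest first.
Get-WinEvent -Path $etl -Oldest |
    Where-Object { $_.Message -match 'QUERY_RECEIVED|RESPONSE_' } |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap

# 7. Prove the point of the post: the channel is still enabled.
"Channel still enabled: $((Get-WinEvent -ListLog $channel).IsEnabled)"
```

The filter matches on the rendered Message text, the same strings the Message Analyzer expression looks for in the Summary column, so it does not depend on remembering event IDs. If you would rather watch events as they arrive instead of reading a finished .etl, that is the part Message Analyzer adds over logman, which only writes the file.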

 


 

If you've never worked with Message Analyzer, the controls at the top of the window manage the capture: you can let it run and accumulate, pause it, or stop it. Pausing the capture lets you resume it without losing what has been collected; stopping the capture and starting it again erases the existing contents. From there you can save the results as they were captured or discard them, all without interrupting the ongoing collection of the DNS Analytical event log.
Version history
Last update: Apr 29 2020 10:24 AM