Hello,
I've set up the dns.log debug logs to input into the Splunk AD App and I'm getting the information, but it's intermittent. I'm not sure why. I see:
06-04-2013 19:50:16.218 -0400 INFO WatchedFile - Will begin reading at offset=327615930 for file='C:\Windows\System32\Dns\dns.log'.
But yet I get no data. I occasionally see on my indexer:
06-04-2013 09:21:34.198 -0700 WARN DateParserVerbose - A possible timestamp match (Tue Jun 4 09:21:31 2013) is outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE. Context: source::C:\Windows\System32\Dns\dns.log|host::dns2|MSAD:NT6:DNS|remoteport::57204
I suspect that is just related to the massive header in the dns.log file, but I may be wrong. I noticed that crcSalt wasn't present, but adding that didn't seem to help. Any suggestions?
inputs.conf:
[monitor://C:\Windows\System32\Dns\dns.log]
sourcetype=MSAD:NT6:DNS
disabled=false
index=win-ad-dns-debug
crcSalt = <source>
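To triage which dns.log lines a MAX_DAYS_AGO / MAX_DAYS_HENCE window check would reject, here is an added Python example (not from the question above and not Splunk's code). It assumes the default Windows DNS debug-log line format with a leading date stamp, uses the two clocks visible in the question (forwarder at -0400, indexer at -0700), and the header and packet lines in it are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed event shape in a Windows DNS debug log: a leading "M/D/YYYY h:mm:ss AM|PM"
# stamp. The date format follows the server locale; adjust TS_FMT if yours differs.
TS_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\b")
TS_FMT = "%m/%d/%Y %I:%M:%S %p"

# Clocks taken from the question: the forwarder logs at -0400, the indexer at -0700.
FORWARDER_TZ = timezone(timedelta(hours=-4))
INDEXER_NOW = datetime(2013, 6, 4, 9, 21, 34, tzinfo=timezone(timedelta(hours=-7)))

# Constructed sample: the file header (no leading stamp) followed by three packet
# events: one current, one dated in the future, one years in the past.
SAMPLE_LOG = """DNS Server log file creation at 6/4/2013 9:00:00 AM
Log file wrap at 6/4/2013 9:00:00 AM

Message logging key (for packets - other items use a subset of these fields):
\tField #  Information         Values
6/4/2013 9:21:31 AM 0A4C PACKET  000000000257E5F0 UDP Rcv 10.0.0.5  0002   Q [0001   D   NOERROR] A  (3)www(7)example(3)com(0)
6/9/2013 9:21:31 AM 0A4C PACKET  000000000257E5F0 UDP Snd 10.0.0.5  0002   R [8081   DR  NOERROR] A  (3)www(7)example(3)com(0)
1/1/2007 8:00:00 AM 0A4C PACKET  000000000257E5F0 UDP Rcv 10.0.0.9  0003   Q [0001   D   NOERROR] A  (3)dc1(5)corp(0)
"""

def classify_events(text, source_tz=FORWARDER_TZ, now=INDEXER_NOW,
                    max_days_ago=2000, max_days_hence=2):
    """Tag each line as a MAX_DAYS_AGO / MAX_DAYS_HENCE window check would.
    source_tz: zone the log's naive stamps were written in (the DNS host).
    now: aware clock of the machine doing the check (the indexer).
    Window defaults are Splunk's documented defaults for those two settings.
    Returns [(line_number, status)], status in 'no_timestamp', 'ok',
    'too_old', 'too_far_ahead'.
    """
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = TS_RE.match(line)
        if not m:  # header/blank lines carry no leading stamp
            results.append((lineno, "no_timestamp"))
            continue
        ts = datetime.strptime(m.group(1), TS_FMT).replace(tzinfo=source_tz)
        if ts < now - timedelta(days=max_days_ago):
            status = "too_old"
        elif ts > now + timedelta(days=max_days_hence):
            status = "too_far_ahead"
        else:
            status = "ok"
        results.append((lineno, status))
    return results
```

This check only honours a stamp at the start of a line, whereas Splunk's extractor may also pick a date out of the header lines unless props.conf constrains it with TIME_PREFIX or MAX_TIMESTAMP_LOOKAHEAD.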