OMS DNS Analytics solution - no data


Hello - I am trying to get DNS logs into Log Analytics and into Sentinel.

 

The documentation here (https://docs.microsoft.com/en-us/azure/sentinel/connect-dns) says to simply install OMS and check the DnsEvent table. I did; nothing's there. PS. It's been many days, and nothing is there.

  • Although the documentation does not specify, does DNS diagnostic logging need to be enabled for this to work?
  • And if so, does that mean a custom log and data collection need to be configured for \path\to\dns.log?

 

Side Note:  I have packetbeat installed successfully capturing DNS logs without DNS Diagnostic Logging enabled.

 

11 Replies

@AndrewX 

 

Generally after you put the agent on the Windows Server that is running DNS, you will get the logs.

[Screenshot attachment: Annotation 2019-06-03 163934.jpg]

Is this the first time you've used Log Analytics? If not, do you have other data sources that are working (this can rule out proxy/firewall issues)?

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows

Did you "Verify agent connectivity to Log Analytics" as per the above link?


https://docs.microsoft.com/en-us/services-hub/health/troubleshooting_mma_agent

 

@CliveWatson 

 

I'm actually experiencing the same issue.  Enabled the collection about 18 hours ago and nothing is coming in to Log Analytics.  My connectivity is working properly and other events come in properly but nothing for DNS.

@CliveWatson 

 

Hmm, when it says to reset the config or load the config page once in the portal, where, specifically, is it referring to?  I've done changes within the Overview > DNS Analytics > DNS Analytics Configuration section so if that is it, that's been done with no change in the lack of events coming in.

@MattM2020 

Yes, it was that config: https://docs.microsoft.com/en-us/azure/azure-monitor/insights/dns-analytics#configuration. It may take 5-15 mins to work.

If you have ZERO entries (i.e. these queries don't work):

DnsEvents
| sort by TimeGenerated

DnsEvents
| where SubType == 'LookupQuery'

Then can you check that the Heartbeat table is working for the specific DNS servers (my DNS server is called DC01)?

Heartbeat
| where Computer startswith "DC01"
| summarize oldest_ = min(TimeGenerated), latest_ = max(TimeGenerated)
| extend diff_in_hours = datetime_diff('hour', todatetime(latest_), todatetime(oldest_))

oldest_                   latest_                   diff_in_hours
2019-12-17T17:40:53.897Z  2019-12-18T17:40:08.81Z   23
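The two checks above (is the agent on each DNS server heartbeating, and are any DnsEvents arriving) can be combined into one query so the failure mode described later in the thread, heartbeats and ConfigurationChange/DynamicRegistration events present but no LookupQuery events, shows up per server. This is an added example, not a query from the thread or from the DNS Analytics solution. It assumes the standard Heartbeat and DnsEvents tables, that both tables carry the same Computer name for a given server, and that your DNS servers' names start with "DC" (change the prefix to match your environment).

```kql
// Added example, not from the original thread. Per DNS server: heartbeat
// freshness next to a DnsEvents breakdown by SubType, so a server whose agent
// reports but never sends LookupQuery events is flagged.
let lookback = 24h;
// Assumption: DNS server computer names start with "DC"; adjust the prefix.
let dns_servers =
    Heartbeat
    | where TimeGenerated > ago(lookback)
    | where Computer startswith "DC"
    | summarize latest_heartbeat = max(TimeGenerated) by Computer
    | extend minutes_since_heartbeat = datetime_diff('minute', now(), latest_heartbeat);
let dns_events =
    DnsEvents
    | where TimeGenerated > ago(lookback)
    | summarize event_count = count() by Computer, SubType
    | summarize
        lookup_queries        = sumif(event_count, SubType == "LookupQuery"),
        config_changes        = sumif(event_count, SubType == "ConfigurationChange"),
        dynamic_registrations = sumif(event_count, SubType == "DynamicRegistration"),
        other_events          = sumif(event_count, SubType !in ("LookupQuery", "ConfigurationChange", "DynamicRegistration"))
        by Computer;
dns_servers
// leftouter keeps servers that have no DnsEvents rows at all (their counts are null).
| join kind=leftouter dns_events on Computer
| extend status = case(
    minutes_since_heartbeat > 60, "agent not reporting",
    isnull(lookup_queries) or lookup_queries == 0, "heartbeat OK, no LookupQuery events",
    "OK")
| project Computer, latest_heartbeat, minutes_since_heartbeat,
          lookup_queries, config_changes, dynamic_registrations, other_events, status
| sort by status asc, Computer asc
```

Note the caveat already raised in this thread: if the workspace has never received a single DNS event, the DnsEvents table does not exist yet and the whole query fails with the "Failed to resolve table" error rather than returning empty counts. In that state, run only the `dns_servers` half to confirm the agents are reporting, then revisit the solution configuration.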

 

 

 

LA hasn't even created a DnsEvents table and so generates the following:

'' operator: Failed to resolve table or column or scalar expression named 'DnsEvents'

I assume this is because it hasn't received events coming in from DNS. 

 

I have all of the following added in Advanced Settings\Data\Windows Event Logs in an attempt to get any DNS events coming in:

  • DNS Server
  • DNS Server/Analytical
  • Microsoft-Windows-DNS-Client/Operational
  • Microsoft-Windows-DNS-Server/Analytical

Heartbeats are showing fine and other data is coming in fine from that DC/DNS server.

@CliveWatson I have been 'enrolled' in the DNS Analytics preview for weeks but have never had any query events captured.

I have events of type ConfigurationChange and DynamicRegistration only.

I also have heartbeat from around a dozen Windows DCs running DNS.

As per your suggestion I have made a configuration change in order to 'reset' the config. I have then waited for a while, done some web searches to obscure websites on a member server and waited for these to show up in Log Analytics; they have not.

 

 

Did anyone manage to find a solution to this? Getting the exact same issue: 8 DNS servers enrolled, all showing active heartbeats, DynamicRegistration & ConfigurationChange events coming through fine, but no LookupQuery events ever occur.

Anyone gotten this to work? I cannot get it to work (LA shows a connection to the computer, running Server 2019, so it's a DNS connector issue). Last post on the github referenced before me also shows no resolution. Definitely have DNS analytic logs enabled and logging is happening locally. Other sources such as Security Events are showing up.

 

Edit: It is working now, after I removed the connector yet again, then changed the config to one setting and then changed config again and saved it. Obviously there is something buggy here, but it seems to have gotten events in now...

We spent days and days to work out what the issue may be and ended up raising an incident with Microsoft. We already went through steps that are described in this page but nothing worked.

Out of nowhere I decided to use Firefox (instead of Chrome) and voila! I can see DnsEvents in Log Analytics, and I can see the Configure option and Dashboard too. I asked my colleague to try Edge and that worked too.

I am writing this response to thank everyone for their guidance and with a hope that my response may also help someone.