[Figure: Windows DNS analytical log in Event Viewer, EventID 261, first reply]

Windows DNS logging

Preface: Windows DNS logging is NOT our recommended method for collecting DNS request and reply transactions for continuous security monitoring. However, sometimes there is no other option, especially when the Windows DNS debug/analytical log is the only data source available during an IR investigation. In the first part of this post, we will discuss the Windows…

[Figure: Splunk showing garbled characters after importing an EventLog .evtx file with the wrong sourcetype]

Import EventLog into Splunk

Because Splunk uses the native Windows API to process an exported .evtx file, you must use a Windows machine with Splunk installed (either a Universal Forwarder or any full Splunk instance, including an all-in-one Splunk instance or a heavy forwarder) to process the file. In other words, the inputs.conf must be deployed or defined on a Windows machine in order to import EventLog/Sysmon event logs from .evtx files into Splunk. You also need to use the sourcetype preprocess-winevt. If you do not explicitly define it, Splunk reads the .evtx file as plain text and displays garbled characters after the import. You can find the working version of inputs.conf below.
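The following inputs.conf is an added example written for this page, not the author's own stanza from the post. It shows the shape of a file-monitor input for exported .evtx files with the preprocess-winevt sourcetype the text calls for; the directory C:\evtx_files and the index name evtx_import are assumptions and should be replaced with your own.

```ini
# Added example (not the post's original inputs.conf).
# Deploy this on the Windows host that runs the Universal Forwarder or
# full Splunk instance, since the evtx parsing relies on the Windows API.

# Assumed drop folder for exported .evtx files (adjust to your environment)
[monitor://C:\evtx_files\*.evtx]
# Required: without this sourcetype the binary .evtx file is indexed as
# text and shows up as garbled characters in search results
sourcetype = preprocess-winevt
# Assumed index name; create it or change it to an existing index
index = evtx_import
disabled = 0
```

Restart the forwarder (or Splunk instance) after deploying the stanza, then verify with a search such as `index=evtx_import | head 5` that the events render as structured Windows event fields rather than as garbled text.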