Education
Abstract
How to collect DNS Analytic logs using WinCollect: Configure Windows to collect analytic logs and add an XPath to the Agent log source to collect the logs.
Content
Collecting DNS Analytic Logs (XPath)
To configure Windows to collect DNS Server analytic logs you must perform the following steps in the Event Viewer:Note: If the DNS server is running Windows Server 2012 R2, download the hotfix from, Update adds query logging and change auditing to Windows DNS servers
-
Type eventvwr.msc at an elevated command prompt and press ENTER to open Event Viewer.
-
In Event Viewer, navigate to Applications and Services Logs\Microsoft\Windows\DNS-Server.
-
Right-click DNS-Server, point to View, and then click Show Analytic and Debug Logs. The Analytical log will be displayed.
-
Right-click Analytical and then click Properties.
-
Under When maximum event log size is reached, choose Do not overwrite events (Clear logs manually), select the Enable logging checkbox, and click OK when you are asked if you want to enable this log. See the following example.
CAUTION: Step 5 is very important, if you do not configure this the WinCollect agent will not be able to collect the Analytical log. This is a limitation due to the logs being stored in etl format. You will see this in the debug logs if this step is not performed:
01-15 11:03:05.317 DEBUG Device.WindowsLog.W2K8.localhost.XPath : Error subscribing to <QueryList><Query Id="1" Path="Security"><Select Path="Microsoft-Windows-DNSServer/Analytical">*[System[Provider[@Name='Microsoft-Windows-DNSServer']]] and *[System[TimeCreated[@SystemTime > '2019-01-15T18:03:00.210645675Z']]]</Select></Query></QueryList> -- Error code 15022: The requested operation cannot be performed over an enabled direct channel. The channel must first be disabled before performing the requested operation.
Microsoft explains this error here: Error when enabling Analytic or Debug event logWARNING: You will need to manually clear the Analytical log and restart the WinCollect agent when the event log is full. As previously mentioned, this is a limitation due to the logs being stored in etl format.
-
Click OK again to enable the DNS Server Analytic event log. By default, analytic logs are written to the file:
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-DNSServer%4Analytical.etl.
Add XPath to WinCollect Agent
<QueryList> <Query Id="0" Path="Microsoft-Windows-DNSServer/Analytical">
<Select Path="Microsoft-Windows-DNSServer/Analytical">*</Select> </Query> </QueryList>
Was this topic helpful?
Document Information
Modified date:
17 February 2021
UID
ibm10795576