DNS Troubleshooting
If a DNS event source hits an error, its icon changes to a yellow warning or a red failure. Hover over the icon to see the details of the error. Typical errors of this kind are failure to connect to the server, bad credentials, or failure to find the file or folder configured in the event source.
Use one of the following to help solve the problem:
- Common Solutions
- Microsoft DNS Log File has 0 Bytes
- Error: It has been at least 120 minutes since the last event
Common Solutions
Sometimes the DHCP and DNS event sources stop reading logs without showing a warning or error. In that situation, work through the following checks.
- Can you connect to the DHCP or DNS server file share when you log on to the machine running the InsightIDR collector? Test it with the account the event source is configured to use, not only your own.
- Is there a typo in the file pattern in the event source configuration? If the pattern is wrong, none of the files in the directory will match.
- Is srv.sys set to start on demand on the server? It should be. For more information, see: https://social.technet.microsoft.com/wiki/contents/articles/21104.best-practices-analyzer-srv-sys-should-be-set-to-start-on-demand.aspx
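The three checks above, run from the collector host as one script. This is an added example, not Rapid7's code; the server name, share name, file pattern and credential are placeholders you replace with the values from your event source, and the srv.sys check assumes WinRM access to the DNS server.

```powershell
# Added example (not Rapid7's code): run on the InsightIDR collector host to
# check the three "Common Solutions" conditions. Server, share, pattern and
# credential are assumptions; replace them with your own values.
param(
    [string]$DnsServer   = 'DNS01',        # hypothetical DNS server name
    [string]$Share       = 'dnslogs',      # hypothetical share holding the debug log
    [string]$FilePattern = 'dns*.log',     # file pattern configured in the event source
    [pscredential]$Credential = (Get-Credential -Message 'Account the event source uses')
)

$root = "\\$DnsServer\$Share"

# 1. Can the collector reach the share with the event source's credentials?
#    Mapping a PSDrive forces an SMB session with exactly those credentials
#    instead of reusing whatever session the logged-on user already has.
try {
    New-PSDrive -Name DNSLOG -PSProvider FileSystem -Root $root `
                -Credential $Credential -ErrorAction Stop | Out-Null
    Write-Host "OK   share $root reachable"
} catch {
    Write-Warning "FAIL cannot open $root : $($_.Exception.Message)"
    return
}

# 2. Does the configured file pattern match anything in that directory?
$hits = @(Get-ChildItem -Path 'DNSLOG:\' -Filter $FilePattern -File)
if ($hits.Count -gt 0) {
    foreach ($f in $hits) {
        Write-Host ("OK   {0}  {1,12} bytes  modified {2}" -f $f.Name, $f.Length, $f.LastWriteTime)
        # A 0-byte file is the rollover symptom described in the next section.
        if ($f.Length -eq 0) { Write-Warning "     $($f.Name) is 0 bytes" }
    }
} else {
    Write-Warning "FAIL no file in $root matches '$FilePattern'; files present:"
    Get-ChildItem -Path 'DNSLOG:\' -File | ForEach-Object { Write-Warning "     $($_.Name)" }
}
Remove-PSDrive -Name DNSLOG

# 3. Is srv.sys set to start on demand on the DNS server? The driver's Start
#    value under its service key is 3 for "demand start". Assumes WinRM is
#    enabled on the server for this credential.
$start = Invoke-Command -ComputerName $DnsServer -Credential $Credential -ScriptBlock {
    (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\srv' `
                      -Name Start -ErrorAction SilentlyContinue).Start
}
if ($null -eq $start) {
    Write-Warning "     srv service key not found on $DnsServer (SMB1 driver may be absent)"
} elseif ($start -eq 3) {
    Write-Host "OK   srv.sys start type is 3 (demand start)"
} else {
    Write-Warning "FAIL srv.sys start type is $start; set it with: sc.exe config srv start= demand"
}
```

Run it under the same account the collector service uses where possible; a share that opens for your interactive session but not for the service account produces exactly the silent "no logs, no error" state this section describes.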
Microsoft DNS Log File has 0 Bytes
In some cases, when the log file needs to roll over, the DNS server cannot delete the old file because the collector has it open. The issue is discussed here: https://nxlog.co/disappearing-windows-dns-debug-log.
To work around this issue:
- Configure a DNS event source using Watch Directory
- Optionally enable log file deletion
Error: It has been at least 120 minutes since the last event
The DNS event source can stop working and show this error even though the DNS server has not stopped logging: the log file can still be opened from the collector, so there is no apparent cause. In that case, collector.log usually shows: Read already in progress, consider increasing scan interval
To fix this error and to allow the collector to read the file again:
- Check the collector.log. Start at the bottom of the log and search upwards for the DNS server name, and look for the following line:
FILE READ: smb://DNSServerNameHere/ShareName/dnsdebug.log [176748106 -> 176837156, Bytes Read: 89050]
If the file contains errors, an indication that the log is not being read, or the "read already in progress" messages, complete the following in order:
- Verify that antivirus software has not locked the file. Exclude the folder containing the log from AV scanning.
- When configuring debug logging on the DNS server, you choose the maximum file size before the log rolls over. If the file grows very large before rolling over, decrease that size.
- Restart the Rapid7 Collector service, or reboot the collector host.
- Restart the DNS Server service.
- Reboot the DNS server.
- Delete the event source and recreate it.
Once the collector can read the log again, no further steps are needed. If the error persists, contact Rapid7 Support.
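The triage and the first fixes from the procedure above, as an added example that is not Rapid7's code. Part 1 runs on the collector and scans collector.log for the server's FILE READ lines and "Read already in progress" messages; part 2 runs on the DNS server and applies the AV exclusion, the smaller rollover size and the service restart. The log lines are constructed to match the format quoted above, the collector.log path and the collector service name are assumptions, and the Defender and DnsServer cmdlets assume those features are installed on the DNS server.

```powershell
# ---- Part 1: on the collector, what is the DNS read doing? ----
# Added example, not Rapid7's code. Server name and paths are assumptions.
$DnsServer = 'DNSServerNameHere'     # as in the FILE READ line quoted in the article

# Constructed sample of collector.log content. On a real collector replace it with
#   Get-Content 'C:\Program Files\Rapid7\Collector\logs\collector.log' -Tail 5000
# (that path is an assumption; use wherever your collector writes collector.log).
$logLines = @'
2023-05-01 10:00:03 INFO  FILE READ: smb://DNSServerNameHere/ShareName/dnsdebug.log [176659056 -> 176748106, Bytes Read: 89050]
2023-05-01 10:05:04 INFO  FILE READ: smb://DNSServerNameHere/ShareName/dnsdebug.log [176748106 -> 176837156, Bytes Read: 89050]
2023-05-01 10:10:03 WARN  smb://DNSServerNameHere/ShareName/dnsdebug.log Read already in progress, consider increasing scan interval
2023-05-01 10:15:03 WARN  smb://DNSServerNameHere/ShareName/dnsdebug.log Read already in progress, consider increasing scan interval
'@ -split "`r?`n"

$server = [regex]::Escape($DnsServer)

# Newest FILE READ line for this server. The bracketed offsets show whether the
# read cursor is still advancing and how many bytes the last pass consumed.
$readPattern = "FILE READ: smb://$server/.*?\[(\d+) -> (\d+), Bytes Read: (\d+)\]"
$lastRead = $logLines | Where-Object { $_ -match $readPattern } | Select-Object -Last 1
if ($lastRead -and ($lastRead -match $readPattern)) {
    Write-Host "Last read line : $lastRead"
    Write-Host ("Offsets        : {0} -> {1}  ({2} bytes)" -f $Matches[1], $Matches[2], $Matches[3])
} else {
    Write-Warning "No FILE READ lines for $DnsServer in the sampled log"
}

# Any "Read already in progress" messages for this server after the last read?
$stuck = @($logLines | Where-Object { $_ -match $server -and $_ -match 'Read already in progress' })
if ($stuck.Count -gt 0) {
    Write-Warning "$($stuck.Count) 'Read already in progress' messages for $DnsServer; last one:"
    Write-Warning "  $($stuck[-1])"
}

# ---- Part 2: on the DNS server, in the order the article gives ----
# Apply one step, then re-run part 1 on the collector before taking the next.

# a) Exclude the debug log's folder from Defender real-time scanning so AV
#    cannot hold the file locked. Folder is taken from the DNS diagnostics
#    settings; if debug logging is not enabled there is nothing to exclude.
$logPath = (Get-DnsServerDiagnostics).LogFilePath
if ($logPath) {
    Add-MpPreference -ExclusionPath (Split-Path -Parent $logPath)
}

# b) Lower the rollover size. MaxMBFileSize is, despite its name, a byte count
#    (the default is 500000000); 100 MB here is a starting point, not a rule.
Set-DnsServerDiagnostics -MaxMBFileSize 100000000

# c) Restart the collector service on the collector host (service name is an
#    assumption; confirm it with Get-Service there), then the DNS Server service.
# Restart-Service -Name 'Rapid7 Insight Collector'   # run this on the collector host
Restart-Service -Name DNS

# d) If "Read already in progress" keeps appearing after these steps, reboot the
#    DNS server and, as the last resort, delete and recreate the event source.
```

The value to watch between steps is the pair of offsets in the newest FILE READ line: if the second number keeps growing and the warnings stop, the collector is reading again and you can stop at that step.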