LogLogic Microsoft Domain Name System (DNS) Log Configuration Guide

Document Release: September 2011
Part Number: LL600027-00ELS090000

This manual supports LogLogic Microsoft DNS Release 1.0 and later, and LogLogic Software Release 5.1 and later, until replaced by a new edition.
2011 LogLogic, Inc.

Proprietary Information

This document contains proprietary and confidential information of LogLogic, Inc. and its licensors. In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc.

Trademarks

LogLogic and the LogLogic logo are trademarks or registered trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company or product names are trademarks or registered trademarks of their respective owners.

Notice

The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set out exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation.

LogLogic, Inc.
110 Rose Orchard Way, Suite 200
San Jose, CA 95134
Tel: +1 408 215 5900
Fax: +1 408 774 1752
U.S. Toll Free: 888 347 3883
http://www.loglogic.com
Contents

Preface
  About This Guide ...................................................... 5
  Technical Support ..................................................... 5
  Documentation Support ................................................. 5
  Conventions ........................................................... 6

Chapter 1  Configuring LogLogic's Microsoft DNS Log Collection
  Introduction to Microsoft DNS ......................................... 7
  Prerequisites ......................................................... 7
  Configuring Microsoft DNS ............................................. 8
  Installing and Configuring Project Lasso .............................. 9
  Enabling the LogLogic Appliance to Capture Log Data ................... 9
  Automatically Identifying a Microsoft DNS Device ...................... 9
  Adding a Microsoft DNS Device ......................................... 10
  Verifying the Configuration ........................................... 11

Chapter 2  How LogLogic Supports Microsoft DNS
  How LogLogic Captures Microsoft DNS Log Data .......................... 12
  Supported Microsoft DNS Operational Events ............................ 13
  LogLogic Real-Time Reports ............................................ 13
  LogLogic Search Filters ............................................... 13

Chapter 3  Troubleshooting and FAQ
  Troubleshooting ....................................................... 15
  Frequently Asked Questions ............................................ 16

Appendix A  Reference
  LogLogic Support for Microsoft DNS Events ............................. 17

Microsoft DNS Log Configuration Guide 3
Preface

About This Guide

The LogLogic Appliance-based solution lets you capture and manage log data from all types of log sources in your enterprise. LogLogic support for Microsoft DNS enables LogLogic Appliances to capture logs from machines running Microsoft DNS. Once the logs are captured and parsed, you can generate reports and create alerts on Microsoft DNS operations. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.

Technical Support

LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances.

To reach LogLogic Customer Support:
  Telephone: Toll Free 1-800-957-LOGS
             Local 1-408-834-7480
             EMEA or APAC: +44 (0) 207 1170075 or +44 (0) 8000 669970
  Email: support@loglogic.com

You can also visit the LogLogic Support website at: http://www.loglogic.com/services/support

When contacting Customer Support, be prepared to provide:
  - Your name, email address, phone number, and fax number
  - Your company name and company address
  - Your machine type and release version
  - A description of the problem and the content of pertinent error messages (if any)

Documentation Support

Your feedback on LogLogic documentation is important to us. Send e-mail to DocComments@loglogic.com if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team. In your e-mail message, please indicate the software name and version you are using, as well as the title and document date of your documentation.
Conventions

LogLogic documentation uses the following conventions to highlight code and command-line elements:

  - A monospace font is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as file names, directories, paths, and URLs).

  - A monospace bold font is used to distinguish system prompts or screen output from user responses, as in this example:

        username: system
        home directory: home\app

  - A monospace italic font is used for placeholders, which are general names that you replace with names specific to your site, as in this example:

        LogLogic_home_directory\upgrade\

  - Straight brackets signal options in command-line syntax. For example:

        ls [-AabCcdFfgiLlmnopqRrstux1] [-X attr] [path...]
Chapter 1  Configuring LogLogic's Microsoft DNS Log Collection

This chapter describes the configuration steps that enable a LogLogic Appliance to capture Microsoft DNS logs. The steps assume that you have a functioning LogLogic Appliance that can be configured to capture Microsoft DNS log data.

  Introduction to Microsoft DNS ......................................... 7
  Prerequisites ......................................................... 7
  Configuring Microsoft DNS ............................................. 8
  Enabling the LogLogic Appliance to Capture Log Data ................... 9
  Verifying the Configuration ........................................... 11

Introduction to Microsoft DNS

LogLogic enables you to capture operational event log data to monitor Microsoft DNS Server events. Microsoft DNS operational events record information related to DNS server startup, shutdown, and restart, as well as DNS server configuration changes and status information.

Microsoft DNS operational logs are captured by LogLogic's open source Windows Collector, Project Lasso. The Windows Collector can run in one of the following modes: Agent Mode, Collector Mode, or both (a hybrid mode). Regardless of the mode used, all collected logs are forwarded to the LogLogic Appliance using Syslog over UDP or TCP.

The configuration procedures for Microsoft DNS and the LogLogic Appliance depend upon your environment and how the Windows Collector is configured. For more information, see How LogLogic Captures Microsoft DNS Log Data on page 12 and the LogLogic Windows Collector Guide (Project Lasso).

Prerequisites

Prior to configuring Microsoft DNS and the LogLogic Appliance, ensure that you meet the following prerequisites:

  - Microsoft DNS running on Windows Server 2000 SP3 or 2003 SP1
  - Administrative access on the Windows server
  - Project Lasso Release 4.0 or later installed on the Windows server. For more information, see the LogLogic Windows Collector Guide (Project Lasso).
  - LogLogic Appliance running Release 5.1 or later, installed with a Log Source Package that includes Microsoft DNS Server support
  - Administrative access on the LogLogic Appliance
Configuring Microsoft DNS

Logging is configured by default on a Microsoft DNS server. Make sure that your configuration matches the one described in the following steps.

To enable Microsoft DNS server logging:

1. Log in to the Microsoft DNS server.
2. From the Windows Start menu, select Settings > Control Panel.
3. Double-click Administrative Tools.
4. Double-click DNS. The DNS console appears.
5. Expand the tree on the left, and select the applicable DNS server from the list.
6. On the Action menu, click Properties.
7. On the Logging tab, select the All events radio button.
8. Click OK.

Figure 1  DNS Console
Installing and Configuring Project Lasso

The Microsoft DNS logs are collected and transported using Project Lasso, which collects Windows logs and transfers them to the LogLogic Appliance. By default, the Project Lasso program directory is located at:

    C:\Program Files\Lasso

Project Lasso spools log messages if the connection to the Appliance is temporarily lost. By default, the following directory contains all spooled log messages:

    C:\Program Files\Lasso\LassoRepository\Spool

You can change the host machine and event log identification information by editing the hostlist.ini configuration file in Project Lasso. You can change the spool log location and other Lasso monitoring parameters by editing the Lasso.ini file. For the complete installation and configuration procedures for Project Lasso, including information on the Lasso.ini and hostlist.ini files, see the LogLogic Windows Collector Guide (Project Lasso).

Enabling the LogLogic Appliance to Capture Log Data

The following sections describe how to enable the LogLogic Appliance to capture Microsoft DNS log data.

Automatically Identifying a Microsoft DNS Device

With the auto-identification feature, the LogLogic Appliance recognizes Microsoft DNS events by default using the Syslog Listener. As the Syslog messages come into the Appliance, they are automatically identified and a new Microsoft DNS device type is added to the log source device list. Default values are used for certain properties, such as the device name.

To enable auto-identification in the LogLogic Appliance:

1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Administration > System Settings. The General tab appears.
3. For Auto-identify Log Sources, select Yes.
4. Click Update.

Once the automatically identified device is added, you can edit its properties.

IMPORTANT! Do not change the auto-identified Device Type and Host IP information.

To edit an existing Microsoft DNS device:

1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Management > Devices. The Devices tab appears.
3. Click an existing Microsoft DNS device in the list and click Modify Device. The Modify Device tab appears.
4. Edit the device fields as needed, then click Update Device.
Adding a Microsoft DNS Device

If you do not want to use the auto-identification feature, you can manually add a Microsoft DNS device to the LogLogic Appliance before you redirect the logs.

IMPORTANT! LogLogic highly recommends using the auto-identification feature for all supported devices. If you want to add devices manually, make sure that the Auto-identify Log Sources setting is not enabled on the LogLogic Appliance. If the auto-identification setting is enabled and you manually add devices, duplicate device entries might appear on the Appliance.

To add Microsoft DNS as a new device:

1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Management > Devices. The Devices tab appears.
3. Click Add New. The Add Device tab appears.

   Figure 2  Adding a Device to the LogLogic Appliance

4. Type in the following information for the device:
     Name: Name for the Microsoft DNS device
     Description (optional): Description of the Microsoft DNS device
     Device Type: Select Microsoft DNS from the drop-down menu
     Host IP: IP address of the Microsoft DNS server
     Enable Data Collection: Select the Yes radio button
     Refresh Device Name through DNS Lookups (optional): Select this checkbox to have the Name field updated automatically. The name is obtained using a reverse DNS lookup on the configured refresh interval. The DNS name overrides any manual name you assign.
5. Click Add.
6. Verify that your new device appears in the Devices tab and that Enabled is set to Yes.

When the logs arrive from the specified Microsoft DNS server, the LogLogic Appliance uses the device you just added if the hostname or IP address matches.

Verifying the Configuration

This section describes how to verify that the configuration changes made to Microsoft DNS and the LogLogic Appliance have been applied correctly.

To verify the configuration:

1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Dashboards > Log Source Status. The Log Source Status tab appears.
3. Locate the IP address for each Microsoft DNS device. If the device name (Microsoft DNS) appears in the list of devices, then the configuration is correct.

If the device does not appear in the Log Source Status tab, check the Microsoft DNS logs for events that should have been sent. If events were generated and are still not appearing on the LogLogic Appliance, verify the Microsoft DNS configuration, the Project Lasso configuration, and the LogLogic Appliance configuration.

You can also verify that the LogLogic Appliance is properly capturing log data from Microsoft DNS by viewing the data in the reports. LogLogic recommends checking the reports to make sure that the data obtained is valid and matches expectations. For more information, see LogLogic Real-Time Reports on page 13. If the device name appears in the list of devices but event data for the device does not appear in your reports, see Troubleshooting on page 15.
Chapter 2  How LogLogic Supports Microsoft DNS

This chapter describes LogLogic's support for Microsoft DNS. LogLogic enables you to capture operational log data to monitor Microsoft DNS events.

  How LogLogic Captures Microsoft DNS Log Data .......................... 12
  Supported Microsoft DNS Operational Events ............................ 13
  LogLogic Real-Time Reports ............................................ 13
  LogLogic Search Filters ............................................... 13

How LogLogic Captures Microsoft DNS Log Data

LogLogic's Windows Collector, Project Lasso, is used to collect the Microsoft DNS operational logs stored in the Windows System Log. The Windows Collector is an open source application developed by LogLogic to collect Windows event logs and forward them in syslog format to the LogLogic Appliance.

If the Windows Collector is in Agent Mode, logs are collected and forwarded from the Windows system where it is installed. If the Windows Collector is in Collector Mode, logs are collected and forwarded from Windows systems other than the system where it is installed. The Windows Collector can also run in both modes at the same time: in hybrid mode, the collector captures and forwards messages from the Windows machine where it is installed and from the other Windows systems it is configured to access. Regardless of the mode used, all collected logs are forwarded to the LogLogic Appliance's Syslog Listener via UDP or TCP.

Figure 3  Microsoft DNS Server and Project Lasso with LogLogic Appliance Components and Processes

Once the data is captured and parsed, you can generate reports. In addition, you can create alerts to notify you of issues on Microsoft DNS. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.

Note: When a log file is transferred, each file contains a timestamp consisting of a date and time. The timestamp refers to the file creation date and time for a particular message in the file. For a listing of the date and time formats LogLogic supports, see the LogLogic Administration Guide.
Supported Microsoft DNS Operational Events

Microsoft DNS related operational events are recorded in the Windows System Log. By default, this includes major activities that potentially affect the operating system (for example, Microsoft DNS server startup, shutdown, errors, and changes to configuration options). Table 1 on page 18 lists the Microsoft DNS operational events that are supported by the LogLogic Appliance.

Note: The LogLogic Appliance captures all messages from the Microsoft DNS logs, but includes only specific messages for report/alert generation. See Appendix A Reference on page 17 for sample log messages for each event and the event-to-category mapping.

LogLogic Real-Time Reports

LogLogic provides pre-configured Real-Time Reports for Microsoft DNS log data. The following Real-Time Report is available:

  All Unparsed Events - Displays data for all events retrieved from the Microsoft DNS log for a specified time interval

To access LMI 4 Real-Time Reports:

1. In the left navigation pane, click Real-Time Reports.
2. Click Logs. The following Real-Time Report is available: All Unparsed Events

To access LMI 5 Real-Time Reports:

1. In the top navigation pane, click Reports.
2. Click Operational. The following Real-Time Report is available: All Unparsed Events

You can create custom reports from the existing Real-Time Report templates. For more information, see the LogLogic User Guide and LogLogic Online Help.

LogLogic Search Filters

LogLogic provides pre-configured Search Filters for Microsoft DNS log data. Search Filters are used to filter report data and create alerts.

To access Search Filters:

1. From the navigation menu, select Search.
2. Select Search Filters.

The following Search Filters are available:

  Microsoft DNS: Availability Report - Displays details on Microsoft DNS starting and shutdown related errors or status messages
  Microsoft DNS: Capacity Management - Displays details on messages related to disk space or memory
  Microsoft DNS: Configuration Changes - Displays details on Microsoft DNS configuration changes
  Microsoft DNS: Critical Errors - Displays details on Microsoft DNS critical errors
  Microsoft DNS: Security Events - Displays all Microsoft DNS security events
  Microsoft DNS: Server Start/Stop - Displays details on DNS server start and stop activities
  Microsoft DNS: System Health - Displays details on Microsoft DNS system health information

For more information on Search Filters, reports, and alerts, see the LogLogic User Guide and LogLogic Online Help.
Chapter 3  Troubleshooting and FAQ

This chapter contains troubleshooting information regarding the configuration and use of log collection for Microsoft DNS. It also contains Frequently Asked Questions (FAQ), providing quick answers to common questions.

  Troubleshooting ....................................................... 15
  Frequently Asked Questions ............................................ 16

Troubleshooting

Is your version of Microsoft DNS supported?
For more information, see Prerequisites on page 7.

Is your LogLogic Appliance running Release 5.1 or later?
If you are running a release prior to 5.1, you will require an upgrade. Contact LogLogic Support for more information.

Are you running Project Lasso 4.0 or later?
If you are running a release prior to 4.0, you might require an upgrade. Contact LogLogic Support for more information.

Is the appropriate Log Source Package (LSP) installed properly?
Check to make sure that the installed LSP includes support for Microsoft DNS. Also make sure that the package was installed successfully. For more information on LSP installation procedures, see the LogLogic Log Source Package Release Notes.

If Microsoft DNS events are not appearing on the LogLogic Appliance...
You can verify that your log files are received by viewing the File Transfer History, from the Administration > File Transfer History tab. Make sure that you have properly installed and configured Project Lasso, and that no errors are present in Lasso's error log (LassoTrace.log). For more information, see the LogLogic Windows Collector Guide (Project Lasso). Also make sure that the Appliance is properly auto-identifying the device. If not, try adding the device to the Appliance manually. For more information, see Automatically Identifying a Microsoft DNS Device on page 9 and Adding a Microsoft DNS Device on page 10.

If events are not displaying on the LogLogic Appliance even after configuring Microsoft DNS and Project Lasso correctly...
Microsoft DNS logs are sent, via UDP or TCP, in Syslog format to the LogLogic Appliance. Make sure that the UDP or TCP port is enabled on the Microsoft DNS machine. For more information on supported protocols and ports, see the LogLogic Administration Guide and the LogLogic Windows Collector Guide (Project Lasso).
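The troubleshooting entry above comes down to one question: can a Syslog record leave the Windows host over UDP or TCP and arrive intact? The following Python script is an added illustration of that transport path; it is not part of this guide, of Project Lasso, or of the LogLogic Appliance. It stands up a throwaway listener on the loopback interface, sends one record in the MSWinLog layout shown in Appendix A (the record itself is a constructed test payload), and reports whether each transport delivered it unchanged. The listener address, ephemeral port and newline framing for TCP are assumptions of this example, not documented Appliance behaviour.

```python
import socket

# Constructed test payload in the Lasso MSWinLog layout seen in Appendix A.
# Only its byte-for-byte survival matters here; nothing below parses it.
TEST_MESSAGE = ("<13>Feb 15 11:56:16 10.116.28.200 MSWinLog 0 DNS Server 233 "
                "Thu Feb 15 11:53:39 2007 1 DNS Unknown User N/A Information "
                "LAB-2003-200 None Unknown 4")


def udp_roundtrip(message: str, host: str = "127.0.0.1", timeout: float = 2.0) -> str:
    """Bind a throwaway UDP listener, send one Syslog datagram to it, return what arrived."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        listener.bind((host, 0))            # port 0: the OS picks a free port
        listener.settimeout(timeout)        # a silent port fails fast instead of hanging
        port = listener.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
            sender.sendto(message.encode("utf-8"), (host, port))
        data, _peer = listener.recvfrom(65535)
        return data.decode("utf-8")
    finally:
        listener.close()


def tcp_roundtrip(message: str, host: str = "127.0.0.1", timeout: float = 2.0) -> str:
    """Same check over TCP; a trailing newline (assumed framing) marks the record end."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        listener.bind((host, 0))
        listener.listen(1)
        listener.settimeout(timeout)
        port = listener.getsockname()[1]
        with socket.create_connection((host, port), timeout=timeout) as sender:
            sender.sendall((message + "\n").encode("utf-8"))
        conn, _peer = listener.accept()
        with conn:
            conn.settimeout(timeout)
            buf = b""
            while not buf.endswith(b"\n"):
                chunk = conn.recv(4096)
                if not chunk:               # sender closed before the newline arrived
                    break
                buf += chunk
        return buf.decode("utf-8").rstrip("\n")
    finally:
        listener.close()


def transport_check(message: str = TEST_MESSAGE) -> dict:
    """Return {"udp": bool, "tcp": bool}: True when the transport delivered the record unchanged."""
    results = {}
    for name, roundtrip in (("udp", udp_roundtrip), ("tcp", tcp_roundtrip)):
        try:
            results[name] = roundtrip(message) == message
        except OSError:                     # bind/connect refused, timeout, etc.
            results[name] = False
    return results


if __name__ == "__main__":
    for transport, ok in transport_check().items():
        print(f"{transport}: {'delivered' if ok else 'FAILED'}")
```

Because both ends run on the same host, a failure here points at local socket or firewall restrictions rather than at the Appliance; a clean pass confirms only that the host can emit Syslog on each transport, so the Appliance-side port and listener configuration still have to be checked as the guide describes.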
Frequently Asked Questions

How does the LogLogic Appliance collect logs from Microsoft DNS?
For log collection, an open source Windows Collector, Project Lasso, is required in order to read the .evt files from the Windows machine, convert them into text, and forward them in Syslog format, via UDP or TCP, to the LogLogic Appliance. The LogLogic Appliance functions as the Syslog server. For more information, see How LogLogic Captures Microsoft DNS Log Data on page 12.

What access permissions are required?
To configure logging on Microsoft DNS, the Windows user must have administrative permissions.

How do I configure logging on Microsoft DNS?
Follow the procedure in Configuring Microsoft DNS on page 8. Also make sure that you have properly installed and configured Project Lasso. For more information, see Installing and Configuring Project Lasso on page 9 and the LogLogic Windows Collector Guide (Project Lasso).
Appendix A  Reference

This appendix lists the LogLogic-supported Microsoft DNS events. The Microsoft DNS event table identifies events that can be analyzed through LogLogic reports. All sample log messages were captured by LogLogic's Syslog Listener.

LogLogic Support for Microsoft DNS Events

The following list describes the contents of each of the columns in the table below.

  ID: Microsoft DNS event identifier for operational events.
      Note: There are no IDs for debug events. Debug events are identified as Query or Response events.
  Agile Reports/Search: Defines whether the Microsoft DNS event is available through the LogLogic Agile Report Engine or through the search capabilities. If the event is available through the Agile Report Engine, then you can use LogLogic's Real-Time Reports and Summary Reports to analyze and display the captured log data. Otherwise, all other supported events captured by the LogLogic Appliance can be viewed by performing a search for the log data.
  Title/Comments: Description of the event
  Category: All events belong to the Operational category
  Type: Type of event, such as Success, Failure, etc.
  Sample Log Message: Sample Microsoft DNS log messages in text format
Table 1  Microsoft DNS Events

Columns: ID | Agile Reports/Search | Title/Comments | Category | Type | Sample Log Message

Row 1
  ID: 1
  Agile Reports/Search: Search
  Title/Comments: Starting Microsoft DNS server.
  Category: Operational
  Sample Log Message: <13>Feb 15 11:56:16 10.116.28.200 MSWinLog 0 DNS Server 233 Thu Feb 15 11:53:39 2007 1 DNS Unknown User N/A Information LAB-2003-200 None Unknown 4

Row 2
  ID: 2
  Agile Reports/Search: Search
  Title/Comments: The DNS server has started.
  Category: Operational
  Sample Log Message: <13>Feb 15 11:51:16 10.116.28.200 MSWinLog 0 DNS Server 226 Thu Feb 15 11:47:01 2007 2 DNS Unknown User N/A Information LAB-2003-200 None Unknown 3

Row 3
  ID: 3
  Agile Reports/Search: Search
  Title/Comments: The DNS server has shutdown.
  Category: Operational
  Sample Log Message: <13>Feb 15 11:56:16 10.116.28.200 MSWinLog 0 DNS Server 239 Thu Feb 15 11:53:39 2007 3 DNS Unknown User N/A Information LAB-2003-200 None Unknown 4

Row 4
  ID: 710
  Agile Reports/Search: Search
  Title/Comments: An administrator has changed the type and zone storage options of zone %1. The zone is now type %2. The zone will be stored in the zone file %3.
  Category: Operational
  Sample Log Message: <13>Feb 21 17:39:35 10.116.28.222 MSWinLog 0 DNS Server 17900 Wed Feb 21 16:46:39 2007 710 DNS Unknown User N/A Information WIPRO-LOG-222 None An administrator has changed the type and zone storage options of zone DNSDHCP.com. The zone is now type 2. The zone will be stored in the zone file DNSDHCP.com.dns. 20

Row 5
  ID: 711
  Agile Reports/Search: Search
  Title/Comments: An administrator has changed the type and/or Active Directory location of zone %1. The zone is now type %2. The zone will be stored in Active Directory at %3.
  Category: Operational
  Sample Log Message: <13>Feb 21 17:39:35 10.116.28.222 MSWinLog 0 DNS Server 17900 Wed Feb 21 16:46:39 2007 710 DNS Unknown User N/A Information WIPRO-LOG-222 None An administrator has changed the type and/or Active Directory location of zone DNSDHCP.com.The zone is now type 2 The zone will be stored in Active Directory at DC=DNSDHCP.com,cn=MicrosoftDNS,cn=System,DC=DNSDHCP,DC=com. 20

Row 6
  ID: 712
  Agile Reports/Search: Search
  Title/Comments: An administrator has changed the zone storage options for zone %1. The zone will now be stored in the zone file %2.
  Category: Operational
  Sample Log Message: <13>Feb 21 18:42:22 10.116.28.222 MSWinLog 0 DNS Server 18894 Wed Feb 21 16:36:53 2007 712 DNS Unknown User N/A Information WIPRO-LOG-222 None An administrator has changed the zone storage options for zone DNSDHCP.com. The zone will now be stored in the zone file DNSDHCP.com.dns. 14

Row 7
  ID: 713
  Agile Reports/Search: Search
  Title/Comments: An administrator has moved the zone %1 to a new location in Active Directory. The zone will be stored in Active Directory at %2.
  Category: Operational
  Sample Log Message: <13>Feb 21 18:42:22 10.116.28.222 MSWinLog 0 DNS Server 18895 Wed Feb 21 16:37:59 2007 713 DNS Unknown User N/A Information WIPRO-LOG-222 None An administrator has moved the zone DNSDHCP.com to a new location in Active Diretory. The zone will be stored in Active Directory at DC=DNSDHCP.com,cn=MicrosoftDNS,cn=System,DC=DNSDHCP,DC=com. 15

Row 8
  ID: 2600
  Agile Reports/Search: Search
  Title/Comments: To prevent the event log from filling up too rapidly the DNS server has suppressed event ID %1 a total of %2 times in the last %3 minutes.
  Category: Operational
  Sample Log Message: The log format for this event is supported by the LogLogic Appliance,

Row 9
  ID: 2601
  Agile Reports/Search: Search
  Title/Comments: To prevent the event log from filling up too rapidly the DNS server has suppressed event ID %1 a total of %2 times in the last %3 minutes. These events were in relation to zone %4.
  Category: Operational
  Sample Log Message: The log format for this event is supported by the LogLogic Appliance,

Row 10
  ID: 5500
  Agile Reports/Search: Search
  Title/Comments: The DNS server received a bad DNS query from %1. The query was rejected or ignored. The event data contains the DNS packet.
  Category: Operational
  Type: Error
  Sample Log Message: <13>Feb 15 11:51:16 10.116.28.200 MSWinLog 0 DNS Server 226 Thu Feb 15 11:47:01 2007 5500 DNS Unknown User N/A Information LAB-2003-200 None The DNS server received a bad DNS query from server1. The query was rejected or ignored. The event data contains the DNS packet. 5

Row 11
  ID: 5504
  Agile Reports/Search: Search
  Title/Comments: The DNS server encountered an invalid domain name in a packet from %1. The packet will be rejected. The event data contains the DNS packet.
  Category: Operational
  Type: Error
  Sample Log Message: <13>Feb 21 18:42:22 10.116.28.222 MSWinLog 0 DNS Server 18895 Wed Feb 21 16:37:59 2007 5504 DNS Unknown User N/A Information WIPRO-LOG-222 None The DNS server encountered an invalid domain name in a packet from 10.116.28.67. The packet will be rejected.the event data contains the DNS packet. 15

Row 12
  ID: 5505
  Agile Reports/Search: Search
  Title/Comments: The DNS server encountered a domain name exceeding the maximum length in the packet from %1. The event data contains the DNS packet.
  Category: Operational
  Type: Error
  Sample Log Message: <13>Feb 15 11:51:16 10.116.28.200 MSWinLog 0 DNS Server 226 Thu Feb 15 11:47:01 2007 5505 DNS Unknown User N/A Information LAB-2003-200 None The DNS server encountered a domain name exceeding the maximum length in the packet from 10.116.28.67.The event data contains the DNS packet.. 5

Row 13
  ID: 5506
  Agile Reports/Search: Search
  Title/Comments: The DNS server encountered an invalid domain name offset in a packet from %1. The event data contains the DNS packet.
  Category: Operational
  Type: Error
  Sample Log Message: <13>Feb 21 17:39:35 10.116.28.222 MSWinLog 0 DNS Server 17888 Mon Feb 19 16:14:26 2007 5506 DNS Unknown User N/A Warning WIPRO-LOG-222 None 0000: 50 25 00 00 P%.. The DNS server encountered an invalid domain name offset in a packet from 10.11628.66.The event data contains the DNS packet. 101

Row 14
  ID: 5507
  Agile Reports/Search: Search
  Title/Comments: The DNS server encountered a name offset exceeding the packet length from %1. The event data contains the DNS packet.
  Category: Operational
  Type: Error
  Sample Log Message: <13>Feb 15 11:51:16 10.116.28.200 MSWinLog 0 DNS Server 226 Thu Feb 15 11:47:01 2007 5507 DNS Unknown User N/A Information LAB-2003-200 None The DNS server encountered a name offset exceeding the packet length from 10.11628.66. The event data contains the DNS packet. 5

Row 15
  ID: 5508
  Agile Reports/Search: Search
  Title/Comments: The DNS server encountered a packet name exceeding the maximum label count from %1. The event data contains the DNS packet.
  Category: Operational
  Type: Error
  Sample Log Message: The log format for this event is supported by the LogLogic Appliance,

Row 16
  ID: 5509
  Agile Reports/Search: Search
  Title/Comments: The DNS server encountered an invalid DNS update message from %1. The packet was rejected. The event data contains the DNS packet.
  Category: Operational
  Type: Error
  Sample Log Message: <13>Feb 15 11:51:16 10.116.28.200 MSWinLog 0 DNS Server 226 Thu Feb 15 11:47:01 2007 5509 DNS Unknown User N/A Information LAB-2003-200 None The DNS server encountered an invalid DNS update message from 10.116.28.60. The packet was rejected.the event data contains the DNS packet. 5

Row 17
  ID: 5510
  Agile Reports/Search: Search
  Title/Comments: The DNS server encountered an invalid response message from %1. The packet was rejected. The event data contains the DNS packet.
  Category: Operational
  Type: Error
  Sample Log Message: The log format for this event is supported by the LogLogic Appliance,

Row 18
  ID: 5511
  Agile Reports/Search: Search
  Title/Comments: The DNS server encountered a name with a label whose length exceeds the maximum of 63 bytes from %1. The event data contains the DNS packet.
  Category: Operational
  Sample Log Message: The log format for this event is supported by the LogLogic Appliance,

Row 19
  ID: 409
  Agile Reports/Search: Search
  Title/Comments: The DNS server list of restricted interfaces contains IP addresses that are not configured for use at the server computer. Use the DNS manager server properties, interfaces dialog, to verify and reset the IP addresses the DNS server should listen on. ID: 412 Description: The DNS server is bound to a large number of IP addresses. Each of these server IP addresses consumes additional system resources and can add a slight increase in performance overhead for DNS query reception. In most cases, you can remove secondary IP addresses that are not required to support server networking hardware.
  Category: Operational
  Sample Log Message: <13>Feb 21 17:39:35 10.116.28.222 MSWinLog 0 DNS Server 17888 Mon Feb 19 16:14:26 2007 409 DNS Unknown User N/A Warning WIPRO-LOG-222 None 0000: 50 25 00 00 P%.. The DNS server list of restricted interfaces contains IP addresses that are not configured for use at the server computer. Use the DNS manager server properties, interfaces dialog, to verify and reset the IP addresses the DNS server should listen on. ID: 412 Description: The DNS server is bound to a large number of IP addresses.each of these server IP addresses consumes additional system resources and can add a slight increase in performance overhead for DNS query reception. In most cases, you can remove secondary IP addresses that are not equired to support server networking hardware. 101

Row 20
  ID: 412
  Agile Reports/Search: Search
  Title/Comments: The DNS server is bound to a large number of IP addresses. Each of these server IP addresses consumes additional system resources and can add a slight increase in performance overhead for DNS query reception. In most cases, you can remove secondary IP addresses that are not required to support server networking hardware. For more information, see "Configuring multihomed servers" in the online Help.
  Category: Operational
  Sample Log Message: <13>Feb 21 17:39:35 10.116.28.222 MSWinLog 0 DNS Server 17888 Mon Feb 19 16:14:26 2007 412 DNS Unknown User N/A Warning WIPRO-LOG-222 None 0000: 50 25 00 00 P%.. The DNS server is bound to a large number of IP addresses.each of these server IP addresses consumes additional system resources and can add a slight increase in performance overhead for DNS query reception. In most cases, you can remove secondary IP addresses that are not required to support server networking hardware. For more information, see "Configuring multihomed servers" in the online Help 101

Row 21
  ID: 3000
  Agile Reports/Search: Search
  Title/Comments: The DNS server has encountered numerous run-time events. To determine the initial cause of these run-time events, examine the DNS server event log entries that precede this event. To prevent the DNS server from filling the event log too quickly, subsequent events with IDs higher than 3000 will be suppressed until events are no longer being generated at a high rate.
  Category: Operational
  Sample Log Message: <13>Feb 13 12:32:24 10.116.28.102 MSWinLog 0 DNS Server 59796 Thu Jan 18 14:53:35 2007 3000 DNS Unknown User N/A Warning LOGLOGIC-SRV1 None The DNS server has encountered numerous run-time events. To determine the initial cause of these run-time events, examine the DNS server event log entries that precede this event. To prevent the DNS server from filling the event log too quickly, subsequent events with IDs higher than 3000 will be suppressed until events are no longer being generated at a high rate. 1216

Row 22
  ID: 4013
  Agile Reports/Search: Search
  Title/Comments: The DNS server was unable to open the Active Directory. This DNS server is configured to use directory service information and can not operate without access to the directory. The DNS server will wait for the directory to start. If the DNS server is started but the appropriate event has not been logged, then the DNS server is still waiting for the directory to start.
  Category: Operational
  Type: Error
  Sample Log Message: <13>Feb 21 17:39:35 10.116.28.222 MSWinLog 0 DNS Server 4013 Mon Feb 19 16:14:26 2007 7062 DNS Unknown User N/A Warning WIPRO-LOG-222 None 0000: 50 25 00 00 P%.. The DNS server was unable to open the Active Directory. This DNS server is configured to use directory service information and can not operate without access to the directory. The DNS server will wait for the directory to start. If the DNS server is started but the appropriate event has not been logged, then the DNS server is still waiting for the directory to start.. 102

Row 23
  ID: 4515
  Agile Reports/Search: Search
  Title/Comments: The zone %1 was previously loaded from the directory partition %2 but another copy of the zone has been found in directory partition %3. The DNS Server will ignore this new copy of the zone. Please resolve this conflict as soon as possible. If an administrator has moved this zone from one directory partition to another this may be a harmless transient condition. In this case, no action is necessary. The deletion of the original copy of the zone should soon replicate to this server. If there are two copies of this zone in two different directory partitions but this is not a transient caused by a zone move operation then one of these copies should be deleted as soon as possible to resolve this conflict.
  Category: Operational
  Sample Log Message: The log format for this event is supported by the LogLogic Appliance,

Row 24
  ID: 5051
  Agile Reports/Search: Search
  Title/Comments: The DNS server is using a large amount of memory. The data is the current memory allocated.
  Category: Operational
  Sample Log Message: <13>Feb 21 17:39:35 10.116.28.222 MSWinLog 0 DNS Server 17888 Mon Feb 19 16:14:26 2007 5051 DNS Unknown User N/A Warning WIPRO-LOG-222 None 0000: 50 25 00 00 P%.. The DNS server is using a large amount of memory. The data is the current memory allocated. 101

Row 25
  ID: 6003
  Agile Reports/Search: Search
  Title/Comments: The DNS server received a request from %1 for a UDP-based transfer of the entire zone. The request was ignored because full zone transfers must be made using TCP.
  Category: Operational
  Sample Log Message: <13>Feb 21 17:39:35 10.116.28.222 MSWinLog 0 DNS Server 17888 Mon Feb 19 16:14:26 2007 6003 DNS Unknown User N/A Warning WIPRO-LOG-222 None 0000: 50 25 00 00 P%.. The DNS server received a request from 10.116.28.55 for a UDP-based transfer of the entire zone. The request was ignored because full zone transfers must be made using TCP 101
ID Agile Reports/ Search Title/Comments Category Type Sample Log Message 26 6004 Search The DNS server received a zone transfer request from %1 for a non-existent or non-authoritative zone %2. 27 6526 Search Zone %1 version %2 is newer than version %3 on DNS server at %4. The zone was not updated. DNS servers supplying zones for transfer must have the most recent version of the zone, based on the primary zone. If zone on remote server %4, is in fact the most recent version of the zone, do the following at that server: (1) stop the DNS server, (2) delete the zone file (not the zone itself) and (3) restart the DNS server The DNS server will transfer the new version and write its zone file. When deleting the zone file at server %4, locate the file named %1.dns in the %SystemRoot%\System32\Dns directory and delete it. An alternative solution is to delete and recreate the secondary zone at server %4. This could be preferred if this server hosts large zones and restarting it at this time would be a consuming or costly operation. Operational The log format for this event is supported by the LogLogic Appliance, Operational The log format for this event is supported by the LogLogic Appliance, Microsoft DNS Log Configuration Guide 23
ID Agile Reports/ Search Title/Comments Category Type Sample Log Message 28 7062 Search The DNS server encountered a packet addressed to itself on IP address %1. The packet is for the DNS name "%2". The packet will be discarded. This condition usually indicates a configuration error. Check the following areas for possible self-send configuration errors: 1) Forwarders list. (DNS servers should not forward to themselves). 2) Master lists of secondary zones. 3) Notify lists of primary zones. 4) Delegations of subzones. Must not contain NS record for this DNS server unless subzone is also on this server. 5) Root hints. Example of self-delegation: -> This DNS server dns1.example.microsoft.com is the primary for the zone example.microsoft.com. -> The example.microsoft.com zone contains a delegation of bar.example.microsoft.com to dns1.example.microsoft.com, (bar.example.microsoft.com NS dns1.example.microsoft.com) -> BUT the bar.example.microsoft.com zone is NOT on this server. Note, you should make this delegation check (with nslookup or DNS manager) both on this DNS server and on the server(s) you delegated the subzone to. It is possible that the delegation was done correctly, but that the primary DNS for the subzone, has any incorrect NS record pointing back at this server. If this incorrect NS record is cached at this server, then the self-send could result. If found, the subzone DNS server admin should remove the offending NS record. You can use the DNS server debug logging facility to track down the cause of this problem. Operational <13>Feb 21 17:39:35 10.116.28.222 MSWinLog 0 DNS Server 17888 Mon Feb 19 16:14:26 2007 7062 DNS Unknown User N/A Warning WIPRO-LOG-222 None 0000: 50 25 00 00 P%.. The DNS server encountered a packet addressed to itself on IP address 10.116.28.222. The packet is for the DNS name "_ldap._tcp.pdc._msdcs.dnsdhcp.com.". The packet will be discarded. This condition usually indicates a configuration error. 
Check the following areas for possible self-send configuration errors: 1) Forwarders list. (DNS servers should not forward to themselves). 2) Master lists of secondary zones. 3) Notify lists of primary zones. 4) Delegations of subzones. Must not contain NS record for this DNS server unless subzone is also on this server. 5) Root hints. Example of self-delegation: -> This DNS server dns1.example.microsoft.com is the primary for the zone example.microsoft.com. -> The example.microsoft.com zone contains a delegation of bar.example.microsoft to dns1.example.microsoft.com, (bar.example.microsoft.com NS dns1.example.microsoft.com) -> BUT the bar.example.microsoft.com zone is NOT on this server. Note, you should make this delegation check (with nslookup or DNS manager) both on this DNS server and on the server(s) you delegated the subzone to. It is possible that the delegation was done correctly, but that the primary DNS for the subzone, has any incorrect NS record pointing back at this server. If this incorrect NS record is cached at this server, then the self-send could result. If found, the subzone DNS server admin should remove the offending NS record. You can use the DNS server debug logging facility to track down the cause of this problem. 111 24 Microsoft DNS Log Configuration Guide
ID Agile Reports/ Search Title/Comments Category Type Sample Log Message 29 9999 Search The DNS server has encountered numerous run-time events. To determine the initial cause of these run-time events, examine the DNS server event log entries that preceded these run-time events. The data is the number of events that have been suppressed in the last 60 minute interval. 30 707 Search The DNS server is not root authoritative and no root hints were specified in the cache.dns file. Where the server is not a root server, this file must specify root hints in the form of at least one name server (NS) resource record, indicating a root DNS server and a corresponding host (A) resource record for that root DNS server. Otherwise, the DNS server will be unable to contact the root DNS server on startup and will be unable to answer queries for names outside of its own authoritative zones. To correct this problem, use the DNS console to update the server root hints. 31 1541 Search The DNS server encountered invalid domain name "%1" in zone file %2 at line %3. Although the DNS server continues to load, ignoring this name, it is strongly recommended that you either correct the name or remove the resource record from the zone file, which is located in the %SystemRoot%\System32\Dns directory. 32 1542 Search The DNS server encountered invalid domain name "%1". Operational <13>Feb 20 12:11:02 10.116.28.200 MSWinLog 0 DNS Server 11538 Tue Feb 20 12:08:51 2007 9999 DNS Unknown User N/A Error LAB-2003-200 None 0000: 2a 23 00 00 *#.. The DNS server has encountered numerous run-time events. To determine the initial cause of these run-time events, examine the DNS server event log entries that preceded these run-time events. The data is the number of events that have been suppressed in the last 60 minute interval. 160 Operational Error <13>Feb 20 12:11:02 10.116.28.200 MSWinLog 0 DNS Server 11538 Tue Feb 20 12:08:51 2007 707 DNS Unknown User N/A Error LAB-2003-200 None 0000: 2a 23 00 00 *#.. 
The DNS server is not root authoritative and no root hints were specified in the cache.dns file. Where the server is not a root server, this file must specify root hints in the form of at least one name server (NS) resource record, indicating a root DNS server and a corresponding host (A) resource record for that root DNS server. Otherwise, the DNS server will be unable to contact the root DNS server on startup and will be unable to answer queries for names outside of its own authoritative zones. To correct this problem, use the DNS console to update the server root hints. 160 Operational Error The log format for this event is supported by the LogLogic Appliance, Operational Error <13>Feb 20 12:11:02 10.116.28.200 MSWinLog 0 DNS Server 11538 Tue Feb 20 12:08:51 2007 1542 DNS Unknown User N/A Error LAB-2003-200 None 0000: 2a 23 00 00 *#.. The DNS server encountered invalid domain name "dhcp.com" 160 Microsoft DNS Log Configuration Guide 25
ID Agile Reports/ Search Title/Comments Category Type Sample Log Message 33 1543 Search The DNS server encountered domain name "%1" exceeding maximum length. Although the DNS server continues to load, ignoring this name, it is recommended that you either correct the name or remove the resource record from the zone file, which is located in the %SystemRoot%\System32\Dns directory. 34 1544 Search The DNS server encountered an invalid "@" token "%1" in zone file %2 at line %3. Although the DNS server continues to load, ignoring this token, it is recommended that you either correct the token or remove the resource record from the zone file. The zone file is located in the %SystemRoot%\System32\Dns directory. 35 1545 Search The DNS server encountered a name outside of the specified zone in zone file %1 at line %2. Although the DNS server continues to load, ignoring this resource record (RR), it is recommended that you either correct the RR or remove it from the zone file, which is located in the %SystemRoot%\System32\Dns directory. 36 1546 Search The DNS server encountered an invalid name server (NS) resource record in zone file %1 at line %2. The use of NS resource records (RR) must be at either the zone root node or be placed at at the sub-zone context within the zone for a domain being delegated away from this zone. Although the DNS server continues to load, ignoring this RR, it is recommended that you either correct the RR or remove it from the zone file. The zone file is located in the %SystemRoot%\System32\Dns directory. Operational Error The log format for this event is supported by the LogLogic Appliance, Operational Error The log format for this event is supported by the LogLogic Appliance, Operational Error The log format for this event is supported by the LogLogic Appliance, Operational Error The log format for this event is supported by the LogLogic Appliance, 26 Microsoft DNS Log Configuration Guide
ID Agile Reports/ Search Title/Comments Category Type Sample Log Message 37 1547 Search The DNS server encountered an invalid host (A) resource record in zone file %1 at line %2. The use of A resource records (RRs) must be at a domain name within the zone, with the exception of glue A RRs which are used to resolve the host name specified in an NS RR also contained at the same domain node and used for a zone delegation. Although the DNS server continues to load, ignoring this RR, it is strongly recommended that you either correct this RR or remove it from the zone file. The zone file is located in the %SystemRoot%\System32\Dns directory. 38 1600 Search The DNS server encountered an unknown or unsupported resource record (RR) type %1 in zone file %2 at line %3. Although the DNS server continues to load, ignoring this RR, it is recommended that you either correct the record type or remove this RR from the zone file. The zone file is located in the %SystemRoot%\System32\Dns directory. 39 1602 Search The DNS server encountered an invalid SOA (Start Of Authority) resource record (RR) in file %1 at line %2. An SOA record is required in every zone files and must satify the following conditions: 1) The SOA record must be the first record in the zone file. 2) The SOA record must belong to the root of the zone ("@" in zone file). 3) Only one SOA is allowed in the zone. 4) SOA records are NOT valid in root-hints (cache.dns) file. To correct the problem modify or repair the SOA RR in zone file %1, which can be found in the %SystemRoot%\System32\Dns directory. Operational Error The log format for this event is supported by the LogLogic Appliance, Operational Error The log format for this event is supported by the LogLogic Appliance, Operational Error The log format for this event is supported by the LogLogic Appliance, Microsoft DNS Log Configuration Guide 27
ID Agile Reports/ Search Title/Comments Category Type Sample Log Message 40 1616 Search The DNS server encountered a text string "%1" in zone file %2 at line %3 that exceeds the maximum permissible length. Although the DNS server continues to load, ignoring this resource record (RR), it is strongly recommended that you either correct this RR or remove it from the zone file. The zone file is located in the %SystemRoot%\System32\Dns directory. 41 1617 Search The DNS server encountered an invalid IP address "%1" in zone file %2 at line %3. Although the DNS server continues to load, ignoring this resource record (RR), it is recommended that you either correct this RR or remove it from the zone file. The zone file is located in the %SystemRoot%\System32\Dns directory. Operational Error The log format for this event is supported by the LogLogic Appliance, Operational Error The log format for this event is supported by the LogLogic Appliance, 42 1618 Search The DNS server encountered an invalid IPv6 address "%1" in zone file %2 at line %3. Although the DNS server continues to load, ignoring this resource record (RR), it is recommended that you either correct this RR or remove it from the zone file. The zone file is located in the %SystemRoot%\System32\Dns directory. Operational Error The log format for this event is supported by the LogLogic Appliance, 43 1619 Search The DNS server could not find protocol "%1" specified for the well known service (WKS) resource record (RR) in zone file %2 at line %3. Although the DNS server continues to load, ignoring this RR, it is strongly recommended that you either correct this WKS RR or remove it from the zone file. The zone file is located in the %SystemRoot%\System32\Dns directory. Operational Error The log format for this event is supported by the LogLogic Appliance, 28 Microsoft DNS Log Configuration Guide
ID Agile Reports/ Search Title/Comments Category Type Sample Log Message 44 1620 Search The DNS server could not find the service "%1" specified for the well known service (WKS) resource record (RR) in zone file %2 at line %3. Although the DNS server continues to load, ignoring this RR, it is recommended that you either correct this WKS RR or remove it from the zone file. The zone file is located in the %SystemRoot%\System32\Dns directory. Operational Error <13>Feb 20 12:11:02 10.116.28.200 MSWinLog 0 DNS Server 11538 Tue Feb 20 12:08:51 2007 3151 DNS Unknown User N/A Error LAB-2003-200 None 0000: 2a 23 00 00 *#.. The DNS server could not find the service serv specified for the well known service (WKS) resource record (RR) in zone file file1 at line 4. Although the DNS server continues to load, ignoring this RR, it is recommended that you either correct this WKS RR or remove it from the zone file. The zone file is located in the %SystemRoot%\System32\Dns directory. 160 45 1621 Search The DNS server encountered the port "%1" specified for the well known service (WKS) resource record (RR) in zone file %2 at line %3. This port exceeds the maximum port supported for the WKS RR. Although the DNS server continues to load, ignoring this RR, it is strongly recommended that you either correct this WKS RR or remove it from the zone file. The zone file is located in the %SystemRoot%\System32\Dns directory. Operational Error The log format for this event is supported by the LogLogic Appliance, 46 3151 Search The DNS server unable to write zone file %1 for zone %2. Most likely the server disk is full. Free some disk space and re-initiate zone write. Operational Error <13>Feb 20 12:11:02 10.116.28.200 MSWinLog 0 DNS Server 11538 Tue Feb 20 12:08:51 2007 3151 DNS Unknown User N/A Error LAB-2003-200 None 0000: 2a 23 00 00 *#.. The DNS server unable to write zone file file1 for zone DNSDHCP.com. Most likely the server disk is full. Free some disk space and re-initiate zone write. 
160 Microsoft DNS Log Configuration Guide 29
ID Agile Reports/ Search Title/Comments Category Type Sample Log Message 47 3153 Search The DNS server encountered an error writing to file. Most likely the server disk is full. Free some disk space at the server and re-initiate zone write. Operational Error <13>Feb 20 12:11:02 10.116.28.200 MSWinLog 0 DNS Server 11538 Tue Feb 20 12:08:51 2007 3153 DNS Unknown User N/A Error LAB-2003-200 None 0000: 2a 23 00 00 *#.. The DNS server encountered an error writing to file. Most likely the server disk is full. Free some disk space at the server and re-initiate zone write. 161 48 3160 Search The DNS server encountered an non-writeable or unknown resource record (RR) type when writing the zone database to file.the event data is applicable RR type. Operational Error <13>Feb 20 12:11:02 10.116.28.200 MSWinLog 0 DNS Server 11538 Tue Feb 20 12:08:51 2007 3160 DNS Unknown User N/A Error LAB-2003-200 None 0000: 2a 23 00 00 *#.. The DNS server encountered an non-writeable or unknown resource record (RR) type when writing the zone database to file.the event data is applicable RR type. 160 49 3162 Search The DNS server encountered an unknown protocol writing a well known service (WKS) resource record to the zone file. The event data is applicable the protocol number. Operational Error <13>Feb 20 12:11:02 10.116.28.200 MSWinLog 0 DNS Server 11538 Tue Feb 20 12:08:51 2007 3162 DNS Unknown User N/A Error LAB-2003-200 None 0000: 2a 23 00 00 *#.. The DNS server encountered an unknown protocol writing a well known service (WKS) resource record to the zone file. The event data is applicable the protocol number. 161 50 3163 Search The DNS server encountered an unknown service port writing a well known service (WKS) resource record to the zone file. The event data is applicable the port. Operational Error <13>Feb 20 12:11:02 10.116.28.200 MSWinLog 0 DNS Server 11538 Tue Feb 20 12:08:51 2007 3163 DNS Unknown User N/A Error LAB-2003-200 None 0000: 2a 23 00 00 *#.. 
The DNS server encountered an unknown service port writing a well known service (WKS) resource record to the zone file. The event data is applicable the port. 168 30 Microsoft DNS Log Configuration Guide
ID Agile Reports/ Search Title/Comments Category Type Sample Log Message 51 4000 Search The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code. Operational Error <13>Feb 20 12:11:02 10.116.28.200 MSWinLog 0 DNS Server 11538 Tue Feb 20 12:08:51 2007 4000 DNS Unknown User N/A Error LAB-2003-200 None 0000: 2a 23 00 00 *#.. The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code. 165 52 4016 Search The DNS server timed out attempting an Active Directory service operation on %1. Check Active Directory to see that it is functioning properly. The event data contains the error. Operational Error <13>Feb 20 12:11:02 10.116.28.200 MSWinLog 0 DNS Server 11538 Tue Feb 20 12:08:51 2007 4016 DNS Unknown User N/A Error LAB-2003-200 None 0000: 2a 23 00 00 *#.. The DNS server timed out attempting an Active Directory service operation on server1. Check Active Directory to see that it is functioning properly. The event data contains the error. 169 53 7502 Search The DNS server was unable to service a client request due a shortage of available memory. Close any applications not in use or reboot the computer to free memory. Operational Error <13>Feb 20 12:11:02 10.116.28.200 MSWinLog 0 DNS Server 11538 Tue Feb 20 12:08:51 2007 7502 DNS Unknown User N/A Error LAB-2003-200 None 0000: 2a 23 00 00 *#.. The DNS server was unable to service a client request due a shortage of available memory. Close any applications not in use or reboot the computer to free memory. 
169 54 7503 Search The DNS server could not allocate memory for resource record %1. Close any applications not in use or reboot the computer to free memory. Operational Error <13>Feb 20 12:11:02 10.116.28.200 MSWinLog 0 DNS Server 11538 Tue Feb 20 12:08:51 2007 7503 DNS Unknown User N/A Error LAB-2003-200 None 0000: 2a 23 00 00 *#.. The DNS server could not allocate memory for resource record 2443. Close any applications not in use or reboot the computer to free memory. 169 Microsoft DNS Log Configuration Guide 31
ID Agile Reports/ Search Title/Comments Category Type Sample Log Message 55 7504 Search The DNS server could not allocate memory for the node of domain name %1.Close any applications not in use or reboot the computer to free memory. Operational Error <13>Feb 20 12:11:02 10.116.28.200 MSWinLog 0 DNS Server 11538 Tue Feb 20 12:08:51 2007 7504 DNS Unknown User N/A Error LAB-2003-200 None 0000: 2a 23 00 00 *#.. The DNS server could not allocate memory for the node of domain name DNSDHCP.com.Close any applications not in use or reboot the computer to free memory. 169 32 Microsoft DNS Log Configuration Guide
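The sample messages above all share one layout: a syslog envelope, the Windows event header fields, an optional hex data dump, then the event text with the %1, %2 ... parameters from the Title/Comments column filled in. The following parser is an added example, not LogLogic's or Microsoft's code; it splits that layout into fields, recovers the %n parameters by matching the message against the guide's template text, and groups the event IDs listed in this appendix into triage buckets. The field order is an assumption read off the samples in this table, and the three input lines are constructed from those samples (the trailing table value after each sample is omitted).

```python
"""Parse MSWinLog-style DNS Server event lines as listed in Appendix A.

Added example, not LogLogic's or Microsoft's code. Field layout (assumed
from the guide's samples): syslog PRI and timestamp, IP of the host that
relayed the event, literal "MSWinLog 0", log name, record number, event
time, Windows event ID, source, user, "N/A", severity, computer name,
"None", optional 4-byte hex dump, then the message text.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<syslog_ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<relay>\S+) MSWinLog (?P<flag>\d+) (?P<log>DNS Server) (?P<record>\d+) "
    r"(?P<event_ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<event_id>\d+) (?P<source>\S+) (?P<user>.+?) N/A (?P<severity>\w+) "
    r"(?P<computer>\S+) (?P<category>\S+) (?P<message>.*)$"
)
# Most samples carry "0000: 50 25 00 00 P%.." before the text; event 3000 does not.
DUMP_RE = re.compile(r"^[0-9a-fA-F]{4}:(?: [0-9a-fA-F]{2})+ \S+ ")

# Message templates copied from the Title/Comments column of this appendix.
TEMPLATES: Dict[int, str] = {
    6003: "The DNS server received a request from %1 for a UDP-based transfer of the entire zone. The request was ignored because full zone transfers must be made using TCP.",
    4016: "The DNS server timed out attempting an Active Directory service operation on %1. Check Active Directory to see that it is functioning properly. The event data contains the error.",
    7503: "The DNS server could not allocate memory for resource record %1. Close any applications not in use or reboot the computer to free memory.",
    1620: 'The DNS server could not find the service "%1" specified for the well known service (WKS) resource record (RR) in zone file %2 at line %3. Although the DNS server continues to load, ignoring this RR, it is recommended that you either correct this WKS RR or remove it from the zone file. The zone file is located in the %SystemRoot%\\System32\\Dns directory.',
}

# Triage buckets built from the event IDs this appendix lists.
TRIAGE = {
    "zone-transfer-request": {6003, 6004},
    "self-send-misconfiguration": {7062},
    "active-directory": {4000, 4013, 4016},
    "disk-full": {3151, 3153},
    "memory": {5051, 7502, 7503, 7504},
    "event-storm": {3000, 9999},
}


def _norm(text: str) -> str:
    """Collapse whitespace and drop a trailing period (the 6003 sample lacks one)."""
    return " ".join(text.split()).rstrip(".")


def _template_regex(template: str) -> "re.Pattern[str]":
    """Turn 'zone file %2 at line %3' into a regex with named groups p2, p3.
    Quotes around a placeholder are optional: the 1620 sample shows "serv" unquoted."""
    pieces = re.split(r"%(\d+)", _norm(template))
    out = []
    for i, piece in enumerate(pieces):
        if i % 2 == 0:  # literal text between placeholders
            out.append(re.escape(piece).replace('"', '"?'))
        else:           # placeholder number
            out.append(f"(?P<p{piece}>.+?)")
    return re.compile("".join(out))


def extract_params(event_id: int, message: str) -> Optional[Dict[str, str]]:
    """Return {'p1': ..., 'p2': ...} for a known event, else None."""
    template = TEMPLATES.get(event_id)
    if template is None:
        return None
    m = _template_regex(template).fullmatch(_norm(message))
    return m.groupdict() if m else None


@dataclass
class DnsEvent:
    relay_ip: str   # syslog sender, i.e. the host that forwarded the event
    computer: str   # Windows computer name of the DNS server itself
    event_id: int
    severity: str
    message: str
    params: Optional[Dict[str, str]]


def parse_line(line: str) -> Optional[DnsEvent]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    message = DUMP_RE.sub("", m.group("message"), count=1)
    event_id = int(m.group("event_id"))
    return DnsEvent(m.group("relay"), m.group("computer"), event_id,
                    m.group("severity"), message, extract_params(event_id, message))


def triage(event: DnsEvent) -> str:
    for label, ids in TRIAGE.items():
        if event.event_id in ids:
            return label
    return "other"


# Constructed input: three lines taken from the samples in this appendix.
SAMPLE_LINES = [
    "<13>Feb 21 17:39:35 10.116.28.222 MSWinLog 0 DNS Server 17888 Mon Feb 19 16:14:26 2007 6003 DNS Unknown User N/A Warning WIPRO-LOG-222 None 0000: 50 25 00 00 P%.. The DNS server received a request from 10.116.28.55 for a UDP-based transfer of the entire zone. The request was ignored because full zone transfers must be made using TCP",
    "<13>Feb 20 12:11:02 10.116.28.200 MSWinLog 0 DNS Server 11538 Tue Feb 20 12:08:51 2007 4016 DNS Unknown User N/A Error LAB-2003-200 None 0000: 2a 23 00 00 *#.. The DNS server timed out attempting an Active Directory service operation on server1. Check Active Directory to see that it is functioning properly. The event data contains the error.",
    "<13>Feb 13 12:32:24 10.116.28.102 MSWinLog 0 DNS Server 59796 Thu Jan 18 14:53:35 2007 3000 DNS Unknown User N/A Warning LOGLOGIC-SRV1 None The DNS server has encountered numerous run-time events. To determine the initial cause of these run-time events, examine the DNS server event log entries that precede this event.",
]

if __name__ == "__main__":
    for ev in map(parse_line, SAMPLE_LINES):
        print(ev.computer, ev.event_id, ev.severity, triage(ev), ev.params)
```

Two points worth keeping in mind when building searches on these events: the IP in the syslog envelope is the forwarding host, not necessarily the DNS server, so pivot on the Windows computer name; and for 6003 the extracted %1 is the peer that asked for a full zone transfer, which is the value to correlate against the list of secondaries expected to pull each zone.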