To collect DNS Analytic logs using WinCollect, perform the following steps:
- Configure Windows to collect analytic logs
- Add an XPath query to the agent log source to collect the logs
Use Case – Collecting DNS Analytic Logs (Xpath)
To configure Windows to collect DNS Server analytic logs, perform the following in Event Viewer.
Prerequisite: if the DNS server is running Windows Server 2012 R2, download and install the hotfix from http://support.microsoft.com/kb/2956577 first.
1. Type eventvwr.msc at an elevated command prompt and press ENTER to open Event Viewer.
2. In Event Viewer, navigate to Applications and Services Logs\Microsoft\Windows\DNS-Server.
3. Right-click DNS-Server, point to View, and click Show Analytic and Debug Logs. The Analytical log is displayed.
4. Right-click Analytical and then click Properties.
5. Under When maximum event log size is reached, choose Do not overwrite events (Clear logs manually), select the Enable logging checkbox, and click OK when you are asked whether you want to enable this log. See the following example.
6. Click OK again to enable the DNS Server Analytic event log.
By default, analytic logs are written to the file: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-DNSServer%4Analytical.etl.
CAUTION: Step 5 is essential. If you do not set Do not overwrite events (Clear logs manually), the WinCollect agent cannot subscribe to the Analytical log. This is a limitation of the .etl format.
If step 5 is not completed, the following error appears in the agent debug log:
01-15 11:03:05.317 DEBUG Device.WindowsLog.W2K8.localhost.XPath : Error subscribing to <QueryList><Query Id="1" Path="Security"><Select Path="Microsoft-Windows-DNSServer/Analytical">*[System[Provider[@Name='Microsoft-Windows-DNSServer']]] and *[System[TimeCreated[@SystemTime > '2019-01-15T18:03:00.210645675Z']]]</Select></Query></QueryList> -- Error code 15022: The requested operation cannot be performed over an enabled direct channel. The channel must first be disabled before performing the requested operation.
Microsoft explains this error here
WARNING: When the event log is full, you must clear the log manually and restart the agent before collection resumes.
Add the XPath query to the WinCollect agent.
In the log source, add the following XPath:
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-DNSServer/Analytical">
    <Select Path="Microsoft-Windows-DNSServer/Analytical">*</Select>
  </Query>
</QueryList>
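The same channel configuration and XPath, done from an elevated PowerShell prompt so it can be scripted and verified before the WinCollect log source is created. This is an added example, not IBM or WinCollect code; it assumes wevtutil's /rt:true corresponds to the Event Viewer setting Do not overwrite events (Clear logs manually), and that /q:true suppresses the enable-channel confirmation prompt.

```powershell
# Added example: configure the DNS Server Analytical channel for an XPath
# subscriber such as WinCollect, then verify the result. Run elevated on the
# DNS server. Assumption: wevtutil /rt:true == "Do not overwrite events".
$channel = 'Microsoft-Windows-DNSServer/Analytical'

# 1. Disable first. Settings cannot be changed on an enabled analytic channel;
#    that "enabled direct channel" condition is what error 15022 reports.
wevtutil sl $channel /e:false

# 2. Retention true keeps existing events and discards new ones when the log
#    is full (Do not overwrite events). Auto-backup stays off.
wevtutil sl $channel /rt:true /ab:false

# 3. Re-enable the channel (/q:true assumed to suppress the prompt).
wevtutil sl $channel /e:true /q:true

# 4. Verify what the agent will see: enabled, and LogMode Retain.
$log = Get-WinEvent -ListLog $channel
if (-not $log.IsEnabled)        { throw "$channel is not enabled" }
if ($log.LogMode -ne 'Retain')  { throw "$channel LogMode is $($log.LogMode); expected Retain" }
if ($log.IsLogFull) { Write-Warning "$channel is full: clear it manually and restart the agent" }
"{0}: enabled={1} mode={2} size={3}/{4} bytes records={5}" -f `
    $channel, $log.IsEnabled, $log.LogMode, $log.FileSize, $log.MaximumSizeInBytes, $log.RecordCount

# 5. Run the same XPath the log source uses. Analytic logs must be read with
#    -Oldest. Events (or an empty result without an error) mean the agent's
#    subscription will succeed; error 15022 here means steps 1-2 did not apply.
$xpath = @"
<QueryList>
  <Query Id="0" Path="$channel">
    <Select Path="$channel">*</Select>
  </Query>
</QueryList>
"@
Get-WinEvent -FilterXml ([xml]$xpath) -Oldest -MaxEvents 5 |
    Select-Object TimeCreated, Id, Message
```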