andrew.dalbor (Outstanding Contributor)

DNS Event Packet?


Hey All,

While looking through DNS events generated from Microsoft Trace Log connectors, I noticed a HUGE number of events with the name "DNS Event Packet". These events have absolutely no information in them besides agent fields and some basic device fields. Does anyone have any idea what these should contain, if anything? If they are irrelevant, is there a decent way to filter them out? They seem quite noisy with no valuable information.

Attached a pic of what an event looks like.

Thanks!


Accepted Solution

kevquinlan (Honored Contributor)

Re: DNS Event Packet?


Hi,
"DNS Event Packet" is a default catch-all for any DNS submessages that start with "PACKET" and that aren't in the known format in the parser.

The event will parse the entire message to the message field. However, in your original picture you have aggregation turned on and the message field is unlikely to be an aggregation field (correctly), so in this instance you don't see the message field or the raw event (because there isn't one in an aggregated event).

If you want to look at it, then you can either temporarily turn off aggregation (be careful with DNS volume) and then you will see the raw event, or consider a temporary additional destination for that SmartConnector such as CSV, with no aggregation settings, and ensure the raw field is added to the fieldset.

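A toy model of the behaviour described in the accepted answer, added here as an example; it is not ArcSight's parser and not code from anyone in this thread. It feeds constructed Microsoft DNS debug-log lines through one known "PACKET" layout, drops everything else into a "DNS Event Packet" catch-all whose only populated field is message, and then shows why an aggregated view (which keeps only the aggregation keys plus a count) never shows that message. The PACKET field order, the event names other than "DNS Event Packet", and the CEF-style field names are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the Microsoft DNS debug-log layout (no real hosts or traffic).
SAMPLE_LOG = """\
2/13/2019 10:20:30 AM 0E28 PACKET  000000E5A5F3A8B0 UDP Rcv 10.0.0.5        0001   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
2/13/2019 10:20:30 AM 0E28 PACKET  000000E5A5F3A8B0 UDP Snd 10.0.0.5        0001 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
2/13/2019 10:20:31 AM 0E28 PACKET  000000E5A5F3A8B0 UDP Rcv 10.0.0.9        0002   Q [0001   D   NOERROR] AAAA   (4)mail(7)example(3)com(0)
2/13/2019 10:20:31 AM 0E28 PACKET  000000E5A5F3A8B0 UDP Rcv 10.0.0.9        0003 layout this parser does not recognise
2/13/2019 10:20:32 AM 0E28 PACKET  000000E5A5F3A8B0 TCP Rcv 10.0.0.9        0004 another unknown PACKET variant
"""

# Timestamp and thread-id prefix; everything after it is the "submessage" the parser classifies.
LINE_RE = re.compile(r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (?P<tid>[0-9A-F]{4}) (?P<sub>.*)$")
# The single PACKET layout this toy parser knows (assumed order: packet id, protocol, Snd/Rcv,
# remote IP, XID, optional R for response, opcode, [flags rcode], qtype, qname).
KNOWN_PACKET_RE = re.compile(
    r"^PACKET\s+[0-9A-F]+\s+(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<ip>\S+)\s+(?P<xid>[0-9a-fA-F]{4})\s+"
    r"(?P<resp>R)?\s*(?P<op>\S)\s+\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)

def labels_to_dotted(qname):
    """Turn the length-prefixed name '(3)www(7)example(3)com(0)' into 'www.example.com'."""
    return re.sub(r"\(\d+\)", ".", qname).strip(".")

def parse_line(line):
    """Map one log line to an event dict; None for lines whose submessage is not a PACKET."""
    m = LINE_RE.match(line.rstrip())
    if not m or not m.group("sub").startswith("PACKET"):
        return None
    sub = m.group("sub")
    k = KNOWN_PACKET_RE.match(sub)
    if k:  # known layout: individual fields are populated (these event names are made up)
        return {"name": "DNS Response" if k.group("resp") else "DNS Query",
                "sourceAddress": k.group("ip"), "queryType": k.group("qtype"),
                "requestUrl": labels_to_dotted(k.group("qname")), "message": None}
    # Catch-all: only the message field is populated, and it carries the whole submessage.
    return {"name": "DNS Event Packet", "sourceAddress": None, "queryType": None,
            "requestUrl": None, "message": sub}

def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]

def aggregate(events, keys=("name", "sourceAddress")):
    """Aggregated view: only the chosen key fields plus a count survive, so message vanishes."""
    return Counter(tuple(e[f] for f in keys) for e in events)

def drop_catch_all(events):
    """Filter for the original question: discard the noisy catch-all events before forwarding."""
    return [e for e in events if e["name"] != "DNS Event Packet"]
```

Inspect `parse_log(SAMPLE_LOG)` for the raw message text and `aggregate(...)` for the view the screenshot in the question would show; the catch-all rows are there only as a name and a count.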
9 Replies

Shaun (Acclaimed Contributor)

Re: DNS Event Packet?


Turn on raw event capture and see what the original message looks like.

andrew.dalbor (Outstanding Contributor)

Re: DNS Event Packet?


They don't contain any raw event data.

rkent1 (Acclaimed Contributor)

Re: DNS Event Packet?


Hi Andrew,

I think what Shaun was suggesting is that you go to the connector collecting the DNS events and turn on the preserveRawEvent flag. That way, in ESM you will be able to see the original message in the rawEvent column.

Were you saying that preserve raw event is already enabled and you're still not seeing anything in the rawEvent column in ESM?

Gayan (Acclaimed Contributor)

Re: DNS Event Packet?


Hi Andrew,

Did you try DNS Stop resolution on the SmartConnector?

Cheers

Gayan

andrew.dalbor (Outstanding Contributor)

Re: DNS Event Packet?


Hey Richard,

No raw event data is generated with these events even with raw event enabled.

Gayan,

Name resolution is disabled on these connectors, reverse lookups are disabled, and negative cache is enabled, which should effectively prevent almost all DNS lookups.

Gayan (Acclaimed Contributor)

Re: DNS Event Packet?


Hi Andrew,

Did you try a packet capture / tcpdump for that traffic to find out the exact originator or source of the DNS traffic? Since you mentioned there is no DNS resolution on the SmartConnector, that means the connector no longer originates DNS traffic.

Cheers

Gayan

andrew.dalbor (Outstanding Contributor)

Re: DNS Event Packet?


Thanks for the advice Gayan. This isn't actual DNS traffic, as it's reading from the DNS trace logs, so I don't believe a pcap would be of value.

andrew.dalbor (Outstanding Contributor)

Re: DNS Event Packet?


Thank you Kevin.  That information is quite helpful!
