When you attempt to view an enabled Analytical log in Event Viewer, you receive the following error:
Query Error - The requested operation cannot be performed over an enabled direct channel. The channel must first be disabled before performing the requested operation.
The Analytical log is a direct (ETW-backed) channel, so it cannot be read while it is enabled. You can either disable it and then read it, or skip the channel entirely and consume the DNS Server ETW provider directly. The rest of this section takes the second route.
Viewing the Logs with Message Analyzer
I am going to use Microsoft Message Analyzer, the successor to Network Monitor (NetMon). It does far more than network captures: it is also an Event Tracing for Windows (ETW) consumer, which is the capability we need here. logman and tracelog are options as well, but I prefer Message Analyzer because it displays events as it collects them and has a powerful filtering engine for narrowing the results to just what you need to see. Message Analyzer can be downloaded from the following location: https://www.microsoft.com/en-us/download/details.aspx?id=44226 Let's fire up Message Analyzer and check out the logs.
- Select New Session to get started.
- From the New Session window, select Live Trace.
- Select the Add Providers button, select the Microsoft-Windows-DNSServer provider from the list, click the Add To button and then click OK. Note: the easiest way to find the DNS provider is to use the search box at the top of the Providers list.
- Click the Start button to begin the capture.
- Depending on the speed of the system you are working on, it may take some time for events to start populating. When they do, you will need to apply a filter to reduce the displayed events to a manageable result. Filtering is where the power of Message Analyzer lies; the product has a very extensive filtering engine. Enter the following text in the Filter box and click Apply.
!Windows_Kernel_Trace and (*Summary contains("QUERY_RECEIVED") or (*Summary contains("RESPONSE_")))
The filtered events should now show only query and response events from the DNS Server Analytical event log.
If you've never worked with Message Analyzer, the controls at the top of the screen manage the capture: you can let it run and accumulate, pause it, or stop it. Pausing the capture lets you resume it without losing its contents, whereas stopping and restarting the capture erases the existing contents. From there you can either save the results as captured or discard them, all without disturbing the DNS server itself, since you are consuming the ETW provider rather than enabling and disabling the Analytical channel.
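The same collection can be done without the GUI. The following is an added example, not code from the original post: it uses logman (one of the alternatives mentioned above) to consume the Microsoft-Windows-DNSServer provider into an .etl file, then replays the file with Get-WinEvent and applies the equivalent of the Message Analyzer filter shown above (drop non-DNS events, keep only QUERY_RECEIVED and RESPONSE_* events). The session name, output path and the test query name are assumptions chosen for the example; it must be run as an administrator on a server with the DNS Server role installed.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): collect Microsoft-Windows-DNSServer
# events with logman, then replay the .etl with Get-WinEvent and apply the same
# "QUERY_RECEIVED / RESPONSE_*" filter the post applies in Message Analyzer.
# Assumptions: run as administrator on a Windows DNS server; the session name,
# output path and test query name below are arbitrary choices for this example.

$SessionName = 'DnsAnalyticTrace'     # assumed session name
$Etl         = 'C:\Traces\dns.etl'    # assumed output path
$Provider    = 'Microsoft-Windows-DNSServer'

New-Item -ItemType Directory -Path (Split-Path $Etl) -Force | Out-Null

# 1. Start an ETW session that consumes the DNS Server provider directly, the way
#    Message Analyzer's Live Trace does. Keyword mask 0xFFFFFFFFFFFFFFFF and
#    level 5 (verbose) enable everything the provider emits; -ets starts it now
#    without creating a persistent data collector; -ow overwrites an old file.
logman create trace $SessionName -p $Provider 0xFFFFFFFFFFFFFFFF 5 -o $Etl -ow -ets | Out-Null

# 2. Generate a little traffic so the trace has something in it (constructed input:
#    a lookup against the local server; the name does not need to resolve).
Resolve-DnsName -Name 'www.example.com' -Server 127.0.0.1 -ErrorAction SilentlyContinue | Out-Null
Start-Sleep -Seconds 2

# 3. Stop the session; the .etl is closed and readable once this returns.
logman stop $SessionName -ets | Out-Null

# 4. Replay the trace. -Oldest is mandatory when Get-WinEvent reads .etl files.
$events = @(Get-WinEvent -Path $Etl -Oldest -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Warning "No events were decoded from $Etl (is the DNS Server role installed?)"
    return
}

# 5. Equivalent of the post's filter:
#      !Windows_Kernel_Trace  -> drop the session's own header/kernel events
#      *Summary contains ...  -> match on the formatted message, which begins
#                                with the event name (QUERY_RECEIVED, RESPONSE_SUCCESS, ...)
$dns = $events | Where-Object {
    $_.ProviderName -eq $Provider -and
    $_.Message -match '^(QUERY_RECEIVED|RESPONSE_)'
}

$dns |
    Select-Object TimeCreated, Id,
        @{ n = 'Event';  e = { ($_.Message -split ':', 2)[0] } },
        @{ n = 'Detail'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# Alternative if you enabled the Analytical channel in Event Viewer instead:
# it cannot be read while enabled (the "enabled direct channel" error above),
# so disable it first and then read the channel's own backing file:
#   wevtutil sl Microsoft-Windows-DNSServer/Analytical /e:false /q:true
#   Get-WinEvent -LogName Microsoft-Windows-DNSServer/Analytical -Oldest
```

Matching on the start of the formatted Message rather than on numeric event IDs keeps the script aligned with the post's Summary-based filter and avoids depending on an ID table; the ProviderName check plays the role of the `!Windows_Kernel_Trace` clause, because a logman session also writes its own header events into the file.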