EventID 520 DNSServer/audit logs

  • Question

  • I am trying to decipher PTR record deletions via the DNSServer/audit.  On Server 2012 the information seems to be logged in eventid 520.  A record deletions (logged as type 1) show the DNS entry hostname that is being deleted.  PTR records however (logged as type 12) do not seem to have this information.  For the name they include only an arbitrary 2 or 3 digit number along with the zone where the record was deleted.  Is there any way to decipher what entry was deleted?
    Friday, September 27, 2019 10:14 PM

Answers

  • I think I actually figured it out.  The 520 event does show it correctly.  The number is the last octet of the record. I was able to determine that the machine was deleting its own record.
    • Marked as answer by Misha Rudiy Wednesday, October 16, 2019 1:34 AM
    Wednesday, October 16, 2019 1:34 AM
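
The reconstruction described in the answer, as an added example that is not part of the original thread: the logged PTR name is the host part of the address and the reverse zone supplies the remaining octets. The dictionary keys `type`, `name` and `zone` and the sample events are constructed stand-ins for the values the thread says event 520 carries, not the real event schema; the code also goes beyond the thread's /24 case by handling names with more than one label (for example in a /16 reverse zone).

```python
import ipaddress

PTR_TYPE = 12  # record type the thread reports for PTR deletions in event 520
SUFFIX = ".in-addr.arpa"


def ptr_owner_to_ip(name, zone):
    """Rebuild the IPv4 address from a PTR name relative to its reverse zone."""
    zone = zone.rstrip(".").lower()
    if not zone.endswith(SUFFIX):
        raise ValueError("not an IPv4 reverse zone: " + zone)
    name = name.rstrip(".").lower()
    # Tolerate a fully qualified owner name by stripping the zone part.
    if name.endswith("." + zone):
        name = name[: -len(zone) - 1]
    # Reverse zones store octets backwards: host labels first, then zone labels.
    labels = name.split(".") + zone[: -len(SUFFIX)].split(".")
    if len(labels) != 4:
        raise ValueError("name and zone do not form four octets: %r" % (labels,))
    # IPv4Address rejects non-numeric or out-of-range octets (ValueError subclass).
    return str(ipaddress.IPv4Address(".".join(reversed(labels))))


def deleted_ptr_addresses(events):
    """Return the addresses whose PTR records were deleted, in log order."""
    return [
        ptr_owner_to_ip(ev["name"], ev["zone"])
        for ev in events
        if int(ev["type"]) == PTR_TYPE
    ]


# Constructed sample events (documentation address ranges, hypothetical field names).
SAMPLE_EVENTS = [
    {"type": 1, "name": "ws-0457", "zone": "corp.example"},       # A record
    {"type": 12, "name": "57", "zone": "2.0.192.in-addr.arpa"},   # /24 zone
    {"type": 12, "name": "14.100", "zone": "51.198.in-addr.arpa"},  # /16 zone
]

if __name__ == "__main__":
    for ip in deleted_ptr_addresses(SAMPLE_EVENTS):
        print("PTR deleted for", ip)
```
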

All replies

  • Hi,

    Thanks for your question.

    For research, I set up a test environment the same as yours.

    Exactly, we can only observe that an A record has a delete value when it is deleted and logged in the auditing event 4662 under the section "Windows logs > Security > Audit Success". A PTR record deletion can be recorded, but there's no delete value, only read and write operations.

    But we can still see that a PTR record was deleted from event ID 516, as below. This event is logged under "Event viewer > Applications and Services > Microsoft > Windows > DNS-Server > Audit".

    Then we could audit this PTR deletion operation by going through the two events.

    Hope this helps. If you have any question or concern, please feel free to let me know.

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, September 30, 2019 7:29 AM
  • Hi,
    Could the above reply be of help? If yes, you may mark it as the answer; if not, feel free to give feedback.


    Best Regards,
    Michael



    Tuesday, October 8, 2019 7:19 AM
  • I'm glad that the issue was resolved successfully.

    Thanks for your sharing and support.

    Have a nice day!

    Best regards,

    Michael



    Wednesday, October 16, 2019 10:21 AM