Question

Windows Server DNS Query Log

  • 15 March 2024
  • 1 reply
  • 97 views

Hi all,

I have configured my Windows Server 2022 DNS server to log DNS queries. We need those logs for security and possible forensic reasons.

The configuration is done in Windows Event Manager as described in DNS Logging and Diagnostics | Microsoft Learn. We are using LPAgent to collect other logs from this server. 

The result is an ETL file, which cannot be read from the event log with the im_msvistalog configuration of LPAgent. ETL cannot be read with the im_msvistalog plugin of LPAgent.

I have read that there is an NXLOG EE plugin im_etw out there which should be able to handle this file type, but we do not have the NXLog Enterprise Subscription. 

Is there any other option to collect the dns query logs from the server and import them into LogPoint?

Is there any best practice to handle Windows DNS server query logs (without using NXLog EE)?

Kind regards
Uwe


1 reply


Hello,

Unfortunately, ETL files are actually not trivial to read, and neither LPAgent nor AgentX can. There were some preliminary investigations, and there is a feature request, but out of the box, we can only read the textual debug log files.

I believe nxlog is one of the few solutions that can process the ETL files (although I haven’t seen it in action) - the relevant module isn’t part of the nxlog license that we can provide, so it would most likely need a purchase through them. 

Of course once nxlog processes the log file and sends it to us we can normalise it - we might already be able to do that and if not we could create it quickly.

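Since the reply says the collector can only read the textual debug log files, the practical route without the ETW module is to enable DNS debug logging to a text file and have the collector parse that. The Python below is an added example, not code from the thread, from LogPoint, or from Microsoft: it parses constructed sample lines in the packet layout of the Windows DNS Server debug log into structured records (timestamp, client, direction, query/response, flags, rcode, type, name) and counts received queries per client, keeping the longest label length as one field a detection rule can use. The field layout encoded in `LINE_RE`, the `SAMPLE_LOG` contents and all function names are assumptions; if a server's output differs, the regex is the only thing to adjust.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample (not taken from the original thread). The packet lines follow
# the layout the Windows DNS Server debug log uses for packet records: date, time,
# thread id, context, internal packet id, protocol, direction (Snd/Rcv), remote IP,
# XID, "R" on responses, "Q", [flags-hex flag-letters rcode], query type, and the
# queried name in length-prefixed label form. That layout is an assumption here.
SAMPLE_LOG = """\
DNS Server log file creation at 3/15/2024 10:23:40 AM

3/15/2024 10:23:45 AM 0A4C PACKET  000001E2A1B3C4D0 UDP Rcv 192.168.1.50    0001   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
3/15/2024 10:23:45 AM 0A4C PACKET  000001E2A1B3C4D0 UDP Snd 192.168.1.50    0001 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
3/15/2024 10:23:46 AM 0A4C PACKET  000001E2A1B3C4E8 UDP Rcv 192.168.1.77    beef   Q [0001   D   NOERROR] TXT    (32)0123456789abcdef0123456789abcdef(7)exfil-x(3)net(0)
3/15/2024 10:23:47 AM 0A4C PACKET  000001E2A1B3C4F0 TCP Rcv 192.168.1.50    0002   Q [0001   D   NOERROR] AAAA   (4)mail(7)example(3)com(0)
"""

# One packet line of the debug log. The time may or may not carry AM/PM
# depending on the server locale, and the flag letters may be absent.
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2}(?:\s+[AP]M)?)\s+"
    r"(?P<thread>[0-9A-Fa-f]+)\s+(?P<context>\S+)\s+(?P<packet>[0-9A-Fa-f]+)\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<direction>Snd|Rcv)\s+(?P<remote>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]{4})\s+(?P<response>R)?\s*Q\s+"
    r"\[(?P<flags_hex>[0-9A-Fa-f]{4})\s+(?:(?P<flags>[A-Z]+)\s+)?(?P<rcode>[A-Z]+)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<name>\S+)\s*$"
)
# "(3)www(7)example(3)com(0)" -> pairs of (declared length, label text)
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")


@dataclass
class DnsPacketRecord:
    timestamp: datetime
    thread_id: str
    protocol: str
    direction: str       # "Rcv" = packet arrived at the server, "Snd" = server sent it
    remote_ip: str
    xid: str
    is_response: bool
    flags: str
    rcode: str
    qtype: str
    qname: str
    max_label_len: int   # longest single label; unusually long labels are worth alerting on


def decode_labels(raw: str) -> List[str]:
    """Turn the length-prefixed label form into a list of labels, checking each length."""
    labels = []
    for length, label in LABEL_RE.findall(raw):
        if int(length) != len(label):
            raise ValueError(f"label length mismatch in {raw!r}")
        if label:                       # the trailing (0) is the root, not a label
            labels.append(label)
    return labels


def parse_timestamp(date: str, time: str) -> datetime:
    for fmt in ("%m/%d/%Y %I:%M:%S %p", "%m/%d/%Y %H:%M:%S"):
        try:
            return datetime.strptime(f"{date} {time}", fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp {date} {time}")


def parse_line(line: str) -> Optional[DnsPacketRecord]:
    """Parse one debug-log line; header, blank and non-packet lines yield None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    labels = decode_labels(m["name"])
    return DnsPacketRecord(
        timestamp=parse_timestamp(m["date"], m["time"]),
        thread_id=m["thread"],
        protocol=m["proto"],
        direction=m["direction"],
        remote_ip=m["remote"],
        xid=m["xid"].lower(),
        is_response=m["response"] == "R",
        flags=m["flags"] or "",
        rcode=m["rcode"],
        qtype=m["qtype"],
        qname=".".join(labels) or ".",
        max_label_len=max((len(l) for l in labels), default=0),
    )


def parse_log(text: str) -> List[DnsPacketRecord]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def query_counts_by_client(records: List[DnsPacketRecord]) -> Dict[str, int]:
    """Count queries received from each client (responses and outbound packets excluded)."""
    counts: Dict[str, int] = {}
    for r in records:
        if r.direction == "Rcv" and not r.is_response:
            counts[r.remote_ip] = counts.get(r.remote_ip, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(f"{r.timestamp:%Y-%m-%dT%H:%M:%S} {r.remote_ip} {r.direction} "
              f"{'resp' if r.is_response else 'query'} {r.qtype} {r.qname} "
              f"rcode={r.rcode} max_label={r.max_label_len}")
    print("queries per client:", query_counts_by_client(recs))
```

Pointing `parse_log` at the file the server writes gives the collector a flat record per packet that a normaliser can map field by field; decoding the label form on the way in matters because the raw `(3)www(7)example(3)com(0)` text does not match the hostname fields other sources produce.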