Question

Windows Server DNS Query Log

  • 15 March 2024
  • 3 replies
  • 254 views

Hi all,

I have configured my windows 2022 dns server to log dns queries. We need those logs for security and possible forensic reasons. 

The configuration is done in Windows Event Manager as described in DNS Logging and Diagnostics | Microsoft Learn. We are using LPAgent to collect other logs from this server. 

The result is an etl file, which cannot be read from the eventlog with im_msvistalog configuration from LPAgent. etl cannot be read with the im_msvistalog plugin of LPAgent. 

I have read that there is an NXLOG EE plugin im_etw out there which should be able to handle this file type, but we do not have the NXLog Enterprise Subscription. 

Is there any other option to collect the dns query logs from the server and import them into LogPoint?

Is ther e any the best practice to handle windows dns server query logs (without using NXLOG EE)?

Kind regards
Uwe


3 replies

Userlevel 4
Badge +7

Hello,

Unfortunately, ETL files are actually not trivial to read, and neither LPAgent nor AgentX can. There were some priliminary investigations, and there is a feature request, but out of the box, we can only read the textual debug log files.

I believe nxlog is one of the few solutions that can process the ETL files (although I haven’t seen it in action) - the relevant module isn’t part of the nxlog license that we can provide, so it would most likely need a purchase through them. 

Of course once nxlog processes the log file and sends it to us we can normalise it - we might already be able to do that and if not we could create it quickly.

Userlevel 2

Hi I’m getting DNS in with the Nxlog agent from the DNS.log file just fine, configurer DNS server to create log, and pull it off.


Install NXLog Enterprise – Logpoint Service Desk

use this configuration.

 

## LB Forsikring logs til Eget LogPoint system v 5.0
## Basic logning + DNS
## Kai Gustafson 22/6-2021
## 64 Bit Version
define ROOT C:\Program Files\nxlog
ModuleDir %ROOT%\modules
CacheDir  %ROOT%\data
PidFile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
#define DNSLOG C:\Windows\Sysnative\dns\dns.log
define DNSLOG C:\Windows\System32\dns\dns.log

define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf

# Note that these two lines define constants only; the log file location
# is ultimately set by the `LogFile` directive (see below). The
# `MYLOGFILE` define is also used to rotate the log file automatically
# (see the `_fileop` block).
define LOGDIR %ROOT%\data
define MYLOGFILE %LOGDIR%\nxlog.log

# By default, `LogFile %MYLOGFILE%` is set in log4ensics.conf. This
# allows the log file location to be modified via NXLog Manager. If you
# are not using NXLog Manager, you can instead set `LogFile` below and
# disable the `include` line.
LogLevel    INFO
LogFile %MYLOGFILE%
#include %CONFDIR%\log4ensics.conf

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension _json>
    Module xm_json
</Extension>

# This block rotates `%MYLOGFILE%` on a schedule. Note that if `LogFile`
# is changed in managed.conf via NXLog Manager, rotation of the new
# file should also be configured there.
<Extension _fileop>
    Module  xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        <Exec>
            if ( file_exists('%MYLOGFILE%') and
                 (file_size('%MYLOGFILE%') >= 5M) )
            {
                 file_cycle('%MYLOGFILE%', 8);
            }
        </Exec>
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
    </Schedule>
</Extension>

#Internal NXlog messages
<Input Internal>
    Module im_internal
</Input>

<Input dnslog>
  Module       im_file
  File         %DNSLOG%
  SavePos      True
  ReadFromLast True
  InputType    LineBased
  exec         $Message = $raw_event;
</Input>

<Input EventLog>
    Module im_msvistalog
# By default we collect 'Application', 'System', and 'Security'
    Query <QueryList> \
        <Query Id="0"> \
            <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select> \
            <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select> \
            <Select Path="Application">*</Select> \
            <Select Path="System">*</Select> \
            <Select Path="Security">*</Select> \
            <Select Path="DNS Server">*</Select> \
        </Query> \
    </QueryList>
</Input>

#Syslog to LogPoint server
<Output out>
    Module      om_udp
    Host        xx.xx.xx.xx:514
    Exec to_json();$Message=$raw_event;to_syslog_bsd(); 
</Output>

<Output bsdformat>
    Module      om_udp
    Host        xx.xx.xx.xx:514
#    Exec        to_syslog_bsd();
    Exec        to_syslog_snare();
</Output>

<Route 1>
    Path        Eventlog, Internal => out
</Route>

<Route 2>
    Path        dnslog => bsdformat
</Route>

 

And you can use default windows dashboards.:

 

 

Userlevel 4
Badge +7

Thanks for describing that - I probably should have made it clearer in my original response that Dns debug log files work fine in our nxlog version (and indeed the Logpoint Agent and AgentX), it’s the Event Tracing ETL files that are problematic.

Reply