Decode PacketData from Microsoft DNS Server Analytics Logs
I have set up NXLog for the purpose of consuming DNS analytical events and forwarding them to an NDR solution. I'm using im_etw as the input and parse to syslog with xm_syslog and om_file. The output is to a file stored locally on the DNS server.
When I take a closer look at event IDs 256 and 257, the DNS analytical log provides some interesting fields such as source, query and packet data; the packet data seems to be a hex value of the query or response.
Has anyone decoded the PacketData field into a readable format?
Config below:
    # Load the syslog extension so the syslog conversion functions are available
    <Extension _syslog>
        Module  xm_syslog
    </Extension>

    # Subscribe to the DNS Server ETW provider (analytical/audit events)
    <Input etw>
        Module    im_etw
        Provider  Microsoft-Windows-DNSServer
    </Input>

    # Write each event to a local file; to_syslog_bsd() formats the ETW event
    # as BSD syslog (parse_syslog() expects syslog *input*, so it was the wrong call here)
    <Output file>
        Module  om_file
        File    'C:\Users\Administrator\Documents\output_syslog.log'
        Exec    to_syslog_bsd();
    </Output>

    <Route etw_file>
        Path  etw => file
    </Route>
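The following is an added example and is not part of the original post, nor NXLog's own code. It assumes, as the post observes, that PacketData is the hex encoding of the raw DNS wire-format message (RFC 1035), and decodes the header, question section and resource records, including name compression pointers, into a dictionary. The two hex strings are constructed samples (a query for example.com/A and the matching response); the function and field names are the example's own.

```python
import ipaddress
import struct
from typing import Dict, List, Tuple

# Standard RR type codes (RFC 1035, RFC 3596 for AAAA, RFC 2782 for SRV)
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
              16: "TXT", 28: "AAAA", 33: "SRV", 255: "ANY"}
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}
FLAG_BITS = {0x0400: "AA", 0x0200: "TC", 0x0100: "RD", 0x0080: "RA"}

# Constructed samples: a query for example.com A, and the matching response
SAMPLE_QUERY_HEX = "1234 0100 0001 0000 0000 0000 076578616d706c6503636f6d00 0001 0001"
SAMPLE_RESPONSE_HEX = ("1234 8180 0001 0001 0000 0000 076578616d706c6503636f6d00 0001 0001"
                       " c00c 0001 0001 0000012c 0004 5db8d822")


def _need(data: bytes, offset: int, n: int) -> None:
    """Raise instead of silently mis-parsing a truncated packet."""
    if offset + n > len(data):
        raise ValueError(f"packet truncated at offset {offset}, need {n} bytes")


def read_name(data: bytes, offset: int) -> Tuple[str, int]:
    """Read a possibly compressed name; return (name, offset after the name)."""
    labels: List[str] = []
    end = offset
    jumped = False
    hops = 0
    while True:
        _need(data, offset, 1)
        length = data[offset]
        if length & 0xC0 == 0xC0:           # compression pointer (two bytes)
            _need(data, offset, 2)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2            # caller continues after the pointer
            jumped = True
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:                     # root label terminates the name
            if not jumped:
                end = offset
            break
        _need(data, offset, length)
        labels.append(data[offset:offset + length].decode("ascii", errors="replace"))
        offset += length
    return (".".join(labels) or "."), end


def read_rdata(data: bytes, rtype: int, offset: int, length: int) -> str:
    """Render RDATA for common types; fall back to hex for anything else."""
    _need(data, offset, length)
    rd = data[offset:offset + length]
    if rtype == 1 and length == 4:
        return ".".join(str(b) for b in rd)
    if rtype == 28 and length == 16:
        return str(ipaddress.IPv6Address(rd))
    if rtype in (2, 5, 12):                 # NS, CNAME, PTR carry a (compressible) name
        return read_name(data, offset)[0]
    if rtype == 15 and length >= 3:         # MX: preference + exchange name
        return f"{struct.unpack('!H', rd[:2])[0]} {read_name(data, offset + 2)[0]}"
    return rd.hex()


def decode_packet_data(hex_string: str) -> Dict:
    """Decode a hex-encoded DNS message (as seen in the PacketData field)."""
    cleaned = hex_string.strip().lower().replace(" ", "").replace(":", "")
    if cleaned.startswith("0x"):
        cleaned = cleaned[2:]
    data = bytes.fromhex(cleaned)
    _need(data, 0, 12)
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", data[:12])
    result: Dict = {
        "id": ident,
        "is_response": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "flags": [name for bit, name in FLAG_BITS.items() if flags & bit],
        "rcode": RCODE_NAMES.get(flags & 0xF, str(flags & 0xF)),
        "questions": [], "answers": [], "authority": [], "additional": [],
    }
    offset = 12
    for _ in range(qd):
        name, offset = read_name(data, offset)
        _need(data, offset, 4)
        qtype, _qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        result["questions"].append({"name": name, "type": TYPE_NAMES.get(qtype, str(qtype))})
    for section, count in (("answers", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, offset = read_name(data, offset)
            _need(data, offset, 10)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
            offset += 10
            result[section].append({"name": name, "type": TYPE_NAMES.get(rtype, str(rtype)),
                                    "ttl": ttl, "data": read_rdata(data, rtype, offset, rdlen)})
            offset += rdlen
    return result


def summarize(decoded: Dict) -> str:
    """One-line rendering suitable for appending to a syslog/NDR record."""
    kind = "response" if decoded["is_response"] else "query"
    qs = ",".join(f"{q['name']}/{q['type']}" for q in decoded["questions"])
    ans = ";".join(f"{a['name']} {a['type']} {a['data']} ttl={a['ttl']}" for a in decoded["answers"])
    return f"{kind} id={decoded['id']} rcode={decoded['rcode']} q={qs} answers=[{ans}]"


if __name__ == "__main__":
    for sample in (SAMPLE_QUERY_HEX, SAMPLE_RESPONSE_HEX):
        print(summarize(decode_packet_data(sample)))
```

Because ETW PacketData holds the full message, the decoder can be run over the om_file output in a post-processing step to enrich each 256/257 event with the resolved name, record type and answers. A truncated or malformed hex value raises ValueError rather than yielding a partial, misleading record.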