Decode PacketData from Microsoft DNS Server Analytics Logs


PD_085948

I have set up NXLog for the purpose of consuming DNS analytical events and forwarding them to an NDR solution. I'm using im_etw as the input and parse to syslog with xm_syslog and om_file. The output is to a file stored locally on the DNS server.

When I take a closer look at event IDs 256 and 257, the DNS analytical log provides some interesting fields such as source, query and packet data, which seems to be a hex value of the query or response.

Has anyone decoded the PacketData field into a readable format?

Config below:

<Extension _syslog>
    Module    xm_syslog
</Extension>

<Input etw>
    Module    im_etw
    Provider  Microsoft-Windows-DNSServer
</Input>

<Output file>
    Module    om_file
    File      'C:\Users\Administrator\Documents\output_syslog.log'
    # to_syslog_bsd() formats each ETW event as a syslog line on the way out;
    # parse_syslog() is for parsing incoming syslog, which ETW events are not.
    Exec      to_syslog_bsd();
</Output>

<Route etw_file>
    Path      etw => file
</Route>
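As an added worked example, not code from the original post or from NXLog: a Python decoder for the PacketData field. It assumes PacketData is the raw DNS message (the UDP payload, with no IP/UDP headers) rendered as a hex string, optionally with a 0x prefix, which is how the Microsoft-Windows-DNSServer analytic events carry it. The query, response and malformed packet below are constructed for this example, not captured from a server, and the hook that would call this from NXLog (for instance via xm_python) is not shown.

```python
"""Decode the PacketData hex field of Microsoft-Windows-DNSServer analytic
events (256 QUERY_RECEIVED, 257 RESPONSE_SUCCESS) as a DNS wire message."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Tuple

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
              16: "TXT", 28: "AAAA", 33: "SRV", 41: "OPT", 255: "ANY"}

# Constructed samples (hand-built for this example, not from a real log).
QUERY_HEX = (
    "1a2b" "0100" "0001" "0000" "0000" "0000"                    # ID, flags RD, 1 question
    "03777777" "076578616d706c65" "03636f6d" "00" "0001" "0001"  # www.example.com A IN
)
RESPONSE_HEX = (
    "1a2b" "8180" "0001" "0002" "0000" "0000"                    # QR|RD|RA, 1 q, 2 answers
    "03777777" "076578616d706c65" "03636f6d" "00" "0001" "0001"  # question echoed back
    "c00c" "0005" "0001" "0000012c" "0002" "c010"                # CNAME -> example.com (ptr 16)
    "c010" "0001" "0001" "0000012c" "0004" "5db8d822"            # example.com A 93.184.216.34
)
LOOP_HEX = "1a2b" "0100" "0001" "0000" "0000" "0000" "c00c" "0001" "0001"  # pointer to itself


@dataclass
class DnsRecord:
    name: str
    rtype: str
    ttl: int
    rdata: str


@dataclass
class DnsMessage:
    id: int
    is_response: bool
    opcode: int
    rcode: int
    flags: str
    questions: List[Tuple[str, str]]
    answers: List[DnsRecord]
    authority: List[DnsRecord]
    additional: List[DnsRecord]


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name at `off`; return (name, offset after it)."""
    labels, jumped, hops, end = [], False, 0, off
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer, RFC 1035 4.1.4
            if off + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            if not jumped:
                end = off + 2                           # stream resumes after the first pointer
            jumped, hops = True, hops + 1
            if hops > 64:                               # guard against pointer loops in hostile packets
                raise ValueError("compression pointer loop")
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        if length & 0xC0:
            raise ValueError("unsupported label type")
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels) or ".", end
        label = msg[off:off + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", "replace"))
        off += length


def decode_rdata(msg: bytes, rtype: int, off: int, rdlen: int) -> str:
    data = msg[off:off + rdlen]
    if rtype == 1 and rdlen == 4:
        return ".".join(str(b) for b in data)
    if rtype == 28 and rdlen == 16:
        return str(ipaddress.IPv6Address(data))
    if rtype in (2, 5, 12):                             # NS, CNAME, PTR: a name, may be compressed
        return read_name(msg, off)[0]
    if rtype == 15 and rdlen >= 3:                      # MX: preference + exchange
        return f"{struct.unpack_from('!H', msg, off)[0]} {read_name(msg, off + 2)[0]}"
    if rtype == 16:                                     # TXT: sequence of <len><chars>
        parts, i = [], 0
        while i < rdlen:
            parts.append(data[i + 1:i + 1 + data[i]].decode("ascii", "replace"))
            i += 1 + data[i]
        return " ".join(parts)
    return data.hex()                                   # anything else stays hex


def read_records(msg: bytes, off: int, count: int) -> Tuple[List[DnsRecord], int]:
    recs = []
    for _ in range(count):
        name, off = read_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated resource record")
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("RDLENGTH runs past end of message")
        recs.append(DnsRecord(name, TYPE_NAMES.get(rtype, f"TYPE{rtype}"), ttl,
                              decode_rdata(msg, rtype, off, rdlen)))
        off += rdlen
    return recs, off


def decode_packet_data(hex_str: str) -> DnsMessage:
    clean = "".join(hex_str.split())
    if clean[:2].lower() == "0x":                      # some exports prefix the hex with 0x
        clean = clean[2:]
    msg = bytes.fromhex(clean)
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off, questions = 12, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        if off + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, _qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append((name, TYPE_NAMES.get(qtype, f"TYPE{qtype}")))
    answers, off = read_records(msg, off, an)
    authority, off = read_records(msg, off, ns)
    additional, off = read_records(msg, off, ar)
    bits = (("AA", 0x0400), ("TC", 0x0200), ("RD", 0x0100), ("RA", 0x0080))
    return DnsMessage(ident, bool(flags & 0x8000), (flags >> 11) & 0xF, flags & 0xF,
                      " ".join(n for n, b in bits if flags & b),
                      questions, answers, authority, additional)


def summarize(m: DnsMessage) -> str:
    """One-line rendering suitable for writing back into a log field."""
    q = ", ".join(f"{n} {t}" for n, t in m.questions)
    rr = "; ".join(f"{r.name} {r.ttl} {r.rtype} {r.rdata}" for r in m.answers)
    kind = "response" if m.is_response else "query"
    return f"{kind} id={m.id:#06x} rcode={m.rcode} [{m.flags}] q=({q}) answers=({rr})"


if __name__ == "__main__":
    print(summarize(decode_packet_data(QUERY_HEX)))
    print(summarize(decode_packet_data(RESPONSE_HEX)))
```

Two checks worth keeping when this runs over real events: the QR flag should be 0 for event 256 and 1 for event 257 (a mismatch means the field is not what you assumed), and every length and pointer is bounds-checked before use, because PacketData is attacker-controlled bytes straight off the wire.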