Unnecessary logs when forwarding Windows DNS logs as syslog
Hello everyone,
I have been noticing some seemingly unnecessary logs being sent to our SIEM when using nxlog for Windows DNS syslog forwarding.
Here is my current configuration:
nxlog.conf
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog
</Extension>

<Input in>
    Module im_file
    File 'C:\Windows\Sysnative\dns\dns.log'
    SavePos TRUE
    ReadFromLast TRUE
    PollInterval 1
    Exec $Message = $raw_event; $SyslogFacilityValue = 22;
</Input>

<Output out1>
    Module om_tcp
    Host 10.5.1.3
    Port 1470
    Exec to_syslog_bsd();
</Output>

<Route 1>
    Path in => out1
</Route>

<Extension _fileop>
    Module xm_fileop
</Extension>
Windows DNS Debug Logging Configuration:
Log packets for debugging: checked
Packet direction: Outgoing: checked; Incoming: checked
Transport protocol: UDP: checked; TCP: checked
Packet contents: Queries/Transfers: checked; Updates: checked; Notifications: not checked
Packet type: Request: checked; Response: checked
Other options: Log unmatched incoming response packets: not checked; Details: not checked; Filter packets by IP address: not checked
File path and name: c:\windows\system32\dns\dns.log
Maximum size (bytes): 500000000
The result is that all of the necessary logs are being sent to our SIEM, but there are a bunch of unnormalized logs being sent that I do not quite understand.
Here are examples:
<181>(date/time) (System Name)
As an example, for a server named DC1 on March 19th, 14:39:
<181>Mar 19 14:39:17 DC1
A ton of these are being sent, close to one for each normal DNS log. As you can imagine, this is using a lot of our event log storage. Does anyone know what is causing this? Or what this <181> is referring to?
Thank you!
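Decoding the <181> prefix and spotting the empty events, as an added example that is not from the post or from NXLog: in BSD syslog the PRI is facility * 8 + severity, so 181 is facility 22 (local6, the value set by $SyslogFacilityValue in the config above) with severity 5 (notice). The sample event from the post carries nothing after the hostname; the made-up DNS entry in the sample list and the SIEM-side counting are assumptions.

```python
import re
from collections import Counter

# Shape of a line emitted by to_syslog_bsd(): <PRI>Mmm dd hh:mm:ss host message
BSD_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+)(?: (?P<msg>.*))?$"
)
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def decode_pri(pri: int) -> tuple:
    """Split a syslog PRI into (facility, severity): PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8

def facility_name(facility: int) -> str:
    # Facilities 16..23 are local0..local7, so the config's facility 22 is local6.
    return f"local{facility - 16}" if 16 <= facility <= 23 else str(facility)

def parse_bsd_syslog(line: str):
    """Parse one BSD syslog line; return None if it does not match the format."""
    m = BSD_SYSLOG_RE.match(line)
    if m is None:
        return None
    facility, severity = decode_pri(int(m.group("pri")))
    msg = m.group("msg") or ""
    return {
        "facility": facility_name(facility),
        "severity": SEVERITY_NAMES[severity],
        "host": m.group("host"),
        "message": msg,
        "empty": msg.strip() == "",  # nothing after the hostname: noise for the SIEM
    }

def summarize(lines) -> Counter:
    """Count real DNS events, empty events, and lines that are not BSD syslog at all."""
    counts = Counter()
    for line in lines:
        ev = parse_bsd_syslog(line)
        counts["unparsed" if ev is None else "empty" if ev["empty"] else "dns"] += 1
    return counts

# Constructed sample: the empty event quoted in the post plus a made-up DNS debug entry.
SAMPLE_EVENTS = [
    "<181>Mar 19 14:39:17 DC1 3/19/2024 2:39:17 PM 0B2C PACKET UDP Rcv 10.5.1.20 Q A www.example.com",
    "<181>Mar 19 14:39:17 DC1",
    "<181>Mar 19 14:39:17 DC1 ",
]
```

Running summarize() over a capture of the forwarded stream shows how much of the volume is empty events before any change is made to the forwarder.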
See the File-based DNS debug logging section in the user guide.