With the following config file I am capturing the entire MS DNS logs. This includes the DNS header info which I want to filter out. I need help figuring out what I can add that will allow me to filter out the DNS header information.

define TAP_Sender_IP XXX.XXX.XXX.XXX
define TAP_Sender_Port XXX

define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO

<Extension _syslog>
Module xm_syslog
</Extension>

<Input DNS>
Module im_file
File "C:\\DNSlogs.txt"
SavePos True
# Drop lines starting with '#' and empty lines; everything else is forwarded as-is
Exec if ($raw_event =~ /^#/) OR ($raw_event == '') drop();
</Input>

<Output Tap>
Module om_udp
Host %TAP_Sender_IP%
Port %TAP_Sender_Port%
</Output>

<Route primary>
Path DNS => Tap
</Route>

This config removes the blank spaces between DNS entries but leaves the file header. I'm not sure what I need to change to prevent this from capturing the DNS header information.
Does anyone have any suggestions?
Thanks in advance

Asked January 17, 2019 - 6:00pm
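Added example, not code from the original post or from NXLog: a Python filter that keeps only lines that begin with an MS DNS entry timestamp (an allowlist, instead of dropping lines that start with a marker) and parses the kept entries into fields. The log sample is constructed, and the column layout the regex assumes is that of the Windows DNS debug log packet line.

```python
import re

# Constructed sample of a Microsoft DNS debug log (not from the original post):
# free-text header lines and a field-key table, blank lines, then packet entries.
SAMPLE_LOG = """DNS Server log file creation at 1/17/2019 5:55:00 PM
Log file wrap at 1/17/2019 5:55:00 PM

Message logging key (for packets - other items use a subset of these fields):
\tField #  Information         Values
\t-------  -----------         ------

1/17/2019 5:55:01 PM 0F5C PACKET  00000000023B5A40 UDP Rcv 10.0.0.5        0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
1/17/2019 5:55:01 PM 0F5C PACKET  00000000023B5A40 UDP Snd 10.0.0.5        0002 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
"""

# Allowlist: a real entry starts with a date and a 12-hour time. Header lines and
# the key table never do, so a positive match is more robust than a '^#' denylist.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<thread>[0-9A-F]{4}) (?P<context>\S+)\s+(?P<packet_id>[0-9A-F]+) "
    r"(?P<proto>UDP|TCP) (?P<dir>Rcv|Snd) (?P<remote_ip>\S+)\s+(?P<xid>[0-9a-fA-F]{4})"
    r"\s+(?P<response>R)?\s*(?P<opcode>[A-Z?]) "
    r"\[(?P<flags_hex>[0-9a-fA-F]{4})\s+(?P<flags>[A-Z]*)\s+(?P<rcode>[A-Z_]+)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)$"
)


def decode_qname(raw):
    """Turn MS DNS label notation '(3)www(7)example(3)com(0)' into 'www.example.com'."""
    labels = re.findall(r"\((\d+)\)([^()]*)", raw)
    return ".".join(label for length, label in labels if int(length) > 0) or "."


def parse_dns_log(text):
    """Return parsed packet entries; header, key-table and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.rstrip())
        if not m:
            continue  # header/blank/unrecognised line: the same effect as drop()
        rec = m.groupdict()
        rec["response"] = rec["response"] == "R"
        rec["qname"] = decode_qname(rec["qname"])
        entries.append(rec)
    return entries


if __name__ == "__main__":
    for e in parse_dns_log(SAMPLE_LOG):
        print(e["time"], e["dir"], e["remote_ip"], e["qtype"], e["qname"], e["rcode"])
```

The same allowlist can be expressed in the Input block as `Exec if $raw_event !~ /^\d{1,2}\/\d{1,2}\/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M / drop();` (assuming NXLog's `!~` negated regex match), which drops the header and blank lines in one rule.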

  • Zhengshi

    An example log may help in this situation as many may not be familiar with the MS DNS format. Source log file + how you expect it to look after?

    Also if you are using NXLog EE, then you could use the xm_msdns module.

