I have set up NXLog for the purpose of consuming DNS analytical events and forwarding them to an NDR solution. I'm using im_etw as the input and parsing to syslog with xm_syslog and om_file. The output is to a file stored locally on the DNS server.

When I take a closer look at event IDs 256 and 257, the DNS analytical log provides some interesting fields such as source, query and packet data, which seems to be a hex value of the query or response.

Has anyone decoded the PacketData field into a readable format?

Config below:

<Extension _syslog>
    Module   xm_syslog
</Extension>

<Input etw>
    Module   im_etw
    Provider Microsoft-Windows-DNSServer
</Input>

<Output file>
    Module   om_file
    File     'C:\Users\Administrator\Documents\output_syslog.log'
    Exec     parse_syslog();
</Output>

<Route etw_file>
    Path     etw => file
</Route>

Asked February 8, 2021 - 2:02am

Answer (1)

The im_pcap module has a DNS decoder that should get you this data, though I understand that requires a different setup than capturing the ETW trace directly.

To decode PacketData produced by im_etw you could use xm_perl.
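The question asks how to turn the hex PacketData of events 256 and 257 into something readable, and the answer above points at xm_perl. The decoder below is an added example, not code from NXLog or from either poster; it is written in Python so it can be run directly over exported values, and the same logic can be ported into an xm_perl Exec hook. It assumes PacketData holds the raw DNS message in RFC 1035 wire format as a hex string (the SAMPLE_QUERY and SAMPLE_RESPONSE values are constructed, not captured from a real server), and it rejects compression-pointer loops and truncated records so that a malformed packet cannot hang or crash the log pipeline.

```python
"""Decode the hex PacketData of Microsoft-Windows-DNSServer events 256/257.
Added example, not NXLog code; assumes PacketData is the raw DNS message
(RFC 1035 wire format) as a hex string. Adjust hex_to_bytes() if not."""
import ipaddress
import struct

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}
RCODES = "NOERROR FORMERR SERVFAIL NXDOMAIN NOTIMP REFUSED".split()
FLAG_BITS = ((0x0400, "AA"), (0x0200, "TC"), (0x0100, "RD"), (0x0080, "RA"),
             (0x0020, "AD"), (0x0010, "CD"))

def hex_to_bytes(packet_data):
    """Strip an optional '0x' prefix and space/colon separators, then unhex."""
    cleaned = packet_data.strip().lower()
    cleaned = cleaned[2:] if cleaned.startswith("0x") else cleaned
    return bytes.fromhex("".join(c for c in cleaned if c not in " :-\n\t"))

def read_name(msg, offset):
    """Read a possibly compressed name; return (name, offset after it).
    Loops and short reads raise ValueError: PacketData is untrusted input."""
    labels, end, jumped, seen = [], offset, False, set()
    while True:
        if offset >= len(msg): raise ValueError("name past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                        # compression pointer
            if offset + 1 >= len(msg): raise ValueError("truncated pointer")
            pointer = ((length & 0x3F) << 8) | msg[offset + 1]
            if pointer in seen: raise ValueError("compression pointer loop")
            seen.add(pointer)
            if not jumped:
                end, jumped = offset + 2, True       # resume after 1st pointer
            offset = pointer
            continue
        offset += 1
        if length == 0:
            return ".".join(labels) or ".", (end if jumped else offset)
        label = msg[offset:offset + length]
        if len(label) != length: raise ValueError("truncated label")
        labels.append(label.decode("ascii", errors="replace"))
        offset += length

def read_rr(msg, offset):
    """Parse one resource record; common RDATA types are rendered readably."""
    name, offset = read_name(msg, offset)
    if offset + 10 > len(msg): raise ValueError("truncated resource record")
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
    offset += 10
    rdata = msg[offset:offset + rdlen]
    if len(rdata) != rdlen: raise ValueError("truncated RDATA")
    if rtype == 1 and rdlen == 4:
        data = str(ipaddress.IPv4Address(rdata))
    elif rtype == 28 and rdlen == 16:
        data = str(ipaddress.IPv6Address(rdata))
    elif rtype in (2, 5, 12):
        data, _ = read_name(msg, offset)     # RDATA names may use pointers
    else:
        data = rdata.hex()                   # anything else stays as hex
    return {"name": name, "type": TYPE_NAMES.get(rtype, str(rtype)),
            "class": rclass, "ttl": ttl, "data": data}, offset + rdlen

def decode_packet_data(packet_data):
    """Return header fields plus question/answer/authority/additional lists."""
    msg = hex_to_bytes(packet_data)
    if len(msg) < 12: raise ValueError("DNS header needs 12 bytes")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    rcode = flags & 0xF
    out = {"id": ident, "is_response": bool(flags & 0x8000),
           "flags": [n for bit, n in FLAG_BITS if flags & bit],
           "rcode": RCODES[rcode] if rcode < len(RCODES) else str(rcode),
           "questions": [], "answers": [], "authority": [], "additional": []}
    offset = 12
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        if offset + 4 > len(msg): raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        out["questions"].append({"name": name, "class": qclass,
                                 "type": TYPE_NAMES.get(qtype, str(qtype))})
    for count, key in ((an, "answers"), (ns, "authority"), (ar, "additional")):
        for _ in range(count):
            rr, offset = read_rr(msg, offset)
            out[key].append(rr)
    return out

def summarize(packet_data):
    """One-line rendering that fits in a syslog message."""
    d = decode_packet_data(packet_data)
    kind = "response" if d["is_response"] else "query"
    q = ",".join(f"{x['name']}/{x['type']}" for x in d["questions"])
    a = ",".join(f"{x['type']}={x['data']}" for x in d["answers"])
    return f"{kind} id={d['id']} rcode={d['rcode']} q={q} a={a}"

# Constructed samples shaped like event 256 (query) and 257 (response) data:
# a query for example.com/A and a reply carrying one A record (192.0.2.1).
SAMPLE_QUERY = "123401000001000000000000076578616d706c6503636f6d0000010001"
SAMPLE_RESPONSE = ("123481800001000100000000076578616d706c6503636f6d0000010001"
                   "c00c0001000100000e100004c0000201")
```

Calling summarize(SAMPLE_RESPONSE) yields "response id=4660 rcode=NOERROR q=example.com/A a=A=192.0.2.1", which is the kind of compact string worth writing into a dedicated field before the event is forwarded; decode_packet_data() returns the full structure (including authority and additional sections) if the downstream system wants JSON. The decoder deliberately raises on truncated records and pointer loops rather than guessing, so a collector should catch ValueError and keep the original hex for that event.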

Comments (1)

  • PD_085948

    Hi b0ti - thanks for your comment.

    A question regarding im_pcap - is dev where I set the interface I am monitoring? My interface on the server is Ethernet adapter Ethernet0:

    <Input pcap>
    Module im_pcap
    Dev enp0s3 <== should this be Ethernet0?

    Also, I keep getting errors.

    2021-02-10 16:00:27 ERROR [CORE|main] Failed to load module from C:\Program Files\nxlog\modules\input\im_pcap.dll, The specified module could not be found. ; The specified module could not be found.
    2021-02-10 16:00:27 WARNING [CORE|main] no functional input modules!
    2021-02-10 16:00:27 ERROR [CORE|main] module 'pcap' is not declared at C:\Program Files\nxlog\conf\nxlog.conf:82
    2021-02-10 16:00:27 ERROR [CORE|main] route pcap_file is not functional without input modules, ignored at C:\Program Files\nxlog\conf\nxlog.conf:82

    I checked the C:\Program Files\nxlog\modules\input\ directory and the file im_pcap.dll is in the directory.

    Config I have used:

    define INSTALLDIR C:\Program Files\nxlog

    #ModuleDir %INSTALLDIR%\modules
    #CacheDir %INSTALLDIR%\data
    #SpoolDir %INSTALLDIR%\data

    define CERTDIR %INSTALLDIR%\cert
    define CONFDIR %INSTALLDIR%\conf\nxlog.d

    # Note that these two lines define constants only; the log file location
    # is ultimately set by the `LogFile` directive (see below). The
    # `MYLOGFILE` define is also used to rotate the log file automatically
    # (see the `_fileop` block).
    define LOGDIR %INSTALLDIR%\data
    define MYLOGFILE %LOGDIR%\nxlog.log

    # If you are not using NXLog Manager, disable the `include` line
    # and enable LogLevel and LogFile.
    include %CONFDIR%\*.conf

    #LogLevel INFO
    #LogFile %MYLOGFILE%

    <Extension _json>
        Module  xm_json
    </Extension>

    <Input pcap>
        Module  im_pcap
        Dev     enp0s3
        <Protocol>
            Type   dns
            Field  dns.opcode
            Field  dns.id
            Field  dns.flags.authoritative
            Field  dns.flags.recursion_available
            Field  dns.flags.recursion_desired
            Field  dns.flags.authentic_data
            Field  dns.flags.checking_disabled
            Field  dns.flags.truncated_response
            Field  dns.response
            Field  dns.response.code
            Field  dns.query
            Field  dns.additional
            Field  dns.answer
            Field  dns.authority
        </Protocol>
        <Protocol>
            Type   ipv4
            Field  ipv4.src
            Field  ipv4.dst
            Field  ipv4.fragment
        </Protocol>
        <Protocol>
            Type   ipv6
            Field  ipv6.src
            Field  ipv6.dst
            Field  ipv6.options
        </Protocol>
        <Protocol>
            Type   tcp
            Field  tcp.src_port
            Field  tcp.dst_port
            Field  tcp.flag
        </Protocol>
        <Protocol>
            Type   udp
            Field  udp.src_port
            Field  udp.dst_port
        </Protocol>
    </Input>

    <Output file>
        Module  om_file
        File    "C:\Users\Administrator\Documents\passive_dns.json"
        Exec    to_json();
    </Output>

    <Route pcap_file>
        Path    pcap => file
    </Route>