I have set up NXLog for the purpose of consuming DNS analytical events and forwarding them to an NDR solution. I'm using im_etw as the input and parsing to syslog with xm_syslog and om_file. The output is to a file stored locally on the DNS server.
When I take a closer look at event IDs 256 and 257, the DNS analytical log provides some interesting fields such as source, query and packet data, which seems to be a hex value of the query or response.
Has anyone decoded the PacketData field into a readable format?
Config below:
<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input etw>
    Module    im_etw
    Provider  Microsoft-Windows-DNSServer
</Input>

<Output file>
    Module  om_file
    File    'C:\Users\Administrator\Documents\output_syslog.log'
    # parse_syslog() reads an incoming syslog line into fields; to write the
    # ETW event out in syslog format the record has to be converted the other
    # way, which is what to_syslog_ietf() (or to_syslog_bsd()) does.
    Exec    to_syslog_ietf();
</Output>

<Route etw_file>
    Path  etw => file
</Route>
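The PacketData value is the raw DNS message exactly as it went over the wire, hex-encoded. The decoder below is an added example, not code from the original post or from NXLog: it parses the RFC 1035 wire format (header, question, then answer/authority/additional records) and resolves label-compression pointers, which is the part that trips up naive decoders. The two hex strings are constructed sample values for an example.com A query and its response, not captured log data, and the transaction ID, TTL and address in them are made up.

```python
"""Decode the hex PacketData field of Windows DNS analytical events.

Added example (not from the original post or NXLog). Parses DNS wire format
per RFC 1035, including 0xC0 label-compression pointers.
"""
import ipaddress
import struct

# Record types worth naming in output; anything else is shown numerically.
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
              16: "TXT", 28: "AAAA", 33: "SRV"}

# Constructed sample PacketData values (assumed hex encoding, as in the OP):
# a query for example.com/A and the matching response with one A record.
QUERY_HEX = ("12340100" "0001" "0000" "0000" "0000"
             "076578616d706c6503636f6d00" "0001" "0001")
RESPONSE_HEX = ("12348180" "0001" "0001" "0000" "0000"
                "076578616d706c6503636f6d00" "0001" "0001"
                "c00c" "0001" "0001" "00000e10" "0004" "5db8d822")


def read_name(packet, offset):
    """Return (dotted name, offset after the name).

    A compression pointer must point strictly backwards; that rule alone
    guarantees termination on looping or hostile packets.
    """
    labels = []
    while True:
        if offset >= len(packet):
            raise ValueError("name runs past end of packet")
        length = packet[offset]
        if length == 0:
            return ".".join(labels) or ".", offset + 1
        if length & 0xC0 == 0xC0:
            if offset + 1 >= len(packet):
                raise ValueError("truncated compression pointer")
            pointer = struct.unpack_from("!H", packet, offset)[0] & 0x3FFF
            if pointer >= offset:
                raise ValueError("forward/self-referencing compression pointer")
            suffix, _ = read_name(packet, pointer)
            if suffix != ".":
                labels.append(suffix)
            return ".".join(labels) or ".", offset + 2
        if length & 0xC0:
            raise ValueError("unsupported label type")
        offset += 1
        if offset + length > len(packet):
            raise ValueError("label runs past end of packet")
        labels.append(packet[offset:offset + length].decode("ascii", "replace"))
        offset += length


def read_rdata(packet, rtype, start, rdlen):
    """Render RDATA for the common types; fall back to hex for the rest."""
    rdata = packet[start:start + rdlen]
    if rtype == 1 and rdlen == 4:
        return str(ipaddress.IPv4Address(rdata))
    if rtype == 28 and rdlen == 16:
        return str(ipaddress.IPv6Address(rdata))
    if rtype in (2, 5, 12):            # NS, CNAME, PTR carry a (compressible) name
        return read_name(packet, start)[0]
    if rtype == 15:                     # MX: preference + exchange name
        pref = struct.unpack_from("!H", packet, start)[0]
        return f"{pref} {read_name(packet, start + 2)[0]}"
    return rdata.hex()


def read_rr(packet, offset):
    """Parse one resource record starting at offset."""
    name, offset = read_name(packet, offset)
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", packet, offset)
    offset += 10
    if offset + rdlen > len(packet):
        raise ValueError("RDATA runs past end of packet")
    data = read_rdata(packet, rtype, offset, rdlen)
    rr = {"name": name, "type": TYPE_NAMES.get(rtype, str(rtype)),
          "class": rclass, "ttl": ttl, "data": data}
    return rr, offset + rdlen


def decode_packet_data(hex_string):
    """Decode a hex PacketData value into a dict of header bits and sections."""
    packet = bytes.fromhex(hex_string)
    if len(packet) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", packet, 0)
    result = {"id": txid, "response": bool(flags & 0x8000),
              "rcode": flags & 0x000F, "questions": [],
              "answers": [], "authority": [], "additional": []}
    offset = 12
    for _ in range(qd):
        name, offset = read_name(packet, offset)
        qtype, _qclass = struct.unpack_from("!HH", packet, offset)
        offset += 4
        result["questions"].append((name, TYPE_NAMES.get(qtype, str(qtype))))
    for section, count in (("answers", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            rr, offset = read_rr(packet, offset)
            result[section].append(rr)
    return result


if __name__ == "__main__":
    for label, blob in (("query", QUERY_HEX), ("response", RESPONSE_HEX)):
        print(label, decode_packet_data(blob))
```

Running it stand-alone prints the decoded query (one question, no answers) and the decoded response, whose single answer carries the A record. Because the decoder refuses forward-pointing compression pointers and records that overrun the buffer, a truncated or deliberately malformed PacketData raises ValueError instead of looping or returning garbage, which matters when the input is attacker-controlled DNS traffic.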
Comments (1)
For future reference, NXLog Enterprise v5.5 will now automatically decode the DNS payload information (PacketData), including the resolved address!
im_etw list of parsed fields: https://docs.nxlog.co/refman/v5.5/im/etw.html#fields
EE v5.5 Release Notes: https://nxlog.co/news/nxlog-enterprise-edition-version-55-release-announcement
Regards,
Konstantinos