responses
I have setup NXlog for purpose of consuming DNS analytical events and forwarding to a NDR solution. I'm using im_etw as the input and parse to syslog with xm_syslog and om_file. The output is to a file stored locally on the DNS server.
When I take a closer look at event IDs 256 and 257, DNS analytical log provides some interesting field such as source, query and packet data, which seems to be a hex value of query or response.
Has anyone decoded the PacketData field into a readable format?
Config below:
<Extension _syslog>
Module xm_syslog
</Extension>
<Input etw>
Module im_etw
Provider Microsoft-Windows-DNSServer
</Input>
<Output file>
Module om_file
File 'C:\Users\Administrator\Documents\output_syslog.log'
Exec parse_syslog();
</Output>
<Route etw_file>
Path etw => file
</Route>
Comments (1)
Hi b0ti - thanks for your comment.
A question regarding im_pcap - is dev where I set the interface I am monitoring? My interface on the server is Ethernet adapter Ethernet0:
<Input pcap>
Module im_pcap
Dev enp0s3 <== should this be Ethernet0?
Also, I keep getting errors.
2021-02-10 16:00:27 ERROR [CORE|main] Failed to load module from C:\Program Files\nxlog\modules\input\im_pcap.dll, The specified module could not be found. ; The specified module could not be found.
2021-02-10 16:00:27 WARNING [CORE|main] no functional input modules!
2021-02-10 16:00:27 ERROR [CORE|main] module 'pcap' is not declared at C:\Program Files\nxlog\conf\nxlog.conf:82
2021-02-10 16:00:27 ERROR [CORE|main] route pcap_file is not functional without input modules, ignored at C:\Program Files\nxlog\conf\nxlog.conf:82
I checked the C:\Program Files\nxlog\modules\input\ directory and the file im_pcap.dll is in the directory.
Config I have used:
define INSTALLDIR C:\Program Files\nxlog
#ModuleDir %INSTALLDIR%\modules
#CacheDir %INSTALLDIR%\data
#SpoolDir %INSTALLDIR%\data
define CERTDIR %INSTALLDIR%\cert
define CONFDIR %INSTALLDIR%\conf\nxlog.d
# Note that these two lines define constants only; the log file location
# is ultimately set by the `LogFile` directive (see below). The
# `MYLOGFILE` define is also used to rotate the log file automatically
# (see the `_fileop` block).
define LOGDIR %INSTALLDIR%\data
define MYLOGFILE %LOGDIR%\nxlog.log
# If you are not using NXLog Manager, disable the `include` line
# and enable LogLevel and LogFile.
include %CONFDIR%\*.conf
#LogLevel INFO
#LogFile %MYLOGFILE%
<Extension _json>
Module xm_json
</Extension>
<Input pcap>
Module im_pcap
Dev enp0s3
<Protocol>
Type dns
Field dns.opcode
Field dns.id
Field dns.flags.authoritative
Field dns.flags.recursion_available
Field dns.flags.recursion_desired
Field dns.flags.authentic_data
Field dns.flags.checking_disabled
Field dns.flags.truncated_response
Field dns.response
Field dns.response.code
Field dns.query
Field dns.additional
Field dns.answer
Field dns.authority
</Protocol>
<Protocol>
Type ipv4
Field ipv4.src
Field ipv4.dst
Field ipv4.fragment
</Protocol>
<Protocol>
Type ipv6
Field ipv6.src
Field ipv6.dst
Field ipv6.options
</Protocol>
<Protocol>
Type tcp
Field tcp.src_port
Field tcp.dst_port
Field tcp.flag
</Protocol>
<Protocol>
Type udp
Field udp.src_port
Field udp.dst_port
</Protocol>
</Input>
<Output file>
Module om_file
File "C:\Users\Administrator\Documents\passive_dns.json"
Exec to_json();
</Output>
<Route pcap_file>
Path pcap => file
</Route>