Decode PacketData from Microsoft DNS Server Analytics Logs

#1 PD_085948 4 years ago

When I take a closer look at event IDs 256 and 257, DNS analytical log provides some interesting field such as source, query and packet data, which seems to be a hex value of query or response.

Has anyone decoded the PacketData field into a readable format?

Config below:

<Extension _syslog> Module xm_syslog </Extension>

<Input etw> Module im_etw Provider Microsoft-Windows-DNSServer </Input>

<Output file> Module om_file File 'C:\Users\Administrator\Documents\output_syslog.log' Exec parse_syslog(); </Output>

Permalink

#3 b0ti Nxlog ✓ 4 years ago

#1 PD_085948

I have setup NXlog for purpose of consuming DNS analytical events and forwarding to a NDR solution. I'm using im_etw as the input and parse to syslog with xm_syslog and om_file. The output is to a file stored locally on the DNS server. When I take a closer look at event IDs 256 and 257, DNS analytical log provides some interesting field such as source, query and packet data, which seems to be a hex value of query or response. Has anyone decoded the PacketData field into a readable format? Config below: <Extension _syslog> Module xm_syslog </Extension> <Input etw> Module im_etw Provider Microsoft-Windows-DNSServer </Input> <Output file> Module om_file File 'C:\Users\Administrator\Documents\output_syslog.log' Exec parse_syslog(); </Output> <Route etw_file> Path etw => file </Route>

The im_pcap module has a DNS decoder that should get you this data, though I understand that requires a different setup than capturing the ETW trace directly.

To decode PacketData produced by im_etw you could use xm_perl.