I have been noticing some seemingly unnecessary logs being sent to our SIEM when using nxlog for Windows DNS syslog forwarding.
Here is my current configuration:
define ROOT C:\Program Files (x86)\nxlog
Exec $Message = $raw_event; $SyslogFacilityValue = 22;
Path in => out1
Windows DNS Debug Logging Configuration:
Log packets for debugging: check
Notifications: not checked
Log unmatched incoming response packets: not checked
Details: not checked
Filter packets by IP address: not checked
File path and name: c:\windows\system32\dns\dns.log
Maximum size (bytes): 500000000
The result is that all of the necessary logs are being sent to our SIEM, but there are a bunch of unnormalized logs being sent that I do not quite understand.
Here are examples:
<181>(date/time) (System Name)
As an example, for a server named DC1 on March 19th, 14:39.
<181>Mar 19 14:39:17 DC1
A ton of these are being sent, close to 1 for each normal DNS log. As you could imagine this is using a lot of our event log storage. Does anyone know what is causing this? Or what this <181> is referring to?
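As an added example, not part of the original post or of nxlog's own code: a small Python script that decodes the syslog PRI value in these messages and separates header-only messages from real DNS entries. With `$SyslogFacilityValue = 22` (local6) and nxlog's default severity of Notice (5), the PRI is 22 * 8 + 5 = 181, so the `<181>` prefix is simply the facility/severity of every message the configuration sends. The sample lines below are constructed (the DNS debug-log line is modelled on the usual Windows DNS packet-log format), and the filter assumes the extra messages are blank lines from `dns.log` that arrive with a syslog header but no payload, which is something to confirm against the raw file before changing the nxlog route.

```python
import re

# RFC 3164 facility and severity names, used only for display.
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "security", 14: "console", 15: "solaris-cron",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def decode_pri(pri: int) -> tuple:
    """Split a syslog PRI into (facility, severity): PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI must be between 0 and 191")
    return divmod(pri, 8)


def encode_pri(facility: int, severity: int) -> int:
    """Inverse of decode_pri; nxlog computes the same value from $SyslogFacilityValue."""
    return facility * 8 + severity


def describe_pri(pri: int) -> str:
    facility, severity = decode_pri(pri)
    return f"{FACILITIES[facility]}.{SEVERITIES[severity]}"


# BSD-style syslog line: <PRI>Mmm dd HH:MM:SS host [message]
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+)(?: (?P<msg>.*))?$"
)


def parse_syslog(line: str):
    """Return the parsed fields, or None if the line is not a syslog message."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    msg = m.group("msg") or ""
    return {
        "pri": int(m.group("pri")),
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "msg": msg,
        "empty": msg.strip() == "",
    }


def split_messages(lines):
    """Separate real DNS entries from header-only messages (no payload after the host)."""
    kept, dropped = [], []
    for line in lines:
        parsed = parse_syslog(line)
        if parsed is None:
            continue
        (dropped if parsed["empty"] else kept).append(parsed)
    return kept, dropped


# Constructed sample: one DNS debug-log entry and one header-only message,
# matching the date, time and host from the question.
SAMPLE = [
    "<181>Mar 19 14:39:17 DC1 3/19/2019 2:39:17 PM 0B58 PACKET  000000C8A9D3C0C0 UDP Rcv 10.0.0.5 "
    "0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)",
    "<181>Mar 19 14:39:17 DC1",
]

if __name__ == "__main__":
    print(describe_pri(181))  # local6.notice
    real, blank = split_messages(SAMPLE)
    print(f"{len(real)} DNS entries, {len(blank)} header-only messages")
```

If the header-only messages do turn out to be blank lines from the log file, the equivalent fix on the nxlog side is an `Exec` that drops events whose `$raw_event` is empty before they reach the output, which avoids spending SIEM storage on them at all.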