Unnecessary logs when forwarding Windows DNS logs as syslog

#1 johnrclark54

Hello everyone,

I have been noticing some seemingly unnecessary logs being sent to our SIEM when using nxlog for Windows DNS syslog forwarding.

Here is my current configuration:

nxlog.conf

define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog
</Extension>

<Input in>
    Module im_file
    File 'C:\Windows\Sysnative\dns\dns.log'
    SavePos TRUE
    ReadFromLast TRUE
    PollInterval 1
    Exec $Message = $raw_event; $SyslogFacilityValue = 22;
</Input>

<Output out1>
    Module om_tcp
    Host 10.5.1.3
    Port 1470
    Exec to_syslog_bsd();
</Output>

<Route 1>
    Path in => out1
</Route>

<Extension _fileop>
    Module xm_fileop
</Extension>

Windows DNS Debug Logging Configuration:

Log packets for debugging: checked

Packet direction:
    Outgoing: checked
    Incoming: checked

Transport protocol:
    UDP: checked
    TCP: checked

Packet contents:
    Queries/Transfers: checked
    Updates: checked
    Notifications: not checked

Packet Type:
    Request: checked
    Response: checked

Other options:
    Log unmatched incoming response packets: not checked
    Details: not checked
    Filter packets by IP address: not checked

File path and name: c:\windows\system32\dns\dns.log
Maximum size (bytes): 500000000

The result is that all of the necessary logs are being sent to our SIEM, but there are a bunch of unnormalized logs being sent that I do not quite understand.

Here are examples:

<181>(date/time) (System Name)

As an example, for a server named DC1 on March 19th, 14:39:

<181>Mar 19 14:39:17 DC1

A ton of these are being sent, close to 1 for each normal DNS log. As you could imagine this is using a lot of our event log storage. Does anyone know what is causing this? Or what this <181> is referring to?

Thank you!
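Added example, not code from the original post or from NXLog: it decodes the <181> PRI the poster sees (facility 22 is the value set in the posted nxlog.conf) and emulates the posted route, one BSD-syslog event per line read from dns.log, over a constructed dns.log sample. It assumes the header-only events come from the blank separator lines the debug log writes after each packet record (the thread does not confirm the cause), and the names `forward`, `is_dns_record`, `count_bare` and `SAMPLE_DNS_LOG` are mine.

```python
# Added example (not from the original post or NXLog). Emulates the posted
# route with facility 22; the dns.log sample below is constructed and only
# approximates the real Windows debug-log layout.

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def decode_pri(pri):
    """RFC 3164 PRI = facility * 8 + severity, so 181 -> (22, 5, "notice")."""
    facility, severity = divmod(pri, 8)
    return facility, severity, SEVERITIES[severity]

def syslog_header(facility, severity, stamp, host):
    """BSD-syslog prefix that precedes the message text."""
    return f"<{facility * 8 + severity}>{stamp} {host}"

def is_dns_record(line):
    """Windows DNS debug packet records carry the PACKET keyword; the blank
    separator lines and the file header do not."""
    return " PACKET " in line

def forward(lines, facility=22, severity=5, stamp="Mar 19 14:39:17", host="DC1",
            drop_non_records=False):
    """Every input line becomes one syslog event, as in the posted im_file ->
    om_tcp route. With drop_non_records=True, lines holding no packet record
    are dropped instead of being sent as header-only events."""
    header = syslog_header(facility, severity, stamp, host)
    events = []
    for raw in lines:
        msg = raw.rstrip("\r\n")
        if drop_non_records and not is_dns_record(msg):
            continue
        events.append(f"{header} {msg}".rstrip())
    return events

def count_bare(events, facility=22, severity=5, stamp="Mar 19 14:39:17", host="DC1"):
    """Events consisting of the header alone: the noise the poster reports."""
    return sum(1 for e in events if e == syslog_header(facility, severity, stamp, host))

# Constructed sample: two packet records, each followed by the blank separator
# line written after a record (the assumed source of the empty events).
SAMPLE_DNS_LOG = [
    "3/19/2019 2:39:17 PM 0B48 PACKET  000000D6E9A3B2C0 UDP Rcv 10.5.1.20 "
    "4a1c   Q [0001   D   NOERROR] A (3)www(7)example(3)com(0)\r\n",
    "\r\n",
    "3/19/2019 2:39:17 PM 0B48 PACKET  000000D6E9A3B2C0 UDP Snd 10.5.1.20 "
    "4a1c R Q [8081   DR  NOERROR] A (3)www(7)example(3)com(0)\r\n",
    "\r\n",
]
```

Running `forward(SAMPLE_DNS_LOG)` yields four events, two of which are exactly `<181>Mar 19 14:39:17 DC1`; `forward(SAMPLE_DNS_LOG, drop_non_records=True)` keeps only the two packet records.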

#2 b0ti Nxlog ✓

See the File-based DNS debug logging section in the user guide.