Hello everyone,
I have been noticing some seemingly unnecessary logs being sent to our SIEM when using nxlog for Windows DNS syslog forwarding.
Here is my current configuration:
nxlog.conf
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog
</Extension>

<Input in>
    Module im_file
    # Sysnative: 32-bit nxlog reaching the 64-bit System32 through WOW64 redirection
    File 'C:\\Windows\\Sysnative\\dns\\dns.log'
    SavePos TRUE
    ReadFromLast TRUE
    PollInterval 1
    # facility 22 = local6; severity is not set here, so the default applies
    Exec $Message = $raw_event; $SyslogFacilityValue = 22;
</Input>

<Output out1>
    Module om_tcp
    Host 10.5.1.3
    Port 1470
    Exec to_syslog_bsd();
</Output>

<Route 1>
    Path in => out1
</Route>

<Extension _fileop>
    Module xm_fileop
</Extension>
Windows DNS Debug Logging Configuration:
  Log packets for debugging: check
  Packet direction:
    Outgoing: check
    Incoming: check
  Transport protocol:
    UDP: check
    TCP: check
  Packet contents:
    Queries/Transfers: check
    Updates: check
    Notifications: not checked
  Packet Type:
    Request: check
    Response: check
  Other options:
    Log unmatched incoming response packets: not checked
    Details: not checked
    Filter packets by IP address: not checked
  File path and name: c:\windows\system32\dns\dns.log
  Maximum size (bytes): 500000000
The result is that all of the necessary logs are being sent to our SIEM, but there are a bunch of unnormalized logs being sent that I do not quite understand.
Here are examples:
<181>(date/time) (System Name)
As an example, for a server named DC1 on March 19th, 14:39.
<181>Mar 19 14:39:17 DC1
A ton of these are being sent, close to 1 for each normal DNS log. As you could imagine this is using a lot of our event log storage. Does anyone know what is causing this? Or what this <181> is referring to?
Thank you!
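Added example (not from the original post and not nxlog's own code): a small Python checker that decodes the PRI of a BSD syslog line (181 = facility 22, local6, times 8 plus severity 5, notice) and counts forwarded events that carry a syslog header but no body, which is what the sample lines above look like. The DNS debug log fragment and the syslog lines are constructed; the assumption the example illustrates is that a line-per-event reader turns the blank line separating DNS debug log records into an event of its own.

```python
import re
from typing import NamedTuple, Optional

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

class SyslogEvent(NamedTuple):
    facility: int      # PRI // 8
    severity: int      # PRI % 8
    timestamp: str
    hostname: str
    body: str          # empty when the forwarder sent a header with no payload

# <PRI>Mmm dd hh:mm:ss HOST[ body]  (RFC 3164 layout, as to_syslog_bsd() emits it)
BSD_RE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) ?(.*)$")

def parse_bsd_syslog(line: str) -> Optional[SyslogEvent]:
    """Split one BSD syslog line into PRI parts, header fields and body; None if malformed."""
    m = BSD_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m.group(1))
    return SyslogEvent(pri // 8, pri % 8, m.group(2), m.group(3), m.group(4))

def describe_pri(pri: int) -> str:
    """Human-readable facility.severity for a PRI value, e.g. 181 -> local6.notice."""
    facility, severity = pri // 8, pri % 8
    fac_name = f"local{facility - 16}" if 16 <= facility <= 23 else str(facility)
    return f"{fac_name}.{SEVERITIES[severity]}"

def header_only_events(lines):
    """Return the parsed events whose body is empty: the noise events, not real DNS records."""
    parsed = (parse_bsd_syslog(line) for line in lines)
    return [ev for ev in parsed if ev is not None and ev.body.strip() == ""]

# Constructed samples: a Windows DNS debug log fragment (records separated by a blank
# line) and the syslog lines a reader that emits one event per line produces from it.
SAMPLE_DNS_LOG = (
    "3/19/2024 2:39:17 PM 0B2C PACKET  00000000012345A0 UDP Rcv 10.5.1.50 0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)\n"
    "\n"
    "3/19/2024 2:39:17 PM 0B2C PACKET  00000000012345A0 UDP Snd 10.5.1.50 0002 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)\n"
    "\n"
)
SAMPLE_SYSLOG = [f"<181>Mar 19 14:39:17 DC1 {body}" for body in SAMPLE_DNS_LOG.splitlines()]

if __name__ == "__main__":
    print(describe_pri(181))
    print(len(header_only_events(SAMPLE_SYSLOG)), "header-only events out of", len(SAMPLE_SYSLOG))
```

Running the same check over a capture from the SIEM side shows how much of the ingested volume is header-only and therefore safe to drop at the forwarder.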