Hello everyone,

I have been noticing some seemingly unnecessary logs being sent to our SIEM when using nxlog for Windows DNS syslog forwarding.

Here is my current configuration:


define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
Module xm_syslog

<Input in>
Module im_file
File 'C:\\Windows\\Sysnative\\dns\\dns.log'
SavePos TRUE
ReadFromLast TRUE
PollInterval 1
Exec $Message = $raw_event; $SyslogFacilityValue = 22;

<Output out1>
Module om_tcp
Port 1470
Exec to_syslog_bsd();

<Route 1>
Path in => out1

<Extension _fileop>
Module xm_fileop

Windows DNS Debug Logging Configuration:

Log packets for debugging: check
Packet direction:
Outgoing: check
Incoming: check

Transport protocol:
UDP: check
TCP: check

Packet contents:
Queries/Transfers: check
Updates: check
Notifications: not checked

Packet Type:
Request: check
Response: check

Other options:
Log unmatched incoming response packets: not checked
Details: not checked
Filter packets by IP address: not checked

File path and name: c:\windows\system32\dns\dns.log
Maximum size (bytes): 500000000

The result is that all of the necessary logs are being sent to our SIEM, but there are a bunch of unnormalized logs being sent that I do not quite understand.

Here are examples:

<181>(date/time) (System Name)
As an example, for a server named DC1 on March 19th, 14:39.
<181>Mar 19 14:39:17 DC1

A ton of these are being sent, close to 1 for each normal DNS log. As you could imagine this is using a lot of our event log storage. Does anyone know what is causing this? Or what this <181> is referring to?

Thank you!

AskedMarch 19, 2021 - 8:27pm

Answer (1)