0


Full disclosure, I am not a Windows admin and neither a Windows expert. As of Windows 2012 r2, it is supported to record DNS Analytic logs in Windows DNS server. My task is to get those logs to a remote server (preferbly using NXLog), but it appears that this is not as trivial as I would have hoped. I am however failry new to Analytic logging in windows and hence I might have missed an easy way to do it.
I found an article from Microsoft describing how to enable this kind of logging and another article describing the use of this in network forensics. I am however unable to read the logs unless I disable the analytic source if I am using log rotation. If I however enable no overwriting of the log, and drop once its full, I can read the log but I cannot clear it unless I restart the analytic source.
I understand it is an option to send this Analytic log to an Operational destination, but I have been unable to figure out how to do that. Is that possible? I am aware that ther emight performance degradation, once I reach above 100k QPS on the DNS server.
So sum it all up, what i want to achive is the same as in the network forensic article linked above, one way or another. My current "solution" consists of a script stopping the source, dumping hte logs to a csv file, then starting the source again and hence I am able to get the data. I hope however there are a more streamlined solution. Any pointers of links to articles helping me to achive the above is appreciated.

xeet
  • 300
  • 2
  • 7

2 Answers2

2

I agree that reading ETL channel to get DNS logs would be the best solution, but only if they would continously be written and accessible - however it's not the case as you mentionned-. Therefore I can propose you several solutions to collect Windows DNS server logs:

  • [BUILTIN]: enable Windows Server DNS logging. Logs will be saved into a text file that can be read by NXLog. This solution is the easiest one. However it has no file rotation and we still need to parse the txt file

DNS log

  • [NXLOG]: use NXLog to read the analytical logs (*.ETL). This feature is provided by NXLog (source) and comes inside the module "im_msvistalog"
  • [POWERHSELL]: I found a script (source) that can read ETL channel and write it into a standard channel (EVTX file). Up to you then to read and forward logs using WEF or NXLog (if previous point doesn't work)
  • [ETW WRAPPER]: Microsoft provides its own ETW wrapper in "O365.Security.Native.ETW" (source) but seems to me that it's complicated to implement
  • [CUSTOM VENDOR]: some vendors like EventTracker or Splunk implement their own solutions and script to grab DNS logs. Maybe it would be interesting to look how they are managing it. I found that Splunk Stream can address this problem with an integrated script (source)

To finish, I can suggest you to read PDF documents from EventTracker (source) and Netwrix (source) which were very helpfull to me to fully collect all DNS relevant logs.

To conclude, I can also provide you this table that I have made in order to better understand where DNS logs are beeing collected on Windows.

DNS logs compare

Michel de Crevoisier
  • 541
  • 2
  • 8
  • Note that all solutions I've seen so far for ETW log collection (including the above mentioned Splunk app and EventTracker) seem to use some form of scripted hack by storing it locally in .etl (captured by logman) and then parsing it. ETW is itself is higher overhead than plain text dns.log. Storing it locally and parsing it again adds a lot more to this. Anyone doing that on a DNS server handling a lot of queries should think twice. – b0ti Sep 21 '17 at 10:59
  • Also note that `im_msvistalog` in NXLog cannot read Analytic/Debug channels (i.e. ETW) but `im_etw` can and this was designed to capture ETW logs efficiently without resorting to saving `.etl` files, powershell scripts and other baggage. – b0ti Sep 21 '17 at 11:03
1

I think we have discussed this on reddit so I'm just placing here the link for further reference.

b0ti
  • 986
  • 1
  • 6
  • 13