This article describes how to install NXLog on a Windows DNS server and use it to forward the DNS audit log to the forwarder.
Prerequisites
Download and install NXLog Community Edition on the Windows DNS server from https://nxlog.co/products/nxlog-community-edition.
Configuring Windows DNS logging
- Type eventvwr.msc at an elevated command prompt and press ENTER to open Event Viewer.
- In Event Viewer, navigate to Applications and Services Logs > Microsoft > Windows > DNS-Server.
- Expand DNS-Server.
- Right-click Audit, and then click Properties.
- Select the Enable logging checkbox and click OK at the confirmation prompt.
- Click OK.
Once NXLog Community Edition is installed, copy the following configuration into the nxlog.conf file.
=================================
Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files\nxlog
# Replace FORWARDER_IP with the IP address of the forwarder that receives the logs
define WINDNS_OUTPUT_DESTINATION_ADDRESS FORWARDER_IP
define WINDNS_OUTPUT_DESTINATION_PORT 11518
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data

include %CONFDIR%\\*.conf

define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _json>
    Module xm_json
</Extension>

# Read the DNS Server audit channel from the Windows Event Log
<Input winDNS_eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Microsoft-Windows-DNSServer/Audit">
                <Select Path="Microsoft-Windows-DNSServer/Audit">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    ReadFromLast TRUE
    SavePos TRUE
</Input>

# Send each event as one JSON line over TCP to the forwarder
<Output out_chronicle_windns>
    Module om_tcp
    Host %WINDNS_OUTPUT_DESTINATION_ADDRESS%
    Port %WINDNS_OUTPUT_DESTINATION_PORT%
    # integer() yields microseconds since the epoch; divide by 1000 for milliseconds
    Exec $EventTime = integer($EventTime) / 1000;
    Exec $EventReceivedTime = integer($EventReceivedTime) / 1000;
    Exec to_json();
</Output>

<Route r2>
    Path winDNS_eventlog => out_chronicle_windns
</Route>
=================================
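The output block above sends one JSON object per line (om_tcp's default line-based output) and rewrites the two timestamp fields from NXLog's microsecond integers to milliseconds. The following script is an added example, not part of the article or of NXLog, that shows what the forwarder side receives: it splits a raw TCP payload into JSON lines, rejects records whose timestamps are not plausible millisecond values (the symptom of a missing "/ 1000"), keeps an incomplete trailing line for the next read, and adds ISO-8601 fields for readability. The field names Channel, Hostname and EventID are standard im_msvistalog fields; the sample records themselves are constructed, not captured from a real server.

```python
"""Forwarder-side sanity check for newline-delimited JSON emitted by the NXLog config above."""
import json
from datetime import datetime, timezone

# Plausible bounds for a millisecond epoch timestamp: 2001-01-01 .. 2100-01-01 UTC.
# A microsecond value (the "/ 1000" Exec lines missing) is ~1000x larger and fails this check.
MS_MIN = 978_307_200_000
MS_MAX = 4_102_444_800_000
EXPECTED_CHANNEL = "Microsoft-Windows-DNSServer/Audit"


def parse_record(line: str) -> dict:
    """Parse one JSON line as produced by out_chronicle_windns and validate it."""
    rec = json.loads(line)
    if rec.get("Channel") != EXPECTED_CHANNEL:
        raise ValueError(f"unexpected Channel {rec.get('Channel')!r}")
    for key in ("EventTime", "EventReceivedTime"):
        value = rec.get(key)
        if not isinstance(value, int) or isinstance(value, bool):
            raise ValueError(f"{key} missing or not an integer: {value!r}")
        if not MS_MIN <= value <= MS_MAX:
            raise ValueError(f"{key}={value} is not milliseconds since the epoch")
        # Add a human-readable UTC timestamp next to the numeric one.
        rec[key + "Iso"] = datetime.fromtimestamp(value / 1000, tz=timezone.utc).isoformat()
    return rec


def process_stream(data: bytes):
    """Split a raw TCP payload into lines and parse each one.

    Returns (records, errors, leftover); `leftover` is an incomplete trailing
    line that the caller should prepend to the next chunk read from the socket.
    """
    records, errors = [], []
    *lines, leftover = data.decode("utf-8").split("\n")
    for line in lines:
        if not line.strip():
            continue
        try:
            records.append(parse_record(line))
        except ValueError as exc:
            errors.append(str(exc))
    return records, errors, leftover


# Constructed sample payload (hypothetical host dns01.example.test): two well-formed
# records, one record still carrying microsecond timestamps, and a partial last line.
SAMPLE_STREAM = (
    b'{"EventTime":1709294400000,"EventReceivedTime":1709294400250,"Hostname":"dns01.example.test",'
    b'"Channel":"Microsoft-Windows-DNSServer/Audit","EventID":515,"SourceName":"Microsoft-Windows-DNSServer"}\n'
    b'{"EventTime":1709294401000,"EventReceivedTime":1709294401500,"Hostname":"dns01.example.test",'
    b'"Channel":"Microsoft-Windows-DNSServer/Audit","EventID":516,"SourceName":"Microsoft-Windows-DNSServer"}\n'
    b'{"EventTime":1709294402000000,"EventReceivedTime":1709294402300000,"Hostname":"dns01.example.test",'
    b'"Channel":"Microsoft-Windows-DNSServer/Audit","EventID":515,"SourceName":"Microsoft-Windows-DNSServer"}\n'
    b'{"EventTime":17092944'
)

if __name__ == "__main__":
    recs, errs, rest = process_stream(SAMPLE_STREAM)
    for r in recs:
        print(r["EventTimeIso"], r["Hostname"], r["EventID"])
    for e in errs:
        print("REJECTED:", e)
    print("buffered partial line:", rest)
```

If the third record's error appears for every event, the two Exec lines in the output block were dropped or mistyped; if records are parsed but the Channel check fails, the input block is reading the wrong event log path.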
Add the following collector entry to the forwarder configuration file:
- syslog:
    common:
      enabled: true
      data_type: WINDOWS_DNS
      data_hint:
      batch_n_seconds: 10
      batch_n_bytes: 1048576
    tcp_address: 0.0.0.0:11518
    udp_address: 0.0.0.0:11518