Due to send DNS logs


How do I send DNS creation and deletion logs to Graylog? I use nxlog on a Windows Server 2025 server. The server logs appear, but not the DNS logs. I need EventIDs 515, 516, 517, and 518. If I run the command in PowerShell, it gives me the results, but I don’t know how to put them in Graylog.

I use nxlog CE.

Example of a command run in PowerShell to display the event ID 516 logs:

Get-WinEvent -LogName "Microsoft-Windows-DNSServer/Audit" -FilterXPath "*[System[(EventID=516)]]" | Where-Object {$_.Message -notmatch "dynamic update"} | Select-Object TimeCreated, Id, @{Name='User';Expression={$_.Properties[1].Value}}, Message

Hello @yumibad86

Assuming auditing is enabled for those events, then it seems the etw module within NXLOG is what is required.

This tutorial is only for nxlog enterprise, right? It doesn’t work for the Community Edition?

Did you try to use im_etw with the Community Edition? It doesn’t work? Because sometimes the NXLog documentation says it’s only for Enterprise edition but sometimes it’s not indicated.

Did you also try to collect this channel with im_msvistalog?

If it’s not possible in NXLog Community Edition, maybe you can try to look with a Beat agent.
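
The im_msvistalog suggestion above, sketched as an nxlog.conf fragment (an added example, not posted by anyone in this thread). It assumes the Microsoft-Windows-DNSServer/Audit channel is readable by im_msvistalog on this server and that Graylog has a GELF UDP input listening; the host `graylog.example.com`, port 12201 and the instance names are placeholders.

```conf
# GELF formatting for Graylog (xm_gelf provides the GELF_UDP output type)
<Extension gelf>
    Module      xm_gelf
</Extension>

# Read only the DNS audit events asked for in the question: 515, 516, 517, 518
<Input dns_audit>
    Module      im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-DNSServer/Audit">*[System[(EventID=515 or EventID=516 or EventID=517 or EventID=518)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Same filter as the PowerShell Where-Object: skip dynamic-update records
    Exec        if $Message =~ /dynamic update/i drop();
</Input>

# Placeholder Graylog GELF UDP input (assumption: adjust host and port)
<Output graylog_gelf>
    Module      om_udp
    Host        graylog.example.com
    Port        12201
    OutputType  GELF_UDP
</Output>

<Route dns_audit_to_graylog>
    Path        dns_audit => graylog_gelf
</Route>
```

If the server already ships other event logs through an existing im_msvistalog input, keep this as a separate input and route so the DNS audit query does not replace the existing one.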
