1. Describe your incident:
I would like to ingest the Windows Server DNS Analytics & Debug log without the im_msvistalog module, which does not give the result I want (even if the logs are parsed, they are not ingested in real time).
I want to use:
- the im_file module
- a PowerShell script module that parses the log automatically
2. OS & Package Information:
- Rocky Linux 9
- docker compose 2.18.1
- Graylog 5.1.2
- traefik 2.10.1
- mongodb 6.0.6
- elasticsearch 7.10.2
- Windows Server DNS
- nxlog latest
- sidecar latest
3. What steps have you already taken to try and solve the problem?
First step - without any parsing
I have enabled Analytics Logs with an alternative way than Event Viewer.
I am already ingesting DNS Analytics logs without parsing with the im_file module:
<Input dns_analytics>
Module im_file
File "C:\Windows\Logs\DNS\srvad1_dns.log"
</Input>
[....]
<Route route-2>
Path dns_analytics => gelf
</Route>
Graylog displays the raw logs:
Second step - trying to parse
Then I found a PowerShell script written by a Microsoft employee that parses the DNS Debug Log automatically: winposh/Get-DNSDebugLog.ps1 at main · maxbakhub/winposh · GitHub
- If you execute the PS script and choose to export to CSV, it looks like this:
"DateTime","Query/Response","Client","SendReceive","Protocol","RecordType","Query"
"06/07/2023 09:11:03","Query","192.168.1.106","Rcv","UDP","A","www.google.com."
"06/07/2023 09:11:03","Query","192.168.1.106","Rcv","UDP","65","www.google.com."
"06/07/2023 09:11:03","Response","192.168.1.106","Snd","UDP","A","www.google.com."
"06/07/2023 09:11:03","Query","208.67.222.222","Snd","UDP","65","www.google.com."
"06/07/2023 09:11:03","Response","208.67.222.222","Rcv","UDP","65","www.google.com."
"06/07/2023 09:11:03","Response","192.168.1.106","Snd","UDP","65","www.google.com."
- If you execute the PS script and choose to convert the result to JSON format:
Get-DNSDebugLog -DNSLog "C:\Windows\Logs\DNS\srvad1_dns.log" | ConvertTo-Json -Compress | Write-Output
It will look like this:
[{"DateTime":{"value":"\/Date(1688641405000)\/","DateTime":"jeudi 6 juillet 2023 13:03:25"},"Query/Response":"Query","Client":{"Address":xxxxxxxxxx,"AddressFamily":2,"ScopeId":null,"IsIPv6Multicast":false,"IsIPv6LinkLocal":false,"IsIPv6SiteLocal":false,"IsIPv6Teredo":false,"IsIPv4MappedToIPv6":false,"IPAddressToString":"192.168.1.1"},"SendReceive":"Rcv","Protocol":"UDP","RecordType":"A","Query":"www.google.com."}
I tried adding a sidecar:
<Input powershell_analytic_dns>
Module im_exec
Command "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Arg -File
Arg %CONFDIR%\Get-DNSDebugLog.ps1
<Exec>
# Parse JSON
parse_json();
</Exec>
</Input>
<Route route-3>
Path powershell_analytic_dns => gelf
</Route>
And Graylog displays the full log file content in JSON format without parsing it.
4. How can the community help?
The PowerShell script gets the full log file content in the same message, and it seems the parse_json(); does not succeed in getting the data and formatting it correctly.
Do I need to adapt the PowerShell code to read the lines instead of getting the file content, to suit NXLog's parameters, or am I going in the wrong direction, or is this thread out of the scope of Graylog?
Thank you!
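The failure mode described in the post (the whole file arriving as one JSON array, so parse_json() cannot split it into records) is what a line-based im_exec input sees when a script prints a single document. Below is an added example, not code from the post or from maxbakhub/winposh: a wrapper script that emits one compact JSON object per DNS record (NDJSON), so each output line becomes one event that parse_json() can flatten into fields. It assumes Get-DNSDebugLog.ps1 defines a function named Get-DNSDebugLog (as the call shown in the post suggests), that it sits in the same directory as the wrapper, and that its records carry the properties shown in the CSV header above.

```powershell
# Wrapper for NXLog im_exec: one JSON line per DNS record (NDJSON).
# Assumptions: Get-DNSDebugLog.ps1 is in the same folder as this file
# and defines the function Get-DNSDebugLog returning objects with the
# properties DateTime, Query/Response, Client, SendReceive, Protocol,
# RecordType and Query (the CSV columns shown in the post).
param(
    [string]$DNSLog = 'C:\Windows\Logs\DNS\srvad1_dns.log'
)

# Load the parser from the wrapper's own directory (NXLog's %CONFDIR%).
. (Join-Path $PSScriptRoot 'Get-DNSDebugLog.ps1')

Get-DNSDebugLog -DNSLog $DNSLog | ForEach-Object {
    # Client is an [IPAddress] when the script is run from PowerShell
    # (hence the nested object in the post's JSON); reduce it to a string
    # so Graylog gets a flat client_ip field instead of a sub-document.
    $clientIp = if ($_.Client -is [System.Net.IPAddress]) {
        $_.Client.IPAddressToString
    } else {
        [string]$_.Client
    }

    # ConvertTo-Json serialises [datetime] as "\/Date(...)\/"; emit ISO 8601
    # in UTC instead so the timestamp is unambiguous regardless of locale.
    $record = [ordered]@{
        timestamp      = ([datetime]$_.DateTime).ToUniversalTime().ToString('o')
        query_response = $_.'Query/Response'
        client_ip      = $clientIp
        direction      = $_.SendReceive      # Rcv / Snd
        protocol       = $_.Protocol         # UDP / TCP
        record_type    = [string]$_.RecordType
        query_name     = $_.Query
    }

    # -Compress keeps the whole object on a single line; Write-Output
    # terminates it with a newline, which is the record boundary that
    # im_exec's default line-based input uses before running parse_json().
    Write-Output (ConvertTo-Json -InputObject $record -Compress)
}
```

Because the parser reads the file to its end and exits, im_exec will restart the wrapper when it terminates; a Restart directive plus a mechanism to skip already-seen records (or tailing the file instead) is needed before this is suitable for continuous ingestion.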