Windows DNS Analytics log with NXLOGS and Powershell script parser

1. Describe your incident:

I would like to ingest the Windows Server DNS Analytics & Debug log without the im_msvistalog module, which does not give the result I want (even if the logs are parsed, they are not ingested in real time).

I want to use:

im_file module
powershell script module that is parsing the log automatically

2. OS & Package Information:

  • Rocky Linux 9
  • docker compose 2.18.1
  • Graylog 5.1.2
  • traefik 2.10.1
  • mongodb 6.0.6
  • elasticsearch 7.10.2
  • Windows Server DNS
  • nxlog latest
  • sidecar latest

3. What steps have you already taken to try and solve the problem?

First step - without any parsing

I have enabled Analytics Logs in an alternative way to Event Viewer.


I am already ingesting DNS Analytics logs without parsing with the im_file module:

<Input dns_analytics>
    Module      im_file
    File        "C:\Windows\Logs\DNS\srvad1_dns.log"
</Input>

[....]

<Route route-2>
  Path dns_analytics => gelf
</Route>

Graylog displays the raw logs:

Second step - trying to parse

Then I found a PowerShell script written by a Microsoft employee that parses the DNS Debug Log automatically: winposh/Get-DNSDebugLog.ps1 at main · maxbakhub/winposh · GitHub

  • If you execute the PS script and choose to export to CSV, it looks like this:

"DateTime","Query/Response","Client","SendReceive","Protocol","RecordType","Query"
"06/07/2023 09:11:03","Query","192.168.1.106","Rcv","UDP","A","www.google.com."
"06/07/2023 09:11:03","Query","192.168.1.106","Rcv","UDP","65","www.google.com."
"06/07/2023 09:11:03","Response","192.168.1.106","Snd","UDP","A","www.google.com."
"06/07/2023 09:11:03","Query","208.67.222.222","Snd","UDP","65","www.google.com."
"06/07/2023 09:11:03","Response","208.67.222.222","Rcv","UDP","65","www.google.com."
"06/07/2023 09:11:03","Response","192.168.1.106","Snd","UDP","65","www.google.com."

  • If you execute the PS script and choose to convert the result to JSON format:

Get-DNSDebugLog -DNSLog "C:\Windows\Logs\DNS\srvad1_dns.log" | ConvertTo-Json -Compress | Write-Output

It will look like this:

[{"DateTime":{"value":"\/Date(1688641405000)\/","DateTime":"jeudi 6 juillet 2023 13:03:25"},"Query/Response":"Query","Client":{"Address":xxxxxxxxxx,"AddressFamily":2,"ScopeId":null,"IsIPv6Multicast":false,"IsIPv6LinkLocal":false,"IsIPv6SiteLocal":false,"IsIPv6Teredo":false,"IsIPv4MappedToIPv6":false,"IPAddressToString":"192.168.1.1"},"SendReceive":"Rcv","Protocol":"UDP","RecordType":"A","Query":"www.google.com."}

I tried adding a sidecar input:

<Input powershell_analytic_dns>
    Module  im_exec
    Command "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    Arg     -File 
    Arg     %CONFDIR%\Get-DNSDebugLog.ps1
    <Exec>
        # Parse JSON
        parse_json();
    </Exec>
</Input>


<Route route-3>
  Path powershell_analytic_dns => gelf
</Route>

And Graylog displays the full log file content in JSON format without parsing it.

4. How can the community help?

The PowerShell script gets the full log file content in the same message, and it seems the parse_json(); does not succeed in getting the data and formatting it correctly.

Do I need to adapt the PowerShell code to read the lines instead of getting the file content, to suit NXLog's parameters? Or am I going in the wrong direction, or is this thread out of the scope of Graylog?

Thank you !
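The question above asks whether the script should read lines instead of the whole file. The following is an added example, not the Get-DNSDebugLog.ps1 script from the thread nor anything from NXLog or Graylog: a PowerShell script that tails the DNS debug log and writes one compact JSON object per packet line to stdout, which is the shape im_exec plus parse_json() expects (one event per line, flat string fields instead of the nested DateTime and Client objects shown in the JSON dump above). It assumes the classic Windows DNS debug log packet layout reproduced in the constructed $sampleLines, and that the date/time text is written in the DNS server's own culture, so it is meant to run on that server. When started without -Path it parses the constructed sample lines so it can be tried stand-alone.

```powershell
# Added example (not the thread's Get-DNSDebugLog.ps1): stream a Windows DNS debug
# log and emit ONE compact JSON object per packet line for an NXLog im_exec input.
# Assumed line layout (constructed samples below):
#   date time thread PACKET packet-id proto Snd/Rcv client xid [R] opcode [flags-hex flags-char rcode] type name
param(
    [string]$Path,        # DNS debug log; when omitted, the constructed sample lines are parsed
    [switch]$FromStart    # replay the whole file instead of tailing only newly written lines
)

# Constructed sample lines in the assumed Windows DNS debug log packet format.
$sampleLines = @(
    '6/7/2023 9:11:03 AM 0B48 PACKET  000000BD7A2D3E80 UDP Rcv 192.168.1.106   0002   Q [0001   D   NOERROR] A      (3)www(6)google(3)com(0)',
    '6/7/2023 9:11:03 AM 0B48 PACKET  000000BD7A2D3E80 UDP Snd 208.67.222.222  0002   Q [0001   D   NOERROR] A      (3)www(6)google(3)com(0)',
    '6/7/2023 9:11:03 AM 0B48 PACKET  000000BD7A2D3E80 UDP Rcv 208.67.222.222  0002 R Q [8081   DR  NOERROR] A      (3)www(6)google(3)com(0)',
    '6/7/2023 9:11:04 AM 0B48 PACKET  000000BD7A2D3E80 UDP Snd 192.168.1.106   0003 R Q [8081   DR  NXDOMAIN] A      (3)bad(7)example(3)com(0)',
    'This is a header or detail-dump line and is skipped'
)

# One regex for the packet line; named groups map to the output fields.
$pattern = '^(?<date>\S+ \S+(?: [AP]M)?) (?<thread>[0-9A-Fa-f]{3,4}) PACKET\s+(?<packet>[0-9A-Fa-f]{8,16}) ' +
           '(?<proto>UDP|TCP) (?<dir>Snd|Rcv) (?<client>\S+)\s+(?<xid>[0-9A-Fa-f]{4})\s+(?<qr>R?)\s+(?<opcode>\S) ' +
           '\[(?<flagshex>[0-9A-Fa-f]{4})\s+(?<flagschar>[A-Z ]*?)\s+(?<rcode>[A-Z]+)\]\s+(?<rtype>\S+)\s+(?<qname>\S+)\s*$'

function ConvertFrom-DnsDebugLine {
    param([string]$Line)
    $m = [regex]::Match($Line, $pattern)
    if (-not $m.Success) { return $null }   # banner, blank and detail-dump lines produce no event

    # "(3)www(6)google(3)com(0)" -> "www.google.com." (same form as the CSV output in the thread)
    $name = ($m.Groups['qname'].Value -replace '\(\d+\)', '.').TrimStart('.')
    if ($name -eq '') { $name = '.' }       # a query for the root zone collapses to "."

    # Normalise the timestamp to ISO-8601 text; current culture is assumed to match the log writer.
    try   { $ts = ([datetime]::Parse($m.Groups['date'].Value)).ToString('yyyy-MM-ddTHH:mm:ss') }
    catch { $ts = $m.Groups['date'].Value } # keep the raw text rather than drop the event

    $qr = if ($m.Groups['qr'].Value -eq 'R') { 'Response' } else { 'Query' }

    # Flat string fields only, so parse_json() in NXLog yields simple Graylog fields.
    [PSCustomObject][ordered]@{
        DateTime      = $ts
        QueryResponse = $qr
        Client        = $m.Groups['client'].Value
        SendReceive   = $m.Groups['dir'].Value
        Protocol      = $m.Groups['proto'].Value
        TransactionId = $m.Groups['xid'].Value
        Flags         = $m.Groups['flagschar'].Value
        ResponseCode  = $m.Groups['rcode'].Value
        RecordType    = $m.Groups['rtype'].Value
        Query         = $name
    }
}

# Emit each parsed record as a single JSON line (ConvertTo-Json -Compress never wraps).
filter Out-DnsJsonLine {
    $rec = ConvertFrom-DnsDebugLine -Line $_
    if ($rec) { $rec | ConvertTo-Json -Compress }
}

if ($Path) {
    $readArgs = @{ Path = $Path; Wait = $true }
    if (-not $FromStart) { $readArgs['Tail'] = 0 }   # only lines written after the script starts
    Get-Content @readArgs | Out-DnsJsonLine
} else {
    $sampleLines | Out-DnsJsonLine
}
```

To use it with the im_exec input from the question, point the `-File` argument at this script and add `Arg -Path` followed by `Arg "C:\Windows\Logs\DNS\srvad1_dns.log"` (the log path from the thread); parse_json() then runs against one object per line instead of one array holding the whole file. Because the DNS server recreates the debug log when it reaches its size limit and Get-Content -Wait does not survive that, set `Restart TRUE` on the im_exec input so NXLog relaunches the script when it exits.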

I changed my method of ingest and I’ve followed this method:

And it works like a charm !
