This version requires Graylog 3.1 minimum, check tags for previous versions.
(Tested with Filebeats/Windows 2016 R2/Graylog 3.1)
Note this was built using filebeats as the log exporter. It is possible to use your own input with nxlog or alternatives but will require manually importing the extractors_standalone.json to the input.
Newer versions of nxLog with Gelf 1.1 support require an additional parameter for the gelf module “ShortMessageLength -1”
- Input (TCP_WindDNS_1555 - Beats/TCP/1555) w/ Extractors (WinDNS_Debug_Log, WinDNS_Name)
- GROK Patterns (prefixed with WINDNS to avoid override)
- Dashboards (DNS requests (24h), DNS requests (7d))
- Graylog 3.1
- Windows DNS server configured for “Log packets for debugging” & “Packet direction: Incoming”
- A log exporter/collector such as nxlog or filebeats monitoring the log file path specified in dns debug (e.g. c:\temp\dns_log.txt)
- Create a dynamic ES template to force the ThreadID field type to “keyword”, otherwise ES may dynamically map the field type as INT which would cause indexing errors later on when an alphanumeric ThreadID comes around.