Sending DNS logs to Log Server

[rferebee]

Good morning,

Due to the recent Sunburst vulnerability, we'd like to enable DNS logging in our Log Server environment and pull logs from 7 different NS's. I don't think this is something we've ever done in the past and I'm not sure where to start. I'm thinking an adjustment needs to be made to the NSLog config file on the DNS hosts and perhaps a custom filter created in the Log Server console. I cannot find anything in the Nagios KB or in the forums.

I have attached our current NSLog config file (redacted).

Could someone please assist me? Thank you!

[cdienger]

I assume the DNS servers are Windows servers. Are the events you want to import in event viewer or log files? https://nxlog.co/documentation/nxlog-us ... server.htm covers collecting logs via debug logging(log files) and event viewer:

https://nxlog.co/documentation/nxlog-us ... ed_logging
https://nxlog.co/documentation/nxlog-us ... msvistalog

[rferebee]

I think their site must be down. I cannot get to those guides at all.

In any event, thank you Craig.

[cdienger]

No problem. I just tested the links again and after fixing the typo in the first link(https://nxlog.co/documentation/nxlog-us ... erver.html), they all appear to be up and accessible.

[rferebee]

Good morning, it appears the nxlog.co site is back up.

Two very helpful links you provided, thank you again.

I do have some questions though. We're only using the CE version of NXlog, which does not include the xm_msdns module. But, it looks like we can use the im_file module with multiline since we're collecting detailed DNS logs. I'm unsure if I've properly setup my .CONF file with the entries suggested in this KB: https://nxlog.co/documentation/nxlog-us ... g-detailed

Can you take a look at my "new" .CONF compared to my old one to see if I'm setting it up correctly?

Thank you.

[ssax]

That looks good, it's working from mine with your configs, the only things I changed was changing the nagioslogserver name to an IP since I don't have a DNS record for it AND my DNS log file path is different.

[rferebee]

Awesome! Thank you Sean. I'll let you know how my testing goes.

[ssax]

Actually, I changed this code as well:

Code: Select all

<Route 1>
    Path internal, file1, eventlog => out
</Route>

This:

Code: Select all

<Route 1>
    Path internal, file1, eventlog, in => out
</Route>

[rferebee]

Is there someone who can help me in greater capacity? I can open a ticket if need be.

I have not been able to get this working the way we need it. I think it may have to do with the header information coming through from the DNS logs were attempting to collect.

[ssax]

Are you seeing the DNS logs coming into Log Server? If not, uncomment this line:

Code: Select all

# Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");

Then restart nxlog, wait for some DNS logs to come through, and then attach the nxlog_output.log file from the windows system so we can review it.

Disable that change after so it doesn't fill up your hard drive.

If you are seeing them in the Log Server interface but they are not parse properly, please PM me a fresh copy of your LS Profile.

You can either do that here or in a ticket you create, it's up to you.