Full disclosure, I am not a Windows admin nor a Windows expert.
As of Windows 2012 R2, it is supported to record DNS Analytic logs in Windows DNS server. My task is to get those logs to a remote server (preferably using NXLog), but it appears that this is not as trivial as I would have hoped.
I am however fairly new to Analytic logging in Windows and hence I might have missed an easy way to do it.
I found an article from Microsoft describing how to enable this kind of logging and another article describing the use of this in network forensics.
I am however unable to read the logs unless I disable the analytic source if I am using log rotation. If I however enable no overwriting of the log, and drop once it is full, I can read the log but I cannot clear it unless I restart the analytic source.
I understand it is an option to send this Analytic log to an Operational destination, but I have been unable to figure out how to do that. Is that possible? I am aware that there might be performance degradation once I reach above 100k QPS on the DNS server.
To sum it all up, what I want to achieve is the same as in the network forensic article linked above, one way or another. My current "solution" consists of a script stopping the source, dumping the logs to a CSV file, then starting the source again, and hence I am able to get the data. I hope however there is a more streamlined solution. Any pointers or links to articles helping me to achieve the above are appreciated.
Windows DNS analytic logging to remote destination
Tags: logging, windows-dns, windows-event-log, windows-server-2012-r2
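The stop-dump-restart workaround the question describes, written out as an added PowerShell example (not code from the question or the answer). It assumes the standard DNS Server analytic channel and ETL file names, which the question does not spell out, and uses a placeholder output folder that a file-tailing shipper such as NXLog could pick up:

```powershell
# Added example: export the DNS Server analytic ETL channel to CSV.
# Analytic channels cannot be read while enabled, so the channel is disabled,
# read with -Oldest, exported, and re-enabled in a finally block so it is
# switched back on even if the read fails.
$Channel = 'Microsoft-Windows-DNSServer/Analytical'   # assumed standard channel name
$EtlFile = Join-Path $env:SystemRoot 'System32\Winevt\Logs\Microsoft-Windows-DNSServer%4Analytical.etl'
$OutDir  = 'C:\DnsLogs'                               # placeholder: folder the log shipper watches

function Export-DnsAnalyticLog {
    param(
        [string]$Channel,
        [string]$EtlFile,
        [string]$OutDir
    )

    if (-not (Test-Path $OutDir)) {
        New-Item -ItemType Directory -Path $OutDir | Out-Null
    }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $csv   = Join-Path $OutDir "dns-analytic-$stamp.csv"

    # Stop the analytic source; /q:true suppresses any confirmation prompt.
    wevtutil sl $Channel /e:false /q:true
    if ($LASTEXITCODE -ne 0) { throw "Could not disable $Channel (exit $LASTEXITCODE)" }

    try {
        # -Oldest is mandatory when reading analytic/debug (ETL) logs.
        $events = @(Get-WinEvent -Path $EtlFile -Oldest -ErrorAction Stop)
        $events |
            Select-Object TimeCreated, Id, ProviderName, Message |
            Export-Csv -Path $csv -NoTypeInformation -Encoding UTF8
        Write-Output "Exported $($events.Count) events to $csv"
    }
    catch {
        # Get-WinEvent throws when the file holds no events; report and continue.
        Write-Warning "Read of $EtlFile failed: $_"
    }
    finally {
        # Restart the analytic source regardless of the outcome above.
        wevtutil sl $Channel /e:true /q:true
        if ($LASTEXITCODE -ne 0) { Write-Warning "Re-enabling $Channel failed (exit $LASTEXITCODE)" }
    }
}

Export-DnsAnalyticLog -Channel $Channel -EtlFile $EtlFile -OutDir $OutDir
```

Each run leaves a gap in collection for as long as the channel is disabled, and a busy resolver (the question mentions over 100k QPS) can fill the ETL file between runs, so the interval should be chosen against the log's maximum size.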
Best Answer
I agree that reading the ETL channel to get DNS logs would be the best solution, but only if they would continuously be written and accessible; however, that is not the case, as you mentioned. Therefore I can propose several solutions to collect Windows DNS server logs: