Log Types: MSDNSServer

Overview

Microsoft Windows server operating systems can run the DNS Server service. This is a monolithic DNS server that provides many types of DNS service, including caching, Dynamic DNS update, zone transfer, and DNS notification. DNS notification implements a push mechanism for notifying a select set of secondary servers for a zone when it is updated.

Collection

The Microsoft DNS Server generates two types of log data:

  • DNS Server and DNS client messages in the normal Windows EventLog

    • These can be captured by the Snare for Windows agent in normal event collection mode

  • A text-format, append-only 'debug' level log, written by default to the directory C:\WINDOWS\system32\dns\

    • These can be captured by the Snare for Windows agent in the 'epilog' file monitoring mode.

This document provides information on the DNS debug log data.

Instructions on how to configure the Snare for Windows Epilog component can be found here:

https://support.prophecyinternational.com/s/article/How-to-configure-Epilog-for-DNS-Logs-for-Secureworks

Sample Events

4/06/2015 6:54:13 PM 0780 PACKET 0000000006AC8290 UDP Snd 169.254.253.79 4ca5 R Q [8085 A DR NOERROR] AAAA (15)MYSERVER1-TEST(5)snare(2)ia(0) (16)MYSERVER1-TESTB(5)snare(2)ia(0)

Fields

Field: Description

DATE: Event date, in the format YYYY-MM-DD

TIME: Event time, in the format HH:MM:SS

SYSTEM: The source system

TABLE: MSDNSServer

STRING: Any content in the MSDNSServer event that does not fit into the other fields is included in this field.

DNSNAME: The Microsoft DNS server uses a 'serialized' format for the DNS names that it reports in the log file.

    For example, myhost.mydomain.com would be reported as [6]myhost[8]mydomain[3]com[0]

    This field contains a 'deserialized' copy of each serialized domain found in the STRING section of the event, separated by commas, e.g. myhost.mydomain.com,myotherhost.mydomain.com
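The DNSNAME deserialization described above, as an added Python example (not Snare's own code): it finds every serialized name in a STRING value, accepting both the (n) and [n] bracket styles shown on this page, converts each to dotted form and joins them with commas. The STRING value is constructed from the sample event; its numeric prefixes do not match the anonymised label text (MYSERVER1-TEST is 14 characters, not 15), so the length check is provided as a separate function rather than enforced during deserialization.

```python
import re
from typing import List, Tuple

# Constructed from the sample event on this page: the part of the line that the
# DATE/TIME/SYSTEM fields do not consume, i.e. what lands in STRING.
SAMPLE_STRING = (
    "0780 PACKET 0000000006AC8290 UDP Snd 169.254.253.79 4ca5 R Q "
    "[8085 A DR NOERROR] AAAA (15)MYSERVER1-TEST(5)snare(2)ia(0) "
    "(16)MYSERVER1-TESTB(5)snare(2)ia(0)"
)

# One length-prefixed label, "(5)snare" or "[5]snare". Label text stops at
# whitespace or at the next bracket.
_LABEL = re.compile(r"[(\[](\d+)[)\]]([^()\[\]\s]*)")

# A whole serialized name: one or more labels followed by the zero-length
# terminator "(0)" / "[0]". The lazy quantifier stops at the first terminator,
# so two names separated by a space are matched separately. The flag block
# "[8085 A DR NOERROR]" is not matched because a space follows the digits.
_NAME = re.compile(r"(?:[(\[]\d+[)\]][^()\[\]\s]*)+?[(\[]0[)\]]")


def _labels(serialized: str) -> List[Tuple[int, str]]:
    """Split a serialized name into (declared_length, text) pairs, dropping the terminator."""
    pairs = [(int(n), t) for n, t in _LABEL.findall(serialized)]
    return [(n, t) for n, t in pairs if n != 0]


def deserialize_name(serialized: str) -> str:
    """(5)snare(2)ia(0) -> 'snare.ia'. The dotted name is built from the label
    text between the brackets; a bare terminator is the root name '.'."""
    labels = [t for _, t in _labels(serialized)]
    return ".".join(labels) if labels else "."


def label_lengths_consistent(serialized: str) -> bool:
    """True when every declared length matches its label text. A mismatch means
    the line was truncated or edited (the anonymised sample on this page fails)."""
    return all(len(t) == n for n, t in _labels(serialized))


def extract_dnsnames(string_field: str) -> str:
    """Build the DNSNAME field: every serialized name in STRING, deserialized, comma-separated."""
    return ",".join(deserialize_name(m.group(0)) for m in _NAME.finditer(string_field))


if __name__ == "__main__":
    print(extract_dnsnames(SAMPLE_STRING))  # MYSERVER1-TEST.snare.ia,MYSERVER1-TESTB.snare.ia
```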

Notes

-