Microsoft Windows DNS Server Content Pack

The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

Microsoft Windows DNS Server is the DNS server role built into Windows Server. This technology pack processes Windows DNS Server Analytic (ETW) and Audit event logs, providing normalization and enrichment of DNS query, response, and administrative events.

Supported Versions

  • Windows Server 2016 or later

  • Filebeat 8.13.0-8.19.x

Requirements

  • Graylog 6.1.0+ with a valid Enterprise license

  • Windows Server 2016 or later with the DNS Server role installed

  • DNS Analytic and/or Audit logging enabled on the DNS server

  • Filebeat 8.13.0-8.19.x installed on the DNS server host

Log Collection and Delivery

DNS Server logs are collected via Filebeat running on the DNS server host and delivered to a Graylog Beats input.

Analytic Log Collection (ETW)

DNS Analytic logs capture every DNS query and response in real time via the Event Tracing for Windows (ETW) provider.

  1. Enable DNS Analytic logging on the DNS server: dnscmd /config /logLevel 0x8100F331 or via DNS Manager -> Debug Logging.

  2. Configure Filebeat with an ETW input targeting the Microsoft-Windows-DNSServer provider. The session_name must be set to DNSServer-Analytical.

  3. Deliver events to your Graylog Beats input.

Audit Log Collection (Winlog)

DNS Audit logs capture administrative changes such as zone creation, record modifications, and server configuration changes.

  1. DNS Audit logging is enabled by default on Windows Server 2012 R2 and later.

  2. Configure Filebeat with a Winlog input for the channel Microsoft-Windows-DNSServer/Audit.

  3. Deliver events to your Graylog Beats input.

Stream Configuration

This technology pack includes 1 stream:

  • "Illuminate:Windows DNS Server Event Messages"

Hint: If this stream does not exist prior to the activation of this pack then it is created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.

Index Set Configuration

This technology pack includes 1 index set definition:

  • "Windows DNS Server Event Messages"

Hint: If this index set is already defined, then nothing is changed. If this index set does not exist, then it is created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

What is Provided

  • Parsing rules to extract Windows DNS Server Analytic and Audit logs into Graylog schema compatible fields

  • GIM event type code assignment for all supported message types

  • Domain element extraction (SLD, TLD) from queried FQDNs

  • Windows DNS Server Spotlight content pack

Events Processed by This Technology Pack

The content pack processes events from two Windows DNS Server log sources.

  • Analytic events (Event IDs 256-280): DNS queries, responses, recursive lookups, zone transfers, and dynamic updates captured via ETW

  • Audit events (Event IDs 512-582): Administrative changes including zone create/delete/update, record modifications, DNSSEC operations, server configuration changes, and policy operations

GIM Categorization

GIM categorization is provided for the following messages:

Event IDs Log Type gim_event_type_code gim_event_class gim_event_category gim_event_subcategory gim_event_type
256, 259, 260, 261, 279, 280 Analytic 140000 protocol name resolution name resolution.dns request dns query
257 Analytic 140200 protocol name resolution name resolution.dns answer dns response
258, 271 Analytic 140200 + 140300 protocol name resolution name resolution.dns answer + name resolution.error dns response + dns error
263 Analytic 140000 + 140500 protocol name resolution name resolution.dns request + name resolution.ddns update dns query + ddns update
264 Analytic 140200 + 140500 protocol name resolution name resolution.dns answer + name resolution.ddns update dns response + ddns update
519, 520 Audit 140500 protocol name resolution name resolution.ddns update ddns update
265-276 Analytic 149999 protocol name resolution name resolution.default dns message (zone transfer)
512-518, 522-523, 559-566 (ZONE_OP) Audit 211000 endpoint service service.configuration service configuration change
521, 552, 567 (AGEING) Audit 211000 endpoint service service.configuration service configuration change
525-535 (OnlineSigning, DNSSEC_OP) Audit 211000 endpoint service service.configuration service configuration change
536 (CACHE_OP) Audit 211000 endpoint service service.configuration service configuration change
537, 540-548 (Configuration, SERVER_OP) Audit 211000 endpoint service service.configuration service configuration change
549-558, 568-576 (SERVER_OP, VIRTUALIZATION_OP) Audit 211000 endpoint service service.configuration service configuration change
577-582 (POLICY_OP) Audit 211000 endpoint service service.configuration service configuration change

Fields Extracted by This Pack

Fields extracted vary by log type. Analytic events provide DNS query and response details; Audit events provide administrative action details.

Analytic Event Fields

Fields extracted from DNS Analytic (ETW) events (Event IDs 256-280).

Field Name Example Value Field Type Description
destination_ip 192.168.1.1 string Destination IP address extracted from the DNS event
destination_port 53 long Destination port number
destination_reference 192.168.1.1 string Destination reference (IP or hostname)
event_code 257 long Windows event ID
event_created 2025-03-13T09:48:40.620Z string Timestamp the event was created
event_outcome success string Outcome of the DNS query/response: success or failure
event_reporter WIN-DNSSERVER01 string Hostname of the Filebeat agent reporting the event
event_reporter_hostname WIN-DNSSERVER01 string FQDN or hostname of the reporting agent
event_reporter_ip 192.168.1.10 string IP address of the reporting agent
event_source WIN-DNSSERVER01 string Source host for the event
event_source_product windows_dns_server string Illuminate source product identifier
gim_event_category name resolution array GIM event category
gim_event_class protocol array GIM event class
gim_event_subcategory name resolution.dns request array GIM event subcategory
gim_event_type dns query array GIM event type
gim_event_type_code 140000 array GIM event type code(s)
network_bytes 143 long Size of the DNS packet in bytes
network_protocol dns string Network protocol (always dns)
network_transport udp string Transport protocol: tcp or udp
policy_name NULL string DNS policy name applied to the query (if any)
query_record_type A string DNS record type name (e.g. A, AAAA, MX, TXT)
query_record_type_code 1 string DNS record type code (QTYPE)
query_request www.example.com string Queried FQDN (trailing dot removed)
query_response undefined string DNS response content
query_result NOERROR string DNS RCODE name (e.g. NOERROR, NXDOMAIN, SERVFAIL)
query_result_code 0 string DNS RCODE numeric value
source_ip 192.168.1.50 string Source IP address of the DNS client
source_port 52341 long Source port of the DNS client
source_reference 192.168.1.50 string Source reference (IP or hostname)
vendor_data_elapsed_time 0 long Elapsed time for the query in milliseconds
vendor_data_flags 10240 string Raw DNS flags field value
vendor_data_forward_interface_ip 10.0.0.1 string IP of the forwarding interface (if applicable)
vendor_data_header_flags [] array Decoded DNS header flags (AA, AD, RD, TC)
vendor_data_interface_ip 192.168.1.10 string DNS server interface IP that received the query
vendor_data_packet_data 0x... string Hex-encoded raw DNS packet data
vendor_data_xid 62807 string DNS transaction ID
vendor_data_zone example.com string DNS zone associated with the event
vendor_data_zone_scope Default string Zone scope associated with the event
vendor_domain_sld example string Second-level domain extracted from the queried FQDN
vendor_domain_sld_tld example.com string Second-level domain + TLD
vendor_domain_tld com string Top-level domain extracted from the queried FQDN
vendor_event_category LOOK_UP string DNS event category (LOOK_UP, RECURSE_QUERY, DYNAMIC_UPDATE, ZONE_XFR)
vendor_event_category_code 1 long Numeric code for the DNS event category
vendor_event_description Query received string Human-readable description of the event
vendor_event_provider Microsoft-Windows-DNSServer string Windows event provider name
vendor_event_provider_guid {eb79061a-a566-4698-9119-3ed2807060e7} string GUID of the Windows event provider
vendor_event_session DNSServer-Analytical string ETW session name
vendor_event_severity information string Windows event severity level
vendor_input_type etw string Filebeat input type (etw)
vendor_opcode_code 0 string Windows event opcode code

Audit Event Fields

Fields extracted from DNS Audit (Winlog) events (Event IDs 512-582).

Field Name Example Value Field Type Description
event_code 519 long Windows event ID
event_created 2025-03-14T04:10:40.874Z string Timestamp the event was created
event_log_name Microsoft-Windows-DNSServer/Audit string Windows event log channel name
event_reporter WIN-DNSSERVER01 string Hostname of the Filebeat agent reporting the event
event_reporter_hostname WIN-DNSSERVER01.example.com string FQDN of the reporting host
event_source WIN-DNSSERVER01.example.com string Source host for the event
event_source_product windows_dns_server string Illuminate source product identifier
event_uid 97 string Windows event record ID
gim_event_category name resolution array GIM event category
gim_event_class protocol array GIM event class
gim_event_subcategory name resolution.ddns update array GIM event subcategory
gim_event_type ddns update array GIM event type
gim_event_type_code 140500 array GIM event type code(s)
network_bytes 4 long Buffer size in bytes (if available)
network_protocol dns string Network protocol (always dns)
source_ip 192.168.1.50 string Source IP address (for dynamic update events)
source_reference 192.168.1.50 string Source reference (IP or hostname)
user_category built_in, privileged array Illuminate user category tags
user_domain EXAMPLE string Windows domain of the user who performed the action
user_id S-1-5-21-... string Windows SID of the user
user_priority_level 4 long Illuminate user priority level
user_type User string Windows account type
user_name Administrator string Username of the account that performed the action
vendor_data_NAME win-dnsserver01 string DNS record name affected by the event
vendor_data_new_value 6143 string New value after a configuration change
vendor_data_old_value 0 string Previous value before a configuration change
vendor_data_property_key LogLevel string Name of the server property that was changed
vendor_data_qname * string Query name (for cache purge events)
vendor_data_rdata C0A81379 string Hex-encoded record data
vendor_data_scope Default string Zone or server scope (for cache purge events)
vendor_data_ttl 1200 long DNS record TTL value
vendor_data_type 1 string DNS record type code
vendor_data_virtualization_id . string Virtualization instance identifier
vendor_data_zone example.com string DNS zone affected by the event
vendor_data_zone_scope Default string Zone scope affected by the event
vendor_event_action create string Action performed: create, add, delete, update, or clear
vendor_event_category DYNAMIC_UPDATE string DNS event category (ZONE_OP, DYNAMIC_UPDATE, SERVER_OP, CACHE_OP, etc.)
vendor_event_category_code 3 long Numeric code for the DNS event category
vendor_event_description Record create - dynamic update string Human-readable description of the event
vendor_event_provider Microsoft-Windows-DNSServer string Windows event provider name
vendor_event_provider_guid {eb79061a-a566-4698-9119-3ed2807060e7} string GUID of the Windows event provider
vendor_event_severity information string Windows event severity level
vendor_input_type winlog string Filebeat input type (winlog)
vendor_opcode Info string Windows event opcode

Windows DNS Server Spotlight Content Pack

The Windows DNS Server Spotlight offers a dashboard with the following tabs:

DNS Analytic Events

DNS Audit Events

Domain Analysis