Transfer Windows Server 2012R2 DNS logs over TLS with nxlog to an ELK stack on Debian

Hello everyone!

I'm new to the forum, so I'm turning to you because I have a problem viewing my DNS logs on the ELK stack.
Here is my problem: I have a Windows Server 2012R2 VM with nxlog on it. The configuration file is the following:

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _json>
    Module      xm_json
</Extension>

<Input dnslog>
    Module      im_file
    # path of the DNS debug log file
    File        "C:\\dns-log.log"
    InputType   LineBased
    Exec        $Message = $raw_event;
    SavePos     TRUE
</Input>

<Output out>
    Module      om_ssl
    # placeholders for the Logstash server's address and listening port
    Host        IP_DU_SERVEUR_LOGSTASH
    Port        PORT_DU_SERVEUR_LOGSTASH
    # CA used to verify the certificate presented by the Logstash listener
    CAFile      %CERTDIR%\logstash-forwarder.crt
    Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
</Output>

<Route 1>
    Path        dnslog => out
</Route>

My ELK stack runs on Debian. These are the config files:

input {
  tcp {
    # nxlog's to_json() sends one JSON object per line, so decode it as JSON;
    # with a line codec the whole JSON text lands in "message" and the grok
    # below has nothing to match
    codec => json_lines { charset => "CP1252" }
    port => PORT_DU_SERVEUR_LOGSTASH
    ssl_enable => true
    # ssl_verify => false turns off client-certificate checks, so any host that
    # can reach this port can inject events; switch it on (and give nxlog a
    # CertFile/KeyFile in om_ssl) once the pipeline works
    ssl_verify => false
    ssl_cert => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
    type => "nxlog"
  }
}

filter {
  if [type] == "nxlog" {
    grok {
      # nxlog puts the raw line in "Message" ($Message = $raw_event above);
      # "[" and "]" must be escaped, otherwise they open a regex character class
      match => [ "Message", "(?<date_n_time_us>%{DATE_US} %{TIME} (?:AM|PM))%{SPACE}%{WORD:dns_thread_id}%{SPACE}%{WORD:dns_context}%{SPACE}%{WORD:dns_internal_packet_identifier}%{SPACE}%{WORD:dns_protocol}%{SPACE}%{WORD:dns_direction}%{SPACE}%{IP:dns_ip}%{SPACE}%{WORD:dns_xid}%{SPACE}(?<dns_query_type>(?:Q|R Q))%{SPACE}\[%{NUMBER:dns_flags_hex}%{SPACE}%{WORD:dns_flags_chars}%{SPACE}%{WORD:dns_response_code}\]%{SPACE}%{WORD:dns_question_type}%{SPACE}%{GREEDYDATA:dns_question_name}" ]
    }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    sniffing => true
    manage_template => false
    # [@metadata][nxlog] is never set, so the index name would have been the
    # literal "%{[@metadata][nxlog]}-..." and no Kibana index pattern matched it
    index => "nxlog-%{+YYYY.MM.dd}"
    document_type => "%{type}"
  }
  stdout {
    codec => rubydebug
  }
}

Issue: I cannot view my DNS logs in Kibana, nor configure a dashboard. I'm not sure about my Logstash configuration files, especially the "filter" and "output" sections. However, when I type the command ngrep INTERFACE -d -t -W byline on my Debian box, I see queries that appear to come from my Windows Server, so my logs are being received.

Could you help me ?

Thank you very much for your time! And sorry for my English...
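As an added example (not the original poster's code, and not part of the thread), here is the same field extraction ported to Python so it can be checked against sample lines before it goes into a grok filter. It goes a little further than the grok pattern: it decodes the length-prefixed question name, turns the timestamp into ISO 8601, and tolerates a flag column such as "A DR" whose letters are separated by spaces. The log lines in SAMPLE_LOG are constructed to follow the Windows DNS debug log layout, not taken from the poster's server; the field names are the ones the grok pattern uses.

```python
"""Windows DNS debug-log lines -> the same fields the grok pattern names.

Added example (not the original poster's code). The log lines in SAMPLE_LOG
are constructed to follow the Windows Server DNS debug-log layout; they were
not taken from the poster's server.
"""
import re
from datetime import datetime

# One line of the debug log. Field names mirror the grok pattern in the post.
# Note the escaped "\[" and "\]": left bare, "[" opens a character class and
# the grok pattern as posted does not match anything.
LINE_RE = re.compile(
    r"^(?P<date_n_time_us>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} (?:AM|PM))\s+"
    r"(?P<dns_thread_id>\w+)\s+"
    r"(?P<dns_context>\w+)\s+"
    r"(?P<dns_internal_packet_identifier>\w+)\s+"
    r"(?P<dns_protocol>\w+)\s+"
    r"(?P<dns_direction>\w+)\s+"
    r"(?P<dns_ip>[0-9A-Fa-f.:]+)\s+"
    r"(?P<dns_xid>\w+)\s+"
    r"(?P<dns_query_type>R Q|Q)\s+"
    # The flag letters (A/T/D/R) may be separated by spaces, e.g. "A DR", and
    # may be absent entirely, so match them lazily up to the response code.
    r"\[(?P<dns_flags_hex>[0-9A-Fa-f]+)\s+(?P<dns_flags_chars>[ATDR ]*?)\s*"
    r"(?P<dns_response_code>[A-Z]+)\]\s+"
    r"(?P<dns_question_type>\w+)\s+"
    r"(?P<dns_question_name>\S+)\s*$"
)

LABEL_RE = re.compile(r"\((\d+)\)")


def decode_name(encoded):
    """Decode '(3)www(6)google(3)com(0)' into 'www.google.com'.

    The debug log writes each label as its length in parentheses followed by
    the label itself, terminated by the zero-length root label.
    """
    labels = []
    pos = 0
    while pos < len(encoded):
        m = LABEL_RE.match(encoded, pos)
        if m is None:
            raise ValueError("malformed name at offset %d: %r" % (pos, encoded))
        length = int(m.group(1))
        pos = m.end()
        if length == 0:
            break
        labels.append(encoded[pos:pos + length])
        pos += length
    return ".".join(labels)


def parse_line(line):
    """Return the event as a dict, or None (the equivalent of _grokparsefailure)."""
    m = LINE_RE.match(line.rstrip())
    if m is None:
        return None
    event = m.groupdict()
    event["dns_flags_chars"] = event["dns_flags_chars"].replace(" ", "")
    # The log's timestamp is server-local time with no zone; a Logstash date
    # filter would need the same month/day/year 12-hour layout.
    event["@timestamp"] = datetime.strptime(
        event["date_n_time_us"], "%m/%d/%Y %I:%M:%S %p").isoformat()
    event["dns_question_name_decoded"] = decode_name(event["dns_question_name"])
    return event


def failed_lookups(log_text):
    """(client IP, name, rcode) for every response other than NOERROR."""
    failures = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event["dns_query_type"] != "R Q":
            continue
        if event["dns_response_code"] != "NOERROR":
            failures.append((event["dns_ip"], event["dns_question_name_decoded"],
                             event["dns_response_code"]))
    return failures


# Constructed sample in the debug-log layout: a query/response pair that
# resolves, and one that is answered NXDOMAIN.
SAMPLE_LOG = """\
1/19/2016 10:12:37 AM 0A64 PACKET  00000000028D7360 UDP Rcv 10.1.1.10       0002   Q [0001   D   NOERROR] A      (3)www(6)google(3)com(0)
1/19/2016 10:12:37 AM 0A64 PACKET  00000000028D7360 UDP Snd 10.1.1.10       0002 R Q [8081   DR  NOERROR] A      (3)www(6)google(3)com(0)
1/19/2016 10:12:38 AM 0A64 PACKET  00000000028D9F80 UDP Rcv 10.1.1.10       0003   Q [0001   D   NOERROR] A      (4)mail(7)invalid(0)
1/19/2016 10:12:38 AM 0A64 PACKET  00000000028D9F80 UDP Snd 10.1.1.10       0003 R Q [8385 A DR  NXDOMAIN] A      (4)mail(7)invalid(0)
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(parse_line(line))
    print(failed_lookups(SAMPLE_LOG))
```

Run it against a few real lines from your own debug log before trusting the grok pattern; a line that returns None here would be tagged _grokparsefailure in Logstash.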

Have you looked at using winlogbeat instead of nxlog?
https://www.elastic.co/guide/en/beats/winlogbeat/current/index.html

I know that doesn't solve your problem immediately, but I am not sure how many people have nxlog experience - it's been a few years since I last used it.

Did you find a solution? I'm also trying to send DNS logs to Logstash and can't get it working. I'm using Winlogbeat for the event logs, but I don't think there is a way to send the DNS logs which are being captured in 'debug' mode to Logstash. I'm using the following config (c:\dnslog\dnslogs.txt is where the
debug DNS info is being saved):

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

## The forum stripped the block tags; "DNS" and "out" come from the Route
## below, the Extension names are assumed (they match the nxlog sample config)
<Extension syslog>
    Module xm_syslog
</Extension>

<Extension json>
    Module xm_json
</Extension>

<Input DNS>
    Module im_file
    File 'C:\DNSLog\dnslogs.txt'
    SavePos TRUE
    InputType LineBased
    Exec $Message = $raw_event;
</Input>

<Output out>
    Module om_tcp
    Host 172.20.1.239
    Port 5041
    Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; \
         to_json();
</Output>

<Route 1>
    Path DNS => out
</Route>

On the Logstash side I have the following

input {
  tcp {
    # nxlog's om_tcp sends plain line-delimited JSON, not the Beats (lumberjack)
    # protocol, so a beats { } input would never decode it
    port => 5041
    codec => json_lines
    type => "logs"
    # TLS is off here, so the logs cross the network in the clear; om_ssl on the
    # nxlog side plus ssl_enable => true here would protect them in transit
    ssl_enable => false
    ssl_cert => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}

Hello,

After investigating, I found that it's because nxlog/winlogbeat/etc. don't have the rights to read this file: C:\DNSLog\dnslogs.txt.

So you need to specify another path to save your log, or grant the read right to your program.

Thanks, I'll look into it.