Transfer Windows Server 2012R2 DNS logs over TLS with nxlog to an ELK stack on Debian

Hello everyone!

I'm new to the forum, and I'm turning to you because I'm having a problem viewing my DNS logs in my ELK stack.
Here is my problem: I have a Windows Server 2012R2 VM with nxlog on it. The configuration file is the following:

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _json>
    Module      xm_json
</Extension>

<Input dnslog>
    Module      im_file
    File        "C:\\dns-log.log"
    InputType   LineBased
    # keep the raw debug-log line in the Message field
    Exec        $Message = $raw_event;
    SavePos     TRUE
</Input>

<Output out>
    Module      om_ssl
    # om_ssl needs a Host and a Port; they were not shown in the original post,
    # so the two values below are placeholders for the Logstash server's address
    Host        LOGSTASH_HOST
    Port        PORT_DU_SERVEUR_LOGSTASH
    # CA used to verify the Logstash server certificate
    CAFile      %CERTDIR%\logstash-forwarder.crt
    # timestamp in microseconds -> seconds, then send the event as one JSON line
    Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
</Output>

<Route 1>
    Path        dnslog => out
</Route>

My ELK stack runs on Debian. These are the config files:

input {
  tcp {
    # nxlog's to_json() sends one JSON object per line, so decode it here;
    # with a "line" codec the whole JSON string would land in [message]
    codec => json { charset => "CP1252" }
    port => PORT_DU_SERVEUR_LOGSTASH
    ssl_enable => true
    # ssl_verify => false: the client certificate is not checked, so anything
    # that can reach this port can inject events; set it to true once nxlog
    # presents a certificate signed by a CA Logstash trusts
    ssl_verify => false
    ssl_cert => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
    type => "nxlog"
  }
}

filter {
  if [type] == "nxlog" {
    grok {
      # nxlog puts the raw line in [Message]. The square brackets around the
      # flags are literal and must be escaped (unescaped they form a character
      # class); the flag characters are four fixed columns (A T D R) and may
      # contain a space, e.g. "A DR", which %{WORD} would not match
      match => [ "Message", "(?<date_n_time_us>%{DATE_US} %{TIME} (?:AM|PM))%{SPACE}%{WORD:dns_thread_id}%{SPACE}%{WORD:dns_context}%{SPACE}%{WORD:dns_internal_packet_identifier}%{SPACE}%{WORD:dns_protocol}%{SPACE}%{WORD:dns_direction}%{SPACE}%{IP:dns_ip}%{SPACE}%{WORD:dns_xid}%{SPACE}(?<dns_query_type>(?:Q|R Q))%{SPACE}\[%{WORD:dns_flags_hex} (?<dns_flags_chars>[ATDR ]{4}) +%{WORD:dns_response_code}\]%{SPACE}%{WORD:dns_question_type}%{SPACE}%{GREEDYDATA:dns_question_name}" ]
    }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    sniffing => true
    manage_template => false
    # [@metadata][nxlog] and [@metadata][type] are never set in this pipeline
    # and would stay unresolved in the index name, so use literals instead
    index => "nxlog-%{+YYYY.MM.dd}"
    document_type => "%{[type]}"
  }
  stdout {
    codec => rubydebug
  }
}

Issue: I cannot view my DNS logs in Kibana, nor configure a dashboard. I'm not sure about my configuration files for Logstash, especially the "filter" and "output" sections. However, when I type the command ngrep INTERFACE -d -t -W byline on my Debian box, I see queries that appear to come from my WS, so my logs are being received.

Could you help me?

Thank you very much for your time! And sorry for my English writing...
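As an added example that is not part of the original post (and not nxlog's, Logstash's or the posters' code), here is a small Python parser for the Windows DNS debug-log line format that the grok pattern above targets. The sample log lines, IP addresses and names in it are constructed for the example. It shows what the grok has to get right: the square brackets around the flags are literal, the flag characters occupy four fixed columns (so a value such as A DR contains a space), and the question name arrives label-encoded as (3)www(7)example(3)com(0) and must be decoded before a detection rule (here: a long-label check as a first signal for DNS tunnelling) can say anything useful about it.

```python
"""Parser for Windows Server DNS debug-log lines, the format the grok pattern
above targets, plus decoding of the (3)www(7)example(3)com(0) name encoding.
Example code added to this thread; it is not nxlog's, Logstash's or the
posters' code."""
import re
from datetime import datetime

# Constructed sample lines (not from the original post) in the Windows Server
# 2012 R2 DNS debug-log layout: date, time, thread id, context, internal
# packet id, UDP/TCP, Snd/Rcv, remote IP, XID, R (response) or blank, opcode,
# [flags hex, flag chars, rcode], question type, question name.
SAMPLE_LOG = """\
3/31/2016 10:44:54 AM 0CE8 PACKET  00000055E0CC9460 UDP Rcv 10.0.0.5        0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
3/31/2016 10:44:54 AM 0CE8 PACKET  00000055E0CC9460 UDP Snd 10.0.0.5        0002 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
3/31/2016 10:45:02 AM 0CE8 PACKET  00000055E0CD1230 UDP Snd 10.0.0.7        0003 R Q [8385 A DR NXDOMAIN] A      (10)nosuchhost(7)example(3)com(0)
3/31/2016 10:45:03 AM 0CE8 PACKET  00000055E0CD4440 TCP Rcv 10.0.0.9        0004   Q [0001   D   NOERROR] TXT    (20)q3vzdnsmqqpu7j2h0wlk(5)exfil(3)net(0)
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} (?:AM|PM))\s+"
    r"(?P<thread_id>[0-9A-Fa-f]+)\s+(?P<context>\w+)\s+(?P<packet_id>[0-9A-Fa-f]+)\s+"
    r"(?P<protocol>UDP|TCP)\s+(?P<direction>Snd|Rcv)\s+(?P<remote_ip>[0-9A-Fa-f.:]+)\s+"
    # "R" marks a response; the column is blank for a query. Opcode: Q, N, U or ?
    r"(?P<xid>[0-9A-Fa-f]{4}) (?P<response>[R ]) (?P<opcode>[QNU?]) "
    # The brackets are literal (escaped). The flag characters A T D R occupy
    # four fixed columns, so "A DR" (with an inner space) is a valid value.
    r"\[(?P<flags_hex>[0-9A-Fa-f]{4}) (?P<flags_chars>[ATDR ]{4}) +(?P<rcode>\w+)\]\s+"
    r"(?P<qtype>\w+)\s+(?P<qname>\S+)\s*$"
)
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")


def decode_name(encoded):
    """Turn "(3)www(7)example(3)com(0)" into "www.example.com", checking that
    every label really has the announced length (a cheap sanity check that the
    line was split into fields correctly)."""
    labels, pos = [], 0
    while True:
        m = LABEL_RE.match(encoded, pos)
        if m is None:
            raise ValueError(f"malformed encoded name: {encoded!r}")
        length, label, pos = int(m.group(1)), m.group(2), m.end()
        if length == 0:
            if label or pos != len(encoded):
                raise ValueError(f"trailing data after root label: {encoded!r}")
            return ".".join(labels) or "."
        if len(label) != length:
            raise ValueError(f"label {label!r} is not {length} bytes long")
        labels.append(label)


def parse_line(line):
    """Parse one debug-log line into a dict, or return None for lines that do
    not match (the file can also contain multi-line packet dumps)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    f = m.groupdict()
    return {
        "timestamp": datetime.strptime(f"{f['date']} {f['time']}", "%m/%d/%Y %I:%M:%S %p"),
        "thread_id": f["thread_id"],
        "packet_id": f["packet_id"],
        "protocol": f["protocol"],
        "direction": f["direction"],
        "remote_ip": f["remote_ip"],
        "xid": int(f["xid"], 16),
        "is_response": f["response"] == "R",
        "opcode": f["opcode"],
        "flags": int(f["flags_hex"], 16),
        "flag_chars": f["flags_chars"].replace(" ", ""),
        "rcode": f["rcode"],
        "qtype": f["qtype"],
        "qname": decode_name(f["qname"]),
    }


def parse_log(text):
    """Parse every matching line of a debug log; unparsable lines are skipped."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec is not None]


def long_label_queries(records, max_label_len=16):
    """Queries (not responses) carrying a label longer than max_label_len.
    A simple first signal for DNS tunnelling or exfiltration; it only works
    on the decoded name, not on the (20)... encoded form."""
    hits = []
    for rec in records:
        if rec["is_response"]:
            continue
        if max(len(label) for label in rec["qname"].split(".")) > max_label_len:
            hits.append((rec["remote_ip"], rec["qtype"], rec["qname"]))
    return hits


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for rec in records:
        kind = "response" if rec["is_response"] else "query"
        print(f"{rec['timestamp']:%Y-%m-%d %H:%M:%S} {rec['remote_ip']:<10} {kind:<8} "
              f"{rec['qtype']:<4} {rec['qname']} [{rec['flag_chars']} {rec['rcode']}]")
    print("suspicious:", long_label_queries(records))
```

The regex is the Python equivalent of the grok pattern, with the two fixes a practitioner would need: escaped brackets and a fixed-width flag field. Running the file prints the four parsed records and flags the 20-character TXT label as suspicious.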

Have you looked at using winlogbeat instead of nxlog?

I know that doesn't solve your problem immediately, but I am not sure how many people have nxlog experience - it's been a few years since I last used it.

Did you find a solution? I'm also trying to send DNS logs to Logstash and can't get it working. I'm using Winlogbeat for the event logs, but I don't think there is a way to send the DNS logs which are being captured in 'debug' mode to Logstash. I'm using the following config (c:\dnslog\dnslogs.txt is where the debug DNS info is being saved):

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension _json>
    Module      xm_json
</Extension>

<Input DNS>
    Module      im_file
    File        'C:\DNSLog\dnslogs.txt'
    SavePos     TRUE
    InputType   LineBased
    Exec        $Message = $raw_event;
</Input>

<Output out>
    Module      om_tcp
    # placeholder: the hostname was removed from the original post
    Host        LOGSTASH_HOST
    Port        5041
    Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000000; \
                to_json();
</Output>

<Route 1>
    Path        DNS => out
</Route>

On the Logstash side I have the following:

input {
  # nxlog's om_tcp sends plain TCP (one JSON line per event), not the Beats
  # (Lumberjack) protocol the beats input expects, so a tcp input with a json
  # codec has to listen on 5041 instead
  tcp {
    port => 5041
    type => "logs"
    codec => json
    ssl_enable => false
    # only used once ssl_enable is set to true
    ssl_cert => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}
After investigation, I found that it's because nxlog/winlogbeat/etc. don't have the right to read this file C:\DNSLog\dnslogs.txt.

So, you need to specify another path to save your log, or grant the right to your program.

Thanks, I'll look into it.