Windows ETW logs (DNSServer Analytics logs) not getting ingested

I am trying to ingest DNSServer Analytics logs into my ELK stack (V-8.14) but the logs are not getting ingested. Below are the configurations I added in my elastic-agent.yml file:

Trial 1:

   - type: etw
     id: etw-dnsserver
     enabled: true
     # provider key restored; the provider name had been run together with the line above
     provider.name: Microsoft-Windows-DNSServer
     session_name: DNSServer-Analytical
     trace_level: verbose
     match_any_keyword: 0x8000000000000000
     match_all_keyword: 0

Trial 2: using the path of the file,

   - type: etw
     enabled: true
     id: etw-dnsserver-session
     # single-quoted so the backslashes are not parsed as YAML escape sequences
     file: 'C:\WINDOWS\System32\Winevt\Logs\Microsoft-Windows-DNSServer%4Analytical.etl'

I got these configurations from the Elastic documentation: ETW input | Filebeat Reference [8.15] | Elastic

I also tried directly with Filebeat using the path, but the data comes in an encoded format which was not readable.

Elastic stack version: 18.4
Elastic agent version: 18.4

Isn't this the integration you need? Microsoft DNS Server | Documentation

I am using the same integration, and have given the above-mentioned configurations in the agent file, but still data is not coming.

Are you using filebeat or the integration to try this out?

Something to check out is if you have the events enabled, since DNS Analytical events are disabled by default. You need to follow the guide in order to enable them.

I am using the Integration configurations inside my elastic agent.

The DNS analytics logs are enabled and I can see them in Windows, but they are not getting ingested into Elasticsearch.

I am trying to setup the same integration.

No Data Stream is created for Elastic-DNSServer-Analytical
The Data Stream does work for Microsoft-Windows-DNSServer/Audit

I followed the guide to enable ETW tracing.

Were you able to figure this out?

I was able to get the DNSServer Analytics data with ETW configuration,
but observed that the data stops when elastic agent restarts.

When I investigate, I see this error log:
Input 'etw' failed with: realtime session could not be created: session already exists: Cannot create a file when that file already exists.

So ETW creates a session and collects data, but when the agent is restarted, it is not able to create a new session or get data from the existing session.

Any solution to this?

Can you share your configuration so I can attempt to reproduce?

I have the same problem.
I have data from Audit, but not from Analytical.

After adding the path to this file, the logs were loaded into the index.

But that still didn't work.

Session-Name: DNSServer-Analytical
Match all keyword: 
Ingest pipeline: logs-microsoft_dnsserver.analytical-1.0.1

Elastic-Agent version 8.17.0

The description of the integration states:

"When specifying a provider, a new session is created. This controls the name for the new ETW session it will create. If not specified, the session will be named using the provider ID prefixed by 'Elastic-'.":

According to the configuration @Mario_22 posted, the Session-Name is not prefixed with "Elastic-" (so a "provider was specified"?).
And according to the error message @suhasbhatt101 provided, there already exists a session (so "a new session is created").

Seems something got messed up with the specification of the ETW providers?
Maybe this helps:

It finally works.

For some reason it stopped working (maybe a Windows update). And there was a problem with connecting to the session. It's worth checking

Get-EtwTraceProvider -guid '{EB79061A-A566-4698-9119-3ED2807060E7}'

how many sessions there are. And it seems that restarting the integration and DNS settings will allow connecting to the session, or will create a new one.

In my case, something was blocking (or duplicating) the session.
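The "session already exists" error after an agent restart, and the session check with Get-EtwTraceProvider above, both come down to the same question: which trace sessions currently hold the DNS Server provider, and is one of them an orphaned session with the integration's session_name. The script below is an added example written for this thread, not Elastic's code; it assumes the EventTracingManagement module (Get-EtwTraceProvider, Get-EtwTraceSession, Stop-EtwTraceSession) is available, that it is run elevated, and it reuses the session name and provider GUID posted in the thread.

```powershell
# Added example: find a stale ETW realtime session holding the DNS Server provider
# before (re)starting Elastic Agent. Assumes EventTracingManagement is available
# and the script runs from an elevated PowerShell prompt.
param(
    [string]$SessionName  = 'DNSServer-Analytical',                  # session_name from the thread's config
    [string]$ProviderGuid = '{EB79061A-A566-4698-9119-3ED2807060E7}', # Microsoft-Windows-DNSServer, from the thread
    [switch]$StopStale                                               # stop an orphaned session so the agent can recreate it
)

# 1. Every trace session currently subscribed to the DNS Server provider.
#    A session left behind by a previous agent process is what causes
#    "realtime session could not be created: session already exists" on restart.
$subscribers = Get-EtwTraceProvider -Guid $ProviderGuid -ErrorAction SilentlyContinue
if (-not $subscribers) {
    Write-Host "No trace session is subscribed to $ProviderGuid; the agent should be able to create '$SessionName'."
} else {
    Write-Host "Sessions subscribed to ${ProviderGuid}:"
    $subscribers | Select-Object SessionName, Level, MatchAnyKeyword, MatchAllKeyword | Format-Table -AutoSize
}

# 2. Does a session with the configured name already exist?
$existing = Get-EtwTraceSession -Name $SessionName -ErrorAction SilentlyContinue
if (-not $existing) {
    Write-Host "No session named '$SessionName' exists."
    return
}

# 3. If no agent/beat process is running, the session is orphaned rather than in use.
$agent = Get-Process -Name 'elastic-agent', 'filebeat' -ErrorAction SilentlyContinue
if ($agent) {
    Write-Host "Session '$SessionName' exists and an agent process (PID $($agent.Id -join ',')) is running; leave it alone."
    return
}
Write-Warning "Session '$SessionName' exists but no agent process is running: it is orphaned."

if ($StopStale) {
    # Stopping the orphaned realtime session lets the restarted agent create a fresh one.
    Stop-EtwTraceSession -Name $SessionName
    Write-Host "Stopped '$SessionName'."
} else {
    Write-Host "Re-run with -StopStale to stop it, or run: logman stop '$SessionName' -ets"
}
```

Run it before restarting the agent; if it reports a session that belongs to something other than the agent (step 1 shows a different SessionName on the same provider), that is the "something blocking or duplicating the session" case rather than a stale agent session.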