Microsoft DNS Server (xm_msdns)

This module supports parsing Microsoft DNS Server debug logs in the standard, single-line format. It registers an InputType with the name of the module instance. It also provides the parse_msdns() procedure to parse individual events or strings.

xm_msdns does not support the multi-line detailed logging format generated when the DNS Server’s Details option is activated. For detailed DNS debugging, refer to Parsing detailed DNS debug logs.

  • When using the module with InputType, it silently discards events that it cannot parse. Ensure that events are in the standard Microsoft DNS Server debug log format and that you set the DateFormat correctly to avoid data loss.

  • There are instances when Microsoft DNS does not recreate the log file when it reaches the maximum size. Refer to The disappearing Windows DNS debug log for more information. See Rotate and delete log files for how to rotate log files with NXLog Agent.

To examine the supported platforms, see the list of installation packages.

Configuration

The xm_msdns module accepts the following directives in addition to the common module directives.

Optional directives

DateFormat

Specify the event timestamp format. The format must be a string compatible with the C strptime(3) function.

The default format is %m/%d/%y %I:%M:%S %p.

EventLine

Boolean directive to specify whether to keep EVENT records.

If set to FALSE, the module discards EVENT records. The default is TRUE.

Only applies when using the module with InputType.

NoteLine

Boolean directive to specify whether to keep NOTE records.

If set to FALSE, the module discards NOTE records. The default is TRUE.

Only applies when using the module with InputType.

PacketLine

Boolean directive to specify whether to keep PACKET records.

If set to FALSE, the module discards PACKET records. The default is TRUE.

Only applies when using the module with InputType.

Procedures

The following procedures are exported by xm_msdns.

parse_msdns();

Parse the $raw_event field as a standard Microsoft DNS debug log record and populate the event fields.

parse_msdns(type: string source);

Parse the given string as a standard Microsoft DNS debug log record and populate the event fields.

Fields

The following fields are used by xm_msdns.

$raw_event (type: string)

The raw event string.

$AuthoritativeAnswer (type: boolean)

For PACKET events only. It is set to TRUE if the "Authoritative Answer" flag is set.

$Context (type: string)

The event type. It can be PACKET, EVENT, or NOTE.

$EventDescription (type: string)

The description of EVENT type records.

$EventTime (type: datetime)

The event timestamp.

$FlagsHex (type: string)

For PACKET events only. The flags in hexadecimal.

$InternalPacketIdentifier (type: string)

For PACKET events only. An internal ID corresponding with the event.

$Message (type: string)

The free-form message in certain PACKET events. For example, some PACKET events include a message such as Response packet 000001D1B80209E0 does not match any outstanding query.

$Note (type: string)

For NOTE events only. Contains the event note.

$Opcode (type: string)

For PACKET events only. It can be Standard Query, Notify, Update, or Unknown.

$ParseFailure (type: string)

The remaining, unparsed portion of a record that does not match the expected format.

$Protocol (type: string)

For PACKET events only. It can be TCP or UDP.

$QueryResponseIndicator (type: string)

Indicates whether a PACKET event corresponds with a query or a response. It can be Query or Response.

$QuestionName (type: string)

For PACKET events only. Contains the lookup value. For example, example.com.

$QuestionType (type: string)

For PACKET events only. Contains the lookup type. For example, A or AAAA.

$RecursionAvailable (type: boolean)

For PACKET events only. It is set to TRUE if the "Recursion Available" flag is set.

$RecursionDesired (type: boolean)

For PACKET events only. It is set to TRUE if the "Recursion Desired" flag is set.

$RemoteIP (type: string)

For PACKET events only. The IP address of the requesting client.

$ResponseCode (type: string)

For PACKET events only. The DNS Server response code.

$SendReceiveIndicator (type: string)

For PACKET events only. Indicates whether the server sent (Snd) or received (Rcv) the packet.

$ThreadId (type: string)

The ID of the thread that produced the event.

$TruncatedResponse (type: boolean)

For PACKET events only. It is set to TRUE if the "Truncated Response" flag is set.

$Xid (type: string)

For PACKET events only. The hexadecimal XID.

Examples

Example 1. Collecting Microsoft DNS debug logs from a file

This configuration collects Microsoft DNS debug logs from the default location. It sets the InputType directive to the name of the xm_msdns module instance to parse all incoming records.

nxlog.conf
<Extension dns_parser>
    Module      xm_msdns
</Extension>

<Input dns_logs>
    Module      im_file
    File        'C:\Windows\System32\dns\dns.log'
    InputType   dns_parser
</Input>

The following is a Microsoft DNS PACKET log record.

Input sample
8/24/2025 10:42:15 PM 1A2 PACKET  0000026E3A1F3D20 UDP Rcv 10.0.0.15    0000   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)

When the NXLog Agent configuration above processes this message, it adds the following fields to the log record.

Field                       Value

$EventTime                  2025-08-24 22:42:15
$ThreadId                   1A2
$Context                    PACKET
$InternalPacketIdentifier   0000026E3A1F3D20
$Protocol                   UDP
$SendReceiveIndicator       Rcv
$RemoteIP                   10.0.0.15
$Xid                        0000
$QueryResponseIndicator     Query
$Opcode                     Standard Query
$FlagsHex                   0001
$RecursionDesired           true
$FlagsChar                  D
$ResponseCode               NOERROR
$QuestionType               A
$QuestionName               www.example.com
$EventReceivedTime          2025-08-24 22:42:35
$SourceModuleName           dns_logs
$SourceModuleType           im_file
$Hostname                   DNS-1
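To show how the record above maps onto the fields listed in the Fields section, here is a small stand-alone parser for the standard single-line format. It is an added example, not NXLog's own implementation of parse_msdns(); it assumes the 12-hour timestamp with a four-digit year shown in the sample (so the default date format is %m/%d/%Y rather than %y), treats an "R" between the XID and the opcode as the response indicator, and maps the flag characters A, T, D and R to the four boolean flag fields. Lines it cannot parse end up in ParseFailure instead of being discarded.

```python
import re
from datetime import datetime

# Header shared by every record: timestamp, thread id, context, remainder.
HEADER = re.compile(r"^(?P<ts>\S+ \S+ [AP]M) (?P<tid>[0-9A-Fa-f]+) "
                    r"(?P<ctx>PACKET|EVENT|NOTE)\s*(?P<rest>.*)$")
# Body of a PACKET record. The Q/R indicator is an optional "R" before the opcode.
PACKET = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]+) (?P<proto>UDP|TCP) (?P<dir>Snd|Rcv) (?P<ip>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]{4})\s+(?P<qr>R)?\s*(?P<op>[QNU?])\s+"
    r"\[(?P<flags>[0-9A-Fa-f]{4})\s+(?P<chars>[ATDR]+\s+)?(?P<rcode>[A-Z]+)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)$")
OPCODES = {"Q": "Standard Query", "N": "Notify", "U": "Update", "?": "Unknown"}
FLAG_CHARS = {"A": "AuthoritativeAnswer", "T": "TruncatedResponse",
              "D": "RecursionDesired", "R": "RecursionAvailable"}
LABEL = re.compile(r"\((\d+)\)([^()]*)")

# The PACKET record from the page's input sample.
SAMPLE = ("8/24/2025 10:42:15 PM 1A2 PACKET  0000026E3A1F3D20 UDP Rcv 10.0.0.15"
          "    0000   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)")

def decode_name(wire):
    """Turn the length-prefixed form (3)www(7)example(3)com(0) into www.example.com."""
    labels = [label for n, label in LABEL.findall(wire) if int(n) > 0]
    return ".".join(labels) if labels else "."

def parse_msdns(line, date_format="%m/%d/%Y %I:%M:%S %p"):
    """Parse one standard (single-line) Microsoft DNS debug log record into a dict."""
    fields = {"raw_event": line}
    head = HEADER.match(line)
    if not head:
        fields["ParseFailure"] = line          # keep the record instead of dropping it
        return fields
    fields["EventTime"] = datetime.strptime(head["ts"], date_format)
    fields["ThreadId"], fields["Context"], rest = head["tid"], head["ctx"], head["rest"]
    if head["ctx"] == "EVENT":
        fields["EventDescription"] = rest
    elif head["ctx"] == "NOTE":
        fields["Note"] = rest
    else:
        pkt = PACKET.match(rest)
        if not pkt:                             # e.g. free-form "Response packet ..." lines
            fields["ParseFailure"] = rest
            return fields
        fields.update(InternalPacketIdentifier=pkt["pid"], Protocol=pkt["proto"],
                      SendReceiveIndicator=pkt["dir"], RemoteIP=pkt["ip"], Xid=pkt["xid"],
                      QueryResponseIndicator="Response" if pkt["qr"] else "Query",
                      Opcode=OPCODES[pkt["op"]], FlagsHex=pkt["flags"],
                      ResponseCode=pkt["rcode"], QuestionType=pkt["qtype"],
                      QuestionName=decode_name(pkt["qname"]))
        chars = (pkt["chars"] or "").strip()   # flag characters between hex flags and rcode
        for char, name in FLAG_CHARS.items():
            fields[name] = char in chars
    return fields
```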

Example 2. Parsing Microsoft DNS debug logs from JSON

This configuration receives logs over TCP in JSON format. Each JSON record comprises a Timestamp, Hostname, and Event field, the latter of which contains Microsoft DNS debug log events.

nxlog.conf
<Extension dns_parser>
    Module      xm_msdns
</Extension>

<Extension json>
    Module      xm_json
</Extension>

<Input dns_logs>
    Module      im_tcp
    ListenAddr  0.0.0.0:1514
    <Exec>
        parse_json(); (1)
        parse_msdns($Event); (2)

        delete($Timestamp); (3)
        delete($Event);
    </Exec>
</Input>
1 Parses the JSON log records with xm_json's parse_json() procedure.
2 Parses the $Event field with xm_msdns's parse_msdns() procedure.
3 Deletes the redundant $Timestamp and $Event fields.

The following is a Microsoft DNS PACKET log record encapsulated in a JSON object.

Input sample
{
  "Timestamp": "2025-08-24T23:50:22",
  "Hostname": "DNS-1",
  "Event":"8/24/2025 10:42:15 PM 1A2 PACKET  0000026E3A1F3D20 UDP Rcv 10.0.0.15    0000   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)"
}

When the NXLog Agent configuration above processes this message, it adds the following fields to the log record.

Field                       Value

$EventReceivedTime          2025-08-24 23:50:34
$SourceModuleName           dns_logs
$SourceModuleType           im_tcp
$Hostname                   DNS-1
$EventTime                  2025-08-24 22:42:15
$ThreadId                   1A2
$Context                    PACKET
$InternalPacketIdentifier   0000026E3A1F3D20
$Protocol                   UDP
$SendReceiveIndicator       Rcv
$RemoteIP                   10.0.0.15
$Xid                        0000
$QueryResponseIndicator     Query
$Opcode                     Standard Query
$FlagsHex                   0001
$RecursionDesired           true
$FlagsChar                  D
$ResponseCode               NOERROR
$QuestionType               A
$QuestionName               www.example.com