I have been doing some experimentation in hopes of exporting and analyzing Microsoft AD DNS debug logs. The project goal is to export the relevant data to a Graylog analyzer with an Elasticsearch back-end. The basic steps are trivial. The biggest issue is correctly parsing the DNS debug logs so the data can be structured and sent to the log analyzer. We are using NXLog to ship the data to Graylog. The problems arise from the inconsistent format Microsoft uses in these logs.
Here are just a few of the problems:
I point all this out simply to indicate how difficult it is to properly parse, and rely upon the integrity of, the native DNS debug log produced by the AD DNS server. DNS logging and proper analysis are critical to enforcing excellent network security. Microsoft makes it quite difficult by not incorporating better logging mechanisms into their AD DNS server.
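To make the parsing problem concrete, here is an added example (my own code, not the author's plugin and not an NXLog configuration) that turns the packet lines of a Windows DNS debug log into structured records of the kind one would ship to Graylog. It assumes the usual packet-line layout of that log (date, time, thread id, context, packet id, protocol, Snd/Rcv, remote IP, XID, R flag, opcode, a bracketed flags block, query type, and the length-prefixed name such as `(3)www(7)example(3)com(0)`); the sample lines are constructed, not taken from a real server, and lines that do not match the layout are reported rather than silently dropped so that gaps in the data stay visible.

```python
"""Parse Windows Server DNS debug log packet lines into structured records (added example)."""
import re
from collections import Counter
from dataclasses import dataclass, asdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout Windows DNS debug logging writes for packets.
# The header line stands in for the non-packet text the real file also contains.
SAMPLE_LOG = """\
Message logging key (field in parentheses):

10/8/2015 10:15:23 AM 0B4C PACKET  000000C3DA0B8B50 UDP Rcv 192.168.1.10    0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
10/8/2015 10:15:23 AM 0B4C PACKET  000000C3DA0B8B50 UDP Snd 192.168.1.10    0002 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
10/8/2015 10:15:24 AM 0B4C PACKET  000000C3DA0C1F20 UDP Rcv 10.0.0.55       00a1   Q [0001   D   NOERROR] TXT    (4)host(8)internal(3)lan(0)
"""

# One packet line: whitespace between fields is variable, so every separator is \s+.
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2}\s+[AP]M)\s+"
    r"(?P<thread>[0-9A-Fa-f]+)\s+(?P<context>\S+)\s+(?P<packet_id>[0-9A-Fa-f]+)\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<direction>Snd|Rcv)\s+(?P<remote_ip>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]+)\s+(?P<response>R?)\s+(?P<opcode>[A-Z])\s+"
    r"\[(?P<flags_hex>[0-9A-Fa-f]+)\s+(?P<flags_chars>[A-Z]*)\s+(?P<rcode>[A-Z]+)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)


@dataclass
class DnsRecord:
    timestamp: str      # ISO-8601, local time exactly as written in the log
    protocol: str
    direction: str      # "Rcv" = packet received by the server, "Snd" = sent by it
    remote_ip: str
    xid: str
    is_response: bool
    opcode: str
    flags_hex: str
    rcode: str
    qtype: str
    qname: str          # dotted name decoded from the (len)label(len)label(0) form


def decode_qname(encoded: str) -> str:
    """Turn '(3)www(7)example(3)com(0)' into 'www.example.com', checking each length."""
    labels = []
    for length, label in re.findall(r"\((\d+)\)([^()]*)", encoded):
        if len(label) != int(length):
            raise ValueError(f"label length mismatch in {encoded!r}")
        if label:
            labels.append(label)
    return ".".join(labels) or "."


def parse_line(line: str) -> Optional[DnsRecord]:
    """Return a DnsRecord for a packet line, or None if the line is not a packet line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{m.group('date')} {m.group('time')}", "%m/%d/%Y %I:%M:%S %p")
    return DnsRecord(
        timestamp=ts.isoformat(),
        protocol=m.group("proto"),
        direction=m.group("direction"),
        remote_ip=m.group("remote_ip"),
        xid=m.group("xid").lower(),
        is_response=m.group("response") == "R",
        opcode=m.group("opcode"),
        flags_hex=m.group("flags_hex").lower(),
        rcode=m.group("rcode"),
        qtype=m.group("qtype"),
        qname=decode_qname(m.group("qname")),
    )


def parse_log(text: str) -> Tuple[List[DnsRecord], List[str]]:
    """Parse a whole log; non-blank lines that do not parse are returned separately."""
    records, skipped = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        (records if rec is not None else skipped).append(rec if rec is not None else line)
    return records, skipped


def queries_by_client(records: List[DnsRecord]) -> Dict[str, int]:
    """Count inbound queries (not responses) per client address."""
    return dict(Counter(r.remote_ip for r in records if r.direction == "Rcv" and not r.is_response))


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    for r in recs:
        print(asdict(r))          # flat dicts are what a GELF/Graylog shipper would send
    print("unparsed lines:", bad)
    print("queries per client:", queries_by_client(recs))
```

The length check in `decode_qname` is deliberate: a truncated or interleaved line (the integrity problem described above) usually shows up there first, and raising rather than guessing keeps a malformed name from being indexed as if it were a real query.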
I am working on a project that will hopefully remedy that problem.
I did notice that the Graylog Marketplace lists a Content Pack called Windows DNS Content Pack. I did attempt to use this, and it does a decent job of adding the proper Grok patterns and Extractors along with a decent dashboard. The output data was not very well formatted (a limitation of Grok) and proved less useful than I hoped.
As of 10-08-2015, I have solved what I set out to do. I have NXLog sending data from my AD servers. I was able to build a Graylog Plugin using Java to act as an input and parser for my DNS Debug data. I will write a separate post on this shortly and post the plugin on my Github site.