Hi Yap,
I noticed that the location tag value in the shared configuration is misspelled. According to Microsoft-Windows-DNSServer/Analytical, it should be Windows-DNSServer, not Windows-DSNServer.
Therefore, please configure it as shown below in the agent ossec.conf file.
<localfile>
  <location>Microsoft-Windows-DNSServer/Analytical</location>
  <log_format>eventchannel</log_format>
</localfile>
Make sure to restart the Wazuh agent to apply changes.
Restart-Service -Name wazuh
However, you can check these logs reaching the Wazuh manager by enabling archives.json logs.
To capture the logs from archives.json, please follow these steps:
1. Enable log_all_json on Wazuh Manager
Update the ossec.conf file on the Wazuh manager to enable log_all_json.
2. Reproduce the Event
Trigger the event again to capture the relevant logs.
3. Extract Relevant Logs
Run the following command on the Wazuh manager:
cat /var/ossec/logs/archives/archives.json | grep -iE "<related string>"
Replace <related string> with a relevant value from the log to filter the specific entries.
4. Disable log_all_json
After capturing the logs, disable log_all_json in the ossec.conf file to prevent excessive storage usage.
Share the sample log that you have taken from archives.json with us.
Ref: https://documentation.wazuh.com/current/user-manual/manager/event-logging.html#enabling-archiving
Warning
Keeping <logall_json>yes</logall_json> on can fill up your disk fast! Once you’re done troubleshooting, set it back to no in /var/ossec/etc/ossec.conf and restart the manager:
systemctl restart wazuh-manager
Please share the sample logs if you are able to capture from the archives.json logs.
Let me know the update on this.
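Both checks in the reply above (that the agent's eventchannel <location> is spelled exactly Microsoft-Windows-DNSServer/Analytical, and pulling matching entries out of archives.json while archiving is on) can be scripted. The Python below is an added example written for this thread, not code from the reply or from the Wazuh project. The ossec.conf fragment and the archives.json lines are constructed sample data with a simplified field set, the near-miss similarity cutoff of 0.9 is an assumed threshold, and agents_for_channel assumes the entry carries an agent.name field as archives.json entries do.

```python
import difflib
import json
import re
import xml.etree.ElementTree as ET

# The channel name the reply says is the correct one.
EXPECTED_CHANNEL = "Microsoft-Windows-DNSServer/Analytical"

# Constructed agent ossec.conf fragment (sample data, not from a real agent):
# one <localfile> with the DSN/DNS transposition from the thread, one spelled correctly.
SAMPLE_AGENT_CONF = """<ossec_config>
  <localfile>
    <location>Microsoft-Windows-DSNServer/Analytical</location>
    <log_format>eventchannel</log_format>
  </localfile>
  <localfile>
    <location>Microsoft-Windows-DNSServer/Analytical</location>
    <log_format>eventchannel</log_format>
  </localfile>
</ossec_config>"""


def check_eventchannel_locations(conf_text, expected=EXPECTED_CHANNEL, cutoff=0.9):
    """Return (exact, near_misses) for <location> values of eventchannel <localfile> blocks.

    A near miss is a location that differs from the expected channel but is very
    similar to it (difflib ratio >= cutoff, an assumed threshold), which is how a
    transposition such as DSNServer/DNSServer shows up instead of being silently ignored.
    """
    # An agent ossec.conf may hold several top-level <ossec_config> blocks, so the
    # text is wrapped in a synthetic root before parsing.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    exact, near_misses = [], []
    for lf in root.iter("localfile"):
        if (lf.findtext("log_format") or "").strip() != "eventchannel":
            continue
        loc = (lf.findtext("location") or "").strip()
        if loc == expected:
            exact.append(loc)
        elif difflib.SequenceMatcher(None, loc.lower(), expected.lower()).ratio() >= cutoff:
            near_misses.append(loc)
    return exact, near_misses


# Constructed archives.json lines (simplified field set, sample data only):
# one DNS Server event, one unrelated Linux event, and one line cut off mid-write,
# which happens when the file is read while the manager is still appending to it.
SAMPLE_ARCHIVES = "\n".join([
    json.dumps({"timestamp": "2024-01-01T00:00:00.000+0000",
                "agent": {"id": "001", "name": "win-dns01"},
                "location": "EventChannel",
                "full_log": '{"win":{"system":{"channel":"Microsoft-Windows-DNSServer/Analytical","eventID":"256"}}}'}),
    json.dumps({"timestamp": "2024-01-01T00:00:01.000+0000",
                "agent": {"id": "002", "name": "lnx-web01"},
                "location": "/var/log/auth.log",
                "full_log": "sshd[1234]: Accepted publickey for ops from 10.0.0.5"}),
    '{"timestamp": "2024-01-01T00:00:02.000+0000", "agent": {"id": "001"',
])


def grep_archives(text, pattern):
    """Parsed-JSON equivalent of `grep -iE "<related string>" archives.json`.

    Matching is case-insensitive over the raw line, like grep -i; lines that are not
    complete JSON are skipped rather than aborting the whole scan.
    """
    rx = re.compile(pattern, re.IGNORECASE)
    hits = []
    for line in text.splitlines():
        if not rx.search(line):
            continue
        try:
            hits.append(json.loads(line))
        except ValueError:
            continue  # partial line, nothing usable to report
    return hits


def agents_for_channel(text, channel=EXPECTED_CHANNEL):
    """Sorted agent names that shipped at least one archived event mentioning the channel."""
    return sorted({h["agent"]["name"] for h in grep_archives(text, re.escape(channel))})


if __name__ == "__main__":
    ok, bad = check_eventchannel_locations(SAMPLE_AGENT_CONF)
    print("correct locations:", ok)
    print("likely misspelled:", bad)
    print("agents with DNS Server events:", agents_for_channel(SAMPLE_ARCHIVES))
```

On a real manager, replace SAMPLE_ARCHIVES with the contents of /var/ossec/logs/archives/archives.json and SAMPLE_AGENT_CONF with the agent's ossec.conf; the near-miss list is the quickest way to confirm whether a missing channel is a typo rather than a collection problem.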