Parse DNS Server - Analytical log to Wazuh

[Yap Toni]

Hi, 

I want to parse the log of Microsoft-Windows-DNSServer/Analytical in my windows server to my wazuh.

In my windows agent ossec.conf, I have added

<localfile>

 <location>Microsoft-Windows-DSNServer/Analytical</location>

 <log_format>eventchannel</log_format>

</localfile>

But still no receive the log in my wazuh.

Thank you

[hasitha.u...@wazuh.com]

Hi Yap,

I noticed that the location tag value in the shared configuration is misspelled. According to Microsoft-Windows-DNSServer/Analytical, it should be Windows-DNSServer, not Windows-DSNServer.

Therefore, please configure it as shown below in the agent ossec.conf file. <localfile> <location>Microsoft-Windows-DNSServer/Analytical</location> <log_format>eventchannel</log_format> </localfile>

Make sure to restart the Wazuh agent to apply changes.
Restart-Service -Name wazuh

However, you can check these logs reaching the Wazuh manager by enabling archives.json logs.
To capture the logs from archives.json, please follow these steps:
1. Enable log_all_json on Wazuh Manager
Update the ossec.conf file on the Wazuh manager to enable log_all_json.
2. Reproduce the Event
Trigger the event again to capture the relevant logs.
3. Extract Relevant Logs
Run the following command on the Wazuh manager:
       cat /var/ossec/logs/archives/archives.json | grep -iE "<related string>"
Replace <related string> with a relevant value from the log to filter the specific entries.
4. Disable log_all_json
After capturing the logs, disable log_all_json in the ossec.conf file to prevent excessive storage usage.
Share the sample log that you have taken from archives.json with us.
Ref: https://documentation.wazuh.com/current/user-manual/manager/event-logging.html#enabling-archiving

Warning
Keeping <logall_json>yes</logall_json> on can fill up your disk fast! Once you’re done troubleshooting, set it back to no in /var/ossec/etc/ossec.conf and restart the manager:
systemctl restart wazuh-manager

Please share the sample logs if you are able to capture from the archives.json logs.

Let me know the update on this.

[Yap Toni]

Hi Hasitha, 

Thank you for replying. I'm still unable to receive log in Wazuh. 

In my agent log, there is an error:

ERROR: Could not EvtSubscribe() for (Microsoft-Windows-DNSServer/Analytical) which returned (50)

Thank you

[hasitha.u...@wazuh.com]

Hi Yap,

It would be helpful if you could share sample JSON logs from the DNS Server logs. By default, Windows event logs are stored in EVTX format, so you’ll need to convert them to JSON first. You can follow the steps below to do that.

Step 1: Export DNS Server logs (EVTX)

1. Open Event Viewer.

2. Navigate to:
   Applications and Services Logs → Microsoft → Windows → DNS-Server.

3. Select the relevant Analytical log (if available).

4. Choose a few events, right-click, and select Save Selected Events.

5. Provide a file name and choose a location to save the .evtx file.

Step 2: Convert EVTX to JSON using wazuhevtx

1. Open PowerShell as Administrator.

2. Create a working directory and navigate to it:

   mkdir wazuhevtx cd wazuhevtx

3. Create and activate a Python virtual environment:

   python -m venv .venv .\.venv\Scripts\Activate.ps1

4. Install the wazuhevtx tool:

   pip install https://github.com/zbalkan/wazuhevtx/archive/refs/heads/main.zip

5. Verify the installation:

   pip show wazuhevtx

6. Convert the EVTX file to JSON:

   wazuhevtx /path/to/evtxfile

   Example:

   wazuhevtx D:\datasets\test.evtx

Step 3: Share the logs

After conversion, please share the JSON output.
Alternatively, you can share the EVTX file, and I can review it on my side.

Step 4: Testing with wazuh-logtest (workaround)

Since we are testing JSON logs (not event_channel format), a small workaround is required.

1. Navigate to:

   /var/ossec/ruleset/rules/0575-win-base_rules.xml

2. Update rule ID 60000 as shown below:

   1.   <rule id="60000" level="0">
   2. <!--    <category>ossec</category>
   3.    <decoded_as>windows_eventchannel</decoded_as> -->
   4.     <decoded_as>json</decoded_as>
   5.     <field name="win.system.providerName">\.+</field>
   6.     <options>no_full_log</options>
   7.     <description>Group of windows rules.</description>
   8.   </rule>

3. Use the wazuh-logtest utility to test the Windows JSON logs.

4. After testing, make sure to:

   • Roll back this rule to its default configuration

   • Restart the Wazuh manager

Please let me know once you’ve completed these steps or if you face any issues.

[Yap Toni]

Hi Hasitha,

I already able to collect the log after i enable the Debug Logging and store the log at C:\Logs\dns\dns.log

this is the output when i tail -f /var/ossec/logs/archives/archives.json | grep dns

{"timestamp":"2025-12-29T07:48:50.263+0000","rule":{"level":4,"description":"Forward DNS lookup detected","id":"100511","firedtimes":730,"mail":false,"groups":["local","dns"]},"agent":{"id":"003","name":"IDTJMMM-AD05","ip":"172.18.3.33"},"manager":{"name":"idtjmmm-waz02"},"id":"1766994530.16207343","full_log":"12/29/2025 2:48:36 PM 07F0 PACKET  00000236D22219A0 UDP Rcv 172.18.3.33     2097   Q [0001   D   NOERROR] SRV    (5)_ldap(4)_tcp(36)0be0c738-69f3-4a51-af5b-caba684379d1(7)domains(6)_msdcs(5)final(5)local(0)","decoder":{},"location":"C:\\Logs\\dns\\dns.log"}

In wazuh, I receive the full log:

12/29/2025 2:48:36 PM 07F0 PACKET  00000236D22219A0 UDP Rcv 172.18.3.33     2097   Q [0001   D   NOERROR] SRV    (5)_ldap(4)_tcp(36)0be0c738-69f3-4a51-af5b-caba684379d1(7)domains(6)_msdcs(5)final(5)local(0)

I want to view in my dashboard as:
Date   Time   Protocol   Direction   SourceIP   Domain
12/29/2025    2:48:36 PM    UDP    Rcv    172.18.3.33    _ldap._tcp.0be0c738-69f3-4a51-af5b-caba684379d1.domains._msdcs.final.local

Thanks

[hasitha.u...@wazuh.com]

Hi Yap,

I have created the custom decoder as you expected. However, for Domain, we could not extract the way you mentioned; we can extract the whole domain, which is outputted in the log.

1. <decoder name="dns_log_parent">
2. <prematch>\d+/\d+/\d+\s\d+:\d+:\d+\s\S+</prematch>
3. </decoder>
4.  
5. <decoder name="dns_log_child">
6. <parent>dns_log_parent</parent>
7. <regex>(\d+/\d+/\d+)\s(\d+:\d+:\d+\s\S+)</regex>
8. <order>Date,Time </order>
9. </decoder>
10.  
11. <decoder name="dns_log_child">
12. <parent>dns_log_parent</parent>
13. <regex>\.+\S+\s(\S+)\s(\S+)\s\d+.\d+.\d+.\d+</regex>
14. <order>Protocol,Direction</order>
15. </decoder>
16.  
17. <decoder name="dns_log_child">
18. <parent>dns_log_parent</parent>
19. <regex>\.+(\d+.\d+.\d+.\d+)</regex>
20. <order>SourceIP</order>
21. </decoder>
22.  
23. <decoder name="dns_log_child">
24. <parent>dns_log_parent</parent>
25. <regex>\.+SRV\s\s\s\s(\.+)</regex>
26. <order>Domain</order>
27. </decoder>

If you need it in this format
_ldap._tcp.0be0c738-69f3-4a51-af5b-caba684379d1.domains._msdcs.final.local,
then I believe you will need to write a custom script to transform those logs into the expected format and write them into a new log file.

After that, configure monitoring on this new log file instead of the original one. The script should continuously read the source log, wait until new entries are written, and then process and write them in the required format so they can be handled correctly.

You can make further changes to your decoder following these documents.

• Decoders Syntax
• Regular Expression Syntax
• Custom decoders

I can see that your custom rule is working fine. Therefore, link your custom decoder only to the parent rule, as shown below.
For example:

1. <group name="local,dns,">
2.  
3. <rule id="100500" level="3">
4. <decoded_as>dns_log_parent</decoded_as>
5. <description>DNS log messages grouped.</description>
6. </rule>
7.  
8. ------
9.  
10. </group>

You can learn further custom rule creation by referring to these documents.

• Rule syntax
• Custom Rules
• Custom decoder and rule creation blog

Let me know if you need further assistance on this.

[Yap Toni]

Hi Hasitha,

Thank you for your reply.

I've additional data to be extracted:

for example:
12/24/2025 2:10:13 PM 07F0 PACKET  00000236D0187960 UDP Rcv 172.18.3.33     6952   Q [0001   D   NOERROR] SOA    (5)final(5)local(0)

1 Date: 12/24/2025
2 Time: 2:10:13 PM
3 ThreadID: 07F0
4 Context: PACKET
5 InternalPacketIdentifier: 00000236D0187960
6 UDP/TCPIndicator: UDP
7 Send/ReceiveIndicator: Rcv
8 RemoteIP: 172.18.3.33
9 Xid: 6952
10 Query/Response: R = Response; blank = Query
11 Opcode: Q = Standard Query, N = Notify, U = Update, ? = Unknown
12 Flags: 0001
13 Flags(CharCodes): A = Authoritative Answer, T = Truncated Response, D = Recursion Desired, R = Recursion Available

14 ResponseCode: NOERROR

15 Question Type: SOA

16 Question Name: (5)final(5)local(0)

I've stucked til Context but unable to get the InternalPacketIdentifier.

Thank you

[hasitha.u...@wazuh.com]

Hi Yap,

As you mentioned, I have recreated the decoder for this sample log with expected fields.
Remove the existing decoders for this log and add the decoders below, and restart the Wazuh manager to apply changes.
Custom decoder creation path: /var/ossec/etc/decoders/

1. <decoder name="dns_log_parent">
2. <prematch>\d+/\d+/\d+\s\d+:\d+:\d+\s\S+</prematch>
3. </decoder>
4.  
5. <decoder name="dns_log_child">
6. <parent>dns_log_parent</parent>

1. <regex>(\d+/\d+/\d+)\s(\d+:\d+:\d+\s\S+)\s(\S+)\s(\S+)\s\s(\S+)\s(\S+)\s(\S+)\s(\d+.\d+.\d+.\d+)\.+(\d+)\s\s\s(\S+)\s[(\d+)\s\s\s(\S+)\s\s\s(\S+)]\s(\S+)\s\s\s\s(\S+)</regex>
2. <order>Date,Time,ThreadID,Context,InternalPacketIdentifier,Protocol,Send_ReceiveIndicator,SourceIP,Xid,Opcode,Flags,Flags_CharCodes,ResponseCode,Question_Type,Question_Name</order>
3. </decoder>

You can make further changes to your decoder following these documents.

• Decoders Syntax
• Regular Expression Syntax
• Custom decoders
  

Let me know the update on this.

[Yap Toni]

Hi Hasitha,

Thank you for the update.

But if I have these sample logs, how to do the regex?

1/5/2026 10:33:15 AM 1350 PACKET  00000236D2977CC0 UDP Rcv 172.18.3.34     000a   Q [0001   D   NOERROR] A      (3)www(9)microsoft(3)com(5)final(5)local(0)
1/5/2026 10:32:17 AM 1350 PACKET  00000236D32F99A0 UDP Rcv 210.210.145.204 56ac R Q [0084 A     NOERROR] A      (4)a767(6)dspw65(6)akamai(3)NET(0)

Thank you

[hasitha.u...@wazuh.com]

Hi Yap,

I have modified the child decoder and updated the regex to accurately capture all log formats. I used another child decoder with the same field names to capture the values using proper regex to handle the different log types, as some logs contain multiple spaces while others do not, and one log contains a numeric value, whereas the other contains a string.

Therefore, you can add the below decoders after the previous child decoder.

1. <decoder name="dns_log_child">
2. <parent>dns_log_parent</parent>

1. <regex>(\d+/\d+/\d+)\s(\d+:\d+:\d+\s\S+)\s(\d+)\s(\S+)\s\s(\S+)\s(\S+)\s(\S+)\s(\d+.\d+.\d+.\d+)\s\s\s\s\s(\S+)\s\s\s(\S+)\s[(\d+)\s\s\s(\S+)\s\s\s(\S+)]\s(\S+)\s\s\s\s\s\s(\S+)</regex>
2. <order>Date,Time,ThreadID,Context,InternalPacketIdentifier,Protocol,Send_ReceiveIndicator,SourceIP,Xid,Opcode,Flags,Flags_CharCodes,ResponseCode,Question_Type,Question_Name</order>
3. </decoder>
4.  

1. <decoder name="dns_log_child">
2. <parent>dns_log_parent</parent>

1. <regex>(\d+/\d+/\d+)\s(\d+:\d+:\d+\s\S+)\s(\d+)\s(\S+)\s\s(\S+)\s(\S+)\s(\S+)\s(\d+.\d+.\d+.\d+)\s(\S+)\s\S+\s(\S+)\s[(\d+)\s(\S+)\s\s\s\s\s(\S+)]\s(\S+)\s\s\s\s\s\s(\S+)</regex>
2. <order>Date,Time,ThreadID,Context,InternalPacketIdentifier,Protocol,Send_ReceiveIndicator,SourceIP,Xid,Opcode,Flags,Flags_CharCodes,ResponseCode,Question_Type,Question_Name</order>
3. </decoder>

If you have another log structure, you can expand this decoder by adding another child decoder with a relevant regex for that log.

You can make further changes to your decoder following these documents.

• Decoders Syntax
• Regular Expression Syntax
• Custom decoders

Let me know the update on this.

[Yap Toni]

Hi Hasitha,

Thank you for the decoder, but sorry, it doesn't fit yet.

For example,

Input 1:

1/5/2026 10:33:15 AM 1350 PACKET  00000236D2977CC0 UDP Rcv 172.18.3.34     000a   Q [0001   D   NOERROR] A      (3)www(9)microsoft(3)com(5)final(5)local(0)

Output 1:

Date: '1/5/2026'
Time: '10:33:15 AM'
ThreadID: '1350'
Context: 'PACKET'
InternalPacketIdentifier: '00000236D2977CC0'
Protocol: 'UDP'
Send_ReceiveIndicator: 'Rcv'
SourceIP: '172.18.3.34'
Xid: '000a'
Query_Response: ' '
Opcode: 'Q'
Flags: '0001'
Flags_CharCodes: '  D  '
ResponseCode: 'NOERROR'
Question_Type: 'A     '
Question_Name: '(3)www(9)microsoft(3)com(5)final(5)local(0)'

Input 2:

1/5/2026 10:32:17 AM 1350 PACKET  00000236D32F99A0 UDP Rcv 210.210.145.204 56ac R Q [0084 A     NOERROR] A      (4)a767(6)dspw65(6)akamai(3)NET(0)

Output 2:

Date: '1/5/2026'
Time: '10:32:17 AM'
ThreadID: '1350'
Context: 'PACKET'
InternalPacketIdentifier: '00000236D32F99A0'
Protocol: 'UDP'
Send_ReceiveIndicator: 'Rcv'
SourceIP: '210.210.145.204'
Xid: '56ac'
Query_Response: 'R'
Opcode: 'Q'
Flags: '0084'
Flags_CharCodes: 'A    '
ResponseCode: 'NOERROR'
Question_Type: 'A     '
Question_Name: '(4)a767(6)dspw65(6)akamai(3)NET(0)'

[hasitha.u...@wazuh.com]

Hi Tap Toni,

I’ve improved the decoder to capture the Query_Response, whether it is present or appears as a blank space, as you suggested.

Please replace the last two decoders for the mentioned log types with the updated versions below.

1. <decoder name="dns_log_child">
2. <parent>dns_log_parent</parent>

1. <regex>(\d+/\d+/\d+)\s(\d+:\d+:\d+\s\S+)\s(\d+)\s(\S+)\s\s(\S+)\s(\S+)\s(\S+)\s(\d+.\d+.\d+.\d+)\s\s\s\s\s(\S+)\s(\.)\s(\S+)\s[(\d+)\s\s\s(\S+)\s\s\s(\S+)]\s(\S+)\s\s\s\s\s\s(\S+)</regex>
2. <order>Date,Time,ThreadID,Context,InternalPacketIdentifier,Protocol,Send_ReceiveIndicator,SourceIP,Xid,Query_Response,Opcode,Flags,Flags_CharCodes,ResponseCode,Question_Type,Question_Name</order>

1. </decoder>
2.  
3. <decoder name="dns_log_child">
4. <parent>dns_log_parent</parent>

1. <regex>(\d+/\d+/\d+)\s(\d+:\d+:\d+\s\S+)\s(\d+)\s(\S+)\s\s(\S+)\s(\S+)\s(\S+)\s(\d+.\d+.\d+.\d+)\s(\S+)\s(\.)\s(\S+)\s[(\d+)\s(\S+)\s\s\s\s\s(\S+)]\s(\S+)\s\s\s\s\s\s(\S+)</regex>
2. <order>Date,Time,ThreadID,Context,InternalPacketIdentifier,Protocol,Send_ReceiveIndicator,SourceIP,Xid,Query_Response,Opcode,Flags,Flags_CharCodes,ResponseCode,Question_Type,Question_Name</order>
3. </decoder>

You can make further changes to your decoder following these documents.

• Decoders Syntax
• Regular Expression Syntax
• Custom decoders

I believe the above shared decoders resolved your issue. If you need any more help with this, please don't hesitate to let me know. 

[Yap Toni]

Hello Hasitha,

I would like to adjust my Flags_CharCodes so it must have 4 strings (include ' '. How to do it?

This is my current decoder.

<decoder name="dns_log_parent">
<prematch>\d+/\d+/\d+\s\d+:\d+:\d+\s\S+</prematch>
</decoder>

<decoder name="dns_log_child">
<parent>dns_log_parent</parent>

<regex>(\d+/\d+/\d+)\s(\d+:\d+:\d+\s\S+)\s(\S+)\s(\S+)\s\s(\S+)\s(\S+)\s(\S+)\s(\d+.\d+.\d+.\d+)\s+(\S+)\s(\.)\s(\S+)\s[(\d+)\s+(\.)\s(\S+)]\s(\S+)\s+(\S+)</regex>
<order>Date,Time,ThreadID,Context,InternalPacketIdentifier,UDP_TCPIndicator,Send_ReceiveIndicator,RemoteIP,Xid_hex,Query_Response,Opcode,Flags_hex,Flags_CharCodes,ResponseCode,Question_Type,Question_Name</order>

</decoder>

<decoder name="dns_log_child">
<parent>dns_log_parent</parent>

<regex>(\d+/\d+/\d+)\s(\d+:\d+:\d+\s\S+)\s(\S+)\s(\S+)\s\s(\S+)\s(\S+)\s(\S+)\s(\d+.\d+.\d+.\d+)\s+(\S+)\s(\.)\s(\S+)\s[(\d+)\s+(\S+)\s+(\S+)]\s(\S+)\s+(\S+)</regex>
<order>Date,Time,ThreadID,Context,InternalPacketIdentifier,UDP_TCPIndicator,Send_ReceiveIndicator,RemoteIP,Xid_hex,Query_Response,Opcode,Flags_hex,Flags_CharCodes,ResponseCode,Question_Type,Question_Name</order>
</decoder>

<decoder name="dns_log_child">
<parent>dns_log_parent</parent>

<regex>(\d+/\d+/\d+)\s(\d+:\d+:\d+\s\S+)\s(\S+)\s(\S+)\s\s(\S+)\s(\S+)\s(\S+)\s(\d+.\d+.\d+.\d+)\s+(\S+)\s(\S+)\s(\S+)\s[(\d+)\s(\S\.\S\S)\s+(\S+)\s+(\S+)</regex>
<order>Date,Time,ThreadID,Context,InternalPacketIdentifier,UDP_TCPIndicator,Send_ReceiveIndicator,RemoteIP,Xid_hex,Query_Response,Opcode,Flags_hex,Flags_CharCodes,ResponseCode,Question_Type,Question_Name</order>
</decoder>

I have highlight my Flags_CharCodes. They able to fit my logs:

1/7/2026 11:53:12 AM 0F3C PACKET  0000023183D51EA0 UDP Snd 192.112.36.4    2e4a   Q [0000       NOERROR] A      (1)M(12)ROOT-SERVERS(3)NET(0)
1/7/2026 11:49:40 AM 07F0 PACKET  00000236D18E74F0 UDP Rcv 172.18.3.31     cde8   Q [0001   D   NOERROR] SRV    (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(12)idtjmmm-ad05(5)final(5)local(0)
12/24/2025 12:10:13 PM 07F0 PACKET  00000236D0187960 UDP Rcv 172.18.3.33     6952   Q [0001   D   NOERROR] SOA    (5)final(5)local(0)
1/7/2026 2:36:39 PM 1350 PACKET  00000236D0B77CC0 UDP Snd 172.18.3.34     0868 R Q [8085 A DR  NOERROR] A      (12)IDTJMMM-AD05(5)final(5)local(0)

But currently it only show

Flags_CharCodes = ' ', 'D', 'D', 'A DR'. How to adjust so it should be:

Flags_CharCodes = '    ', '  D ', '  D ', 'A DR'.

Thank you.

[hasitha.u...@wazuh.com]

Hi Yap,

I have simplified the decoders as shown below. I noticed that all logs up to 1/5/2026 10:33:15 AM 1350 PACKET  00000236D2977CC0 UDP Rcv 172.18.3.34 this point, and match the same regex pattern. After this point, the value structure is changing.

Therefore, I have rewritten the decoders as you suggested. With this approach, they will match all the expected values shared so far belongs to logs.

<decoder name="dns_log_parent">

<prematch>\d+/\d+/\d+\s\d+:\d+:\d+\s\S+</prematch>

</decoder>

<decoder name="dns_log_child">

<parent>dns_log_parent</parent>

<regex>(\d+/\d+/\d+)\s(\d+:\d+:\d+\s\S+)\s(\S+)\s(\S+)\s\s(\S+)\s(\S+)\s(\S+)\s(\d+.\d+.\d+.\d+)</regex>

<order>Date,Time,ThreadID,Context,InternalPacketIdentifier,Protocol,Send_ReceiveIndicator,SourceIP</order>

</decoder>

<decoder name="dns_log_child">

<parent>dns_log_parent</parent>

<regex offset="after_regex">\.+(\S+)\s(\.)\s(\.)\s</regex>

<order>Xid,Query_Response,Opcode</order>

</decoder>

<decoder name="dns_log_child">

<parent>dns_log_parent</parent>

<regex offset="after_regex">[(\d+)\s(\.+)\s\s(\.+)]\s(\.+)\s\s\s\s(\.+)</regex>

<order>Flags,Flags_CharCodes,ResponseCode,Question_Type,Question_Name</order>

</decoder>

Furthermore, I suggest you check these documents to modify or add more decoders according to your logs.

• Decoders Syntax
• Regular Expression Syntax
• Custom decoders

Let me know if you need further assistance on this.