Extracting responses from Microsoft DNS Server Analytical logs The 2019 Stack Overflow Developer Survey Results Are InThe DNS server machine currently has no DNS domain namePossible to forward logs for microsoft productsLog Location Url Responses of 301 redirects from IISDNS Configurations for Microsoft VDI on Hyper-V Server 2012How to configure Parallels Plesk 11 to use Google DNS serverIs it possible to update third party software using Microsoft Windows Server Update ServicesHow to find reason behind changed state of virtual machines?Windows DNS server randomly responds/times outnxlog get logs from applications and services logsOWA error: Exception type: Microsoft.Exchange.Data.Storage.StorageTransientException

Does adding complexity mean a more secure cipher?

Using `min_active_rowversion` for global temporary tables

Why not take a picture of a closer black hole?

How to support a colleague who finds meetings extremely tiring?

Cooking pasta in a water boiler

What is the motivation for a law requiring 2 parties to consent for recording a conversation

Mathematics of imaging the black hole

ELI5: Why do they say that Israel would have been the fourth country to land a spacecraft on the Moon and why do they call it low cost?

Did the UK government pay "millions and millions of dollars" to try to snag Julian Assange?

Are Newtonian Mechanics considered to be 'falsified'?

Why don't hard Brexiteers insist on a hard border to prevent illegal immigration after Brexit?

Did Scotland spend $250,000 for the slogan "Welcome to Scotland"?

What was the last CPU that did not have the x87 floating-point unit built in?

Am I ethically obligated to go into work on an off day if the reason is sudden?

What do I do when my TA workload is more than expected?

Loose spokes after only a few rides

Button changing its text & action. Good or terrible?

Deal with toxic manager when you can't quit

Christmas short horror story about a woman who becomes trapped in another body?

Accepted by European university, rejected by all American ones I applied to? Possible reasons?

What does 白沾 mean here?

Falsification in Math vs Science

Why can't devices on different VLANs, but on the same subnet, communicate?

Is there a way to generate a uniformly distributed point on a sphere from a fixed amount of random real numbers?



Extracting responses from Microsoft DNS Server Analytical logs



The 2019 Stack Overflow Developer Survey Results Are InThe DNS server machine currently has no DNS domain namePossible to forward logs for microsoft productsLog Location Url Responses of 301 redirects from IISDNS Configurations for Microsoft VDI on Hyper-V Server 2012How to configure Parallels Plesk 11 to use Google DNS serverIs it possible to update third party software using Microsoft Windows Server Update ServicesHow to find reason behind changed state of virtual machines?Windows DNS server randomly responds/times outnxlog get logs from applications and services logsOWA error: Exception type: Microsoft.Exchange.Data.Storage.StorageTransientException



.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;








0















Is it possible to extract the DNS responses from Microsoft DNS Server Analytical logs (Microsoft-Windows-DNS-Server/Analytical)? The logs contain a field called "PacketData" in the EventData section of the event, but so far I have unable to extract anything useful from the PacketData field.






windows logging dns-server parsing







share|improve this question






















  • Why do you want to track responses? You could just send a request to see the same answer. As of today, there is no way to extract given responses (aka "how many time google.com has been requested and by whom").

    – bjoster
    yesterday











  • @bjoster: Basically for passive DNS purposes.

    – treiman
    23 hours ago

















0















Is it possible to extract the DNS responses from Microsoft DNS Server Analytical logs (Microsoft-Windows-DNS-Server/Analytical)? The logs contain a field called "PacketData" in the EventData section of the event, but so far I have unable to extract anything useful from the PacketData field.






windows logging dns-server parsing







share|improve this question






















  • Why do you want to track responses? You could just send a request to see the same answer. As of today, there is no way to extract given responses (aka "how many time google.com has been requested and by whom").

    – bjoster
    yesterday











  • @bjoster: Basically for passive DNS purposes.

    – treiman
    23 hours ago













0












0








0








Is it possible to extract the DNS responses from Microsoft DNS Server Analytical logs (Microsoft-Windows-DNS-Server/Analytical)? The logs contain a field called "PacketData" in the EventData section of the event, but so far I have unable to extract anything useful from the PacketData field.






windows logging dns-server parsing







share|improve this question














Is it possible to extract the DNS responses from Microsoft DNS Server Analytical logs (Microsoft-Windows-DNS-Server/Analytical)? The logs contain a field called "PacketData" in the EventData section of the event, but so far I have unable to extract anything useful from the PacketData field.






windows logging dns-server parsing




windows logging dns-server parsing






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Mar 26 at 12:43









treimantreiman

23114




23114












  • Why do you want to track responses? You could just send a request to see the same answer. As of today, there is no way to extract given responses (aka "how many time google.com has been requested and by whom").

    – bjoster
    yesterday











  • @bjoster: Basically for passive DNS purposes.

    – treiman
    23 hours ago

















  • Why do you want to track responses? You could just send a request to see the same answer. As of today, there is no way to extract given responses (aka "how many time google.com has been requested and by whom").

    – bjoster
    yesterday











  • @bjoster: Basically for passive DNS purposes.

    – treiman
    23 hours ago
















Why do you want to track responses? You could just send a request to see the same answer. As of today, there is no way to extract given responses (aka "how many time google.com has been requested and by whom").

– bjoster
yesterday





Why do you want to track responses? You could just send a request to see the same answer. As of today, there is no way to extract given responses (aka "how many time google.com has been requested and by whom").

– bjoster
yesterday













@bjoster: Basically for passive DNS purposes.

– treiman
23 hours ago





@bjoster: Basically for passive DNS purposes.

– treiman
23 hours ago










1 Answer
1






active

oldest

votes


















0














There are two places to find Windows DNS server logs - first, as you mentioned is via the DNS debug log file. There is also data available via Windows ETW Providers (Microsoft-Windows-DNS-Server-Service, Microsoft-Windows-DNSServer). I've used something like Microsoft Message Analyzer to do an event trace session, also a log collector NXLog (note: am involved in that project) to collect event trace data from the ETW Provider and write these out to JSON.



I know for sure that the PacketData field is found when you do an ETW trace of the Microsoft-Windows-DNSServer ETW Provider. See below for an excerpt using NXLog im_etw module with the JSON output. 



 
"EventTime": "2017-03-10 09:51:03",
"Provider": "Microsoft-Windows-DNSServer",
"TCP": "0",
"InterfaceIP": "10.2.0.162",
"Source": "10.2.0.198",
"RD": "1",
"QNAME": "nickelfreesolutions.com.",
"QTYPE": "1",
"XID": "11675",
"Port": "22416",
"Flags": "256",
"BufferSize": "41",
"PacketData":
"0x2D9B01000001000000000000136E69636B656C66726565736F6C7574696F6E7303636F6D0000010001",
"EventReceivedTime": "2017-03-10 09:51:04",
"SourceModuleName": "etw_in",
"SourceModuleType": "im_etw"






share|improve this answer























    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "2"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f960037%2fextracting-responses-from-microsoft-dns-server-analytical-logs%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    There are two places to find Windows DNS server logs - first, as you mentioned is via the DNS debug log file. There is also data available via Windows ETW Providers (Microsoft-Windows-DNS-Server-Service, Microsoft-Windows-DNSServer). I've used something like Microsoft Message Analyzer to do an event trace session, also a log collector NXLog (note: am involved in that project) to collect event trace data from the ETW Provider and write these out to JSON.



    I know for sure that the PacketData field is found when you do an ETW trace of the Microsoft-Windows-DNSServer ETW Provider. See below for an excerpt using NXLog im_etw module with the JSON output. 



     
    "EventTime": "2017-03-10 09:51:03",
    "Provider": "Microsoft-Windows-DNSServer",
    "TCP": "0",
    "InterfaceIP": "10.2.0.162",
    "Source": "10.2.0.198",
    "RD": "1",
    "QNAME": "nickelfreesolutions.com.",
    "QTYPE": "1",
    "XID": "11675",
    "Port": "22416",
    "Flags": "256",
    "BufferSize": "41",
    "PacketData":
    "0x2D9B01000001000000000000136E69636B656C66726565736F6C7574696F6E7303636F6D0000010001",
    "EventReceivedTime": "2017-03-10 09:51:04",
    "SourceModuleName": "etw_in",
    "SourceModuleType": "im_etw"






    share|improve this answer



























      0














      There are two places to find Windows DNS server logs - first, as you mentioned is via the DNS debug log file. There is also data available via Windows ETW Providers (Microsoft-Windows-DNS-Server-Service, Microsoft-Windows-DNSServer). I've used something like Microsoft Message Analyzer to do an event trace session, also a log collector NXLog (note: am involved in that project) to collect event trace data from the ETW Provider and write these out to JSON.



      I know for sure that the PacketData field is found when you do an ETW trace of the Microsoft-Windows-DNSServer ETW Provider. See below for an excerpt using NXLog im_etw module with the JSON output. 



       
      "EventTime": "2017-03-10 09:51:03",
      "Provider": "Microsoft-Windows-DNSServer",
      "TCP": "0",
      "InterfaceIP": "10.2.0.162",
      "Source": "10.2.0.198",
      "RD": "1",
      "QNAME": "nickelfreesolutions.com.",
      "QTYPE": "1",
      "XID": "11675",
      "Port": "22416",
      "Flags": "256",
      "BufferSize": "41",
      "PacketData":
      "0x2D9B01000001000000000000136E69636B656C66726565736F6C7574696F6E7303636F6D0000010001",
      "EventReceivedTime": "2017-03-10 09:51:04",
      "SourceModuleName": "etw_in",
      "SourceModuleType": "im_etw"






      share|improve this answer

























        0












        0








        0







        There are two places to find Windows DNS server logs - first, as you mentioned is via the DNS debug log file. There is also data available via Windows ETW Providers (Microsoft-Windows-DNS-Server-Service, Microsoft-Windows-DNSServer). I've used something like Microsoft Message Analyzer to do an event trace session, also a log collector NXLog (note: am involved in that project) to collect event trace data from the ETW Provider and write these out to JSON.



        I know for sure that the PacketData field is found when you do an ETW trace of the Microsoft-Windows-DNSServer ETW Provider. See below for an excerpt using NXLog im_etw module with the JSON output. 



         
        "EventTime": "2017-03-10 09:51:03",
        "Provider": "Microsoft-Windows-DNSServer",
        "TCP": "0",
        "InterfaceIP": "10.2.0.162",
        "Source": "10.2.0.198",
        "RD": "1",
        "QNAME": "nickelfreesolutions.com.",
        "QTYPE": "1",
        "XID": "11675",
        "Port": "22416",
        "Flags": "256",
        "BufferSize": "41",
        "PacketData":
        "0x2D9B01000001000000000000136E69636B656C66726565736F6C7574696F6E7303636F6D0000010001",
        "EventReceivedTime": "2017-03-10 09:51:04",
        "SourceModuleName": "etw_in",
        "SourceModuleType": "im_etw"






        share|improve this answer













        There are two places to find Windows DNS server logs - first, as you mentioned is via the DNS debug log file. There is also data available via Windows ETW Providers (Microsoft-Windows-DNS-Server-Service, Microsoft-Windows-DNSServer). I've used something like Microsoft Message Analyzer to do an event trace session, also a log collector NXLog (note: am involved in that project) to collect event trace data from the ETW Provider and write these out to JSON.



        I know for sure that the PacketData field is found when you do an ETW trace of the Microsoft-Windows-DNSServer ETW Provider. See below for an excerpt using NXLog im_etw module with the JSON output. 



         
        "EventTime": "2017-03-10 09:51:03",
        "Provider": "Microsoft-Windows-DNSServer",
        "TCP": "0",
        "InterfaceIP": "10.2.0.162",
        "Source": "10.2.0.198",
        "RD": "1",
        "QNAME": "nickelfreesolutions.com.",
        "QTYPE": "1",
        "XID": "11675",
        "Port": "22416",
        "Flags": "256",
        "BufferSize": "41",
        "PacketData":
        "0x2D9B01000001000000000000136E69636B656C66726565736F6C7574696F6E7303636F6D0000010001",
        "EventReceivedTime": "2017-03-10 09:51:04",
        "SourceModuleName": "etw_in",
        "SourceModuleType": "im_etw"







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered 15 mins ago









        NASAhorseNASAhorse

        13




        13



























            draft saved

            draft discarded
















































            Thanks for contributing an answer to Server Fault!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f960037%2fextracting-responses-from-microsoft-dns-server-analytical-logs%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            How to make RAID controller rescan devices The 2019 Stack Overflow Developer Survey Results Are InLSI MegaRAID SAS 9261-8i: Disk isn't recognized after replacementHow to monitor the hard disk status behind Dell PERC H710 Raid Controller with CentOS 6?LSI MegaRAID - Recreate missing RAID 1 arrayext. 2-bay USB-Drive with RAID: btrfs RAID vs built-in RAIDInvalid SAS topologyDoes enabling JBOD mode on LSI based controllers affect existing logical disks/arrays?Why is there a shift between the WWN reported from the controller and the Linux system?Optimal RAID 6+0 Setup for 40+ 4TB DisksAccidental SAS cable removal

            Image
            Is "plugging out" electronic devices an American expression? Does a dangling wire really electrocute me if I'm standing in water? Adding labels to a table: columns and rows Spanish for "widget" Landlord wants to switch my lease to a "Land contract" to "get back at the city" Lethal sonic weapons On the insanity of kings as an argument against monarchy Is there a general name for the setup in which payoffs are not known exactly but players try to influence each other's perception of the payoffs? How long do I have to send my income tax payment to the IRS? Geography at the pixel level Can a zener diode with a higher power dissipation be used in place of the original one in an audio amplifier? How can I make payments on the Internet without leaving a money trail? What can other administrators access on my machine? Understanding the implication of what "well-defined" means for the operation in quotient group
            Read more

            Куамањотепек (Чилапа де Алварез) Садржај Становништво Види још Референце Спољашње везе Мени за навигацију17°19′47″N 99°1′51″W / 17.32972° СГШ; 99.03083° ЗГД / 17.32972; -99.0308317°19′47″N 99°1′51″W / 17.32972° СГШ; 99.03083° ЗГД / 17.32972; -99.030838877656„Instituto Nacional de Estadística y Geografía”„The GeoNames geographical database”Мексичка насељапроширитиуу

            Image
            Насеља у општини Чилапа де Алварез (Гереро) шп.МексикуГерероопштиниЧилапа де Алварезнадморској висини2010 (function()var node=document.getElementById("mw-dismissablenotice-anonplace");if(node)node.outerHTML="u003Cdiv class="mw-dismissable-notice"u003Eu003Cdiv class="mw-dismissable-notice-close"u003E[u003Ca tabindex="0" role="button"u003Eсакријu003C/au003E]u003C/divu003Eu003Cdiv class="mw-dismissable-notice-body"u003Eu003Cdiv id="localNotice" lang="sr" dir="ltr"u003Eu003Cdiv class="noticebanner"u003Eu003Cdiv class="plainlinks" style="background-image: -moz-linear-gradient(top, #fefefe, #fefefe, #f0f0f0); background-image: -o-linear-gradient(top, #fefefe, #fefefe, #f0f0f0); background-image: -webkit-linear-gradient(top, #fefefe, #fefefe, #f0f0f0); background-image: linear-gradient(to bottom, #fefefe, #fefefe, #f0f0f0);; -moz-border-radius: 10px; -webkit-border-rad
            Read more

            Can the Right Ascension and Argument of Perigee of a spacecraft's orbit keep varying by themselves with time? The 2019 Stack Overflow Developer Survey Results Are InHow is the altitude of a satellite defined, given that the Earth is not spherical?Why do satellites appear to move faster when overhead and slower closer to the horizon?For the mathematical relationship between J2 (km^5/s^2) and dimensionless J2 - which one is derived from the other?Why is Nodal precession affected by the rotational period of the planet?Why is it so difficult to predict the exact reentry location and time of a very low earth orbit object?Why are low earth orbit satellites not visible from the same place all the time?Perifocal coordinates and the orbit equationHow feasible is the Moonspike mission?What was the typical perigee after a shuttle de-orbit burn?I am having trouble calculating my classic orbital elements and am at a loss on where to lookAm I supposed to modify the gravitational constant with scale and why do fps & time scale changes cause my orbit to break?How Local time of a sun synchronous orbit is related to Right ascension of ascending node?What is wrong with my orbit sim equations? How can I fix them?How to obtain the initial positions and velocities of an inclined orbit?

            Image
            Why is this recursive code so slow? Button changing its text & action. Good or terrible? What do I do when my TA workload is more than expected? What is the most efficient way to store a numeric range? Why are there uneven bright areas in this photo of black hole? Why can't wing-mounted spoilers be used to steepen approaches? What aspect of planet earth must be changed to prevent the industrial revolution? Deal with toxic manager when you can't quit Single author papers against my advisor's will? Did any laptop computers have a built-in 5 1/4 inch floppy drive? How can I add encounters in the Lost Mine of Phandelver campaign without giving PCs too much XP? How many cones with angle theta can I pack into the unit sphere? Why did Peik say, "I'm not an animal"? How do I free up internal storage if I don't have any apps downloaded? How to read αἱμύλιος or when to aspirate Question on an engine pulling a train Why can't d
            Read more