Extracting responses from Microsoft DNS Server Analytical logs The 2019 Stack Overflow Developer Survey Results Are InThe DNS server machine currently has no DNS domain namePossible to forward logs for microsoft productsLog Location Url Responses of 301 redirects from IISDNS Configurations for Microsoft VDI on Hyper-V Server 2012How to configure Parallels Plesk 11 to use Google DNS serverIs it possible to update third party software using Microsoft Windows Server Update ServicesHow to find reason behind changed state of virtual machines?Windows DNS server randomly responds/times outnxlog get logs from applications and services logsOWA error: Exception type: Microsoft.Exchange.Data.Storage.StorageTransientException

Does adding complexity mean a more secure cipher?

Using `min_active_rowversion` for global temporary tables

Why not take a picture of a closer black hole?

How to support a colleague who finds meetings extremely tiring?

Cooking pasta in a water boiler

What is the motivation for a law requiring 2 parties to consent for recording a conversation

Mathematics of imaging the black hole

ELI5: Why do they say that Israel would have been the fourth country to land a spacecraft on the Moon and why do they call it low cost?

Did the UK government pay "millions and millions of dollars" to try to snag Julian Assange?

Are Newtonian Mechanics considered to be 'falsified'?

Why don't hard Brexiteers insist on a hard border to prevent illegal immigration after Brexit?

Did Scotland spend $250,000 for the slogan "Welcome to Scotland"?

What was the last CPU that did not have the x87 floating-point unit built in?

Am I ethically obligated to go into work on an off day if the reason is sudden?

What do I do when my TA workload is more than expected?

Loose spokes after only a few rides

Button changing its text & action. Good or terrible?

Deal with toxic manager when you can't quit

Christmas short horror story about a woman who becomes trapped in another body?

Accepted by European university, rejected by all American ones I applied to? Possible reasons?

What does 白沾 mean here?

Falsification in Math vs Science

Why can't devices on different VLANs, but on the same subnet, communicate?

Is there a way to generate a uniformly distributed point on a sphere from a fixed amount of random real numbers?



Extracting responses from Microsoft DNS Server Analytical logs



The 2019 Stack Overflow Developer Survey Results Are InThe DNS server machine currently has no DNS domain namePossible to forward logs for microsoft productsLog Location Url Responses of 301 redirects from IISDNS Configurations for Microsoft VDI on Hyper-V Server 2012How to configure Parallels Plesk 11 to use Google DNS serverIs it possible to update third party software using Microsoft Windows Server Update ServicesHow to find reason behind changed state of virtual machines?Windows DNS server randomly responds/times outnxlog get logs from applications and services logsOWA error: Exception type: Microsoft.Exchange.Data.Storage.StorageTransientException



.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;








0















Is it possible to extract the DNS responses from Microsoft DNS Server Analytical logs (Microsoft-Windows-DNS-Server/Analytical)? The logs contain a field called "PacketData" in the EventData section of the event, but so far I have unable to extract anything useful from the PacketData field.






windows logging dns-server parsing







share|improve this question






















  • Why do you want to track responses? You could just send a request to see the same answer. As of today, there is no way to extract given responses (aka "how many time google.com has been requested and by whom").

    – bjoster
    yesterday











  • @bjoster: Basically for passive DNS purposes.

    – treiman
    23 hours ago

















0















Is it possible to extract the DNS responses from Microsoft DNS Server Analytical logs (Microsoft-Windows-DNS-Server/Analytical)? The logs contain a field called "PacketData" in the EventData section of the event, but so far I have unable to extract anything useful from the PacketData field.






windows logging dns-server parsing







share|improve this question






















  • Why do you want to track responses? You could just send a request to see the same answer. As of today, there is no way to extract given responses (aka "how many time google.com has been requested and by whom").

    – bjoster
    yesterday











  • @bjoster: Basically for passive DNS purposes.

    – treiman
    23 hours ago













0












0








0








Is it possible to extract the DNS responses from Microsoft DNS Server Analytical logs (Microsoft-Windows-DNS-Server/Analytical)? The logs contain a field called "PacketData" in the EventData section of the event, but so far I have unable to extract anything useful from the PacketData field.






windows logging dns-server parsing







share|improve this question














Is it possible to extract the DNS responses from Microsoft DNS Server Analytical logs (Microsoft-Windows-DNS-Server/Analytical)? The logs contain a field called "PacketData" in the EventData section of the event, but so far I have unable to extract anything useful from the PacketData field.






windows logging dns-server parsing




windows logging dns-server parsing






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Mar 26 at 12:43









treimantreiman

23114




23114












  • Why do you want to track responses? You could just send a request to see the same answer. As of today, there is no way to extract given responses (aka "how many time google.com has been requested and by whom").

    – bjoster
    yesterday











  • @bjoster: Basically for passive DNS purposes.

    – treiman
    23 hours ago

















  • Why do you want to track responses? You could just send a request to see the same answer. As of today, there is no way to extract given responses (aka "how many time google.com has been requested and by whom").

    – bjoster
    yesterday











  • @bjoster: Basically for passive DNS purposes.

    – treiman
    23 hours ago
















Why do you want to track responses? You could just send a request to see the same answer. As of today, there is no way to extract given responses (aka "how many time google.com has been requested and by whom").

– bjoster
yesterday





Why do you want to track responses? You could just send a request to see the same answer. As of today, there is no way to extract given responses (aka "how many time google.com has been requested and by whom").

– bjoster
yesterday













@bjoster: Basically for passive DNS purposes.

– treiman
23 hours ago





@bjoster: Basically for passive DNS purposes.

– treiman
23 hours ago










1 Answer
1






active

oldest

votes


















0














There are two places to find Windows DNS server logs - first, as you mentioned is via the DNS debug log file. There is also data available via Windows ETW Providers (Microsoft-Windows-DNS-Server-Service, Microsoft-Windows-DNSServer). I've used something like Microsoft Message Analyzer to do an event trace session, also a log collector NXLog (note: am involved in that project) to collect event trace data from the ETW Provider and write these out to JSON.



I know for sure that the PacketData field is found when you do an ETW trace of the Microsoft-Windows-DNSServer ETW Provider. See below for an excerpt using NXLog im_etw module with the JSON output. 



 
"EventTime": "2017-03-10 09:51:03",
"Provider": "Microsoft-Windows-DNSServer",
"TCP": "0",
"InterfaceIP": "10.2.0.162",
"Source": "10.2.0.198",
"RD": "1",
"QNAME": "nickelfreesolutions.com.",
"QTYPE": "1",
"XID": "11675",
"Port": "22416",
"Flags": "256",
"BufferSize": "41",
"PacketData":
"0x2D9B01000001000000000000136E69636B656C66726565736F6C7574696F6E7303636F6D0000010001",
"EventReceivedTime": "2017-03-10 09:51:04",
"SourceModuleName": "etw_in",
"SourceModuleType": "im_etw"






share|improve this answer























    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "2"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f960037%2fextracting-responses-from-microsoft-dns-server-analytical-logs%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    There are two places to find Windows DNS server logs - first, as you mentioned is via the DNS debug log file. There is also data available via Windows ETW Providers (Microsoft-Windows-DNS-Server-Service, Microsoft-Windows-DNSServer). I've used something like Microsoft Message Analyzer to do an event trace session, also a log collector NXLog (note: am involved in that project) to collect event trace data from the ETW Provider and write these out to JSON.



    I know for sure that the PacketData field is found when you do an ETW trace of the Microsoft-Windows-DNSServer ETW Provider. See below for an excerpt using NXLog im_etw module with the JSON output. 



     
    "EventTime": "2017-03-10 09:51:03",
    "Provider": "Microsoft-Windows-DNSServer",
    "TCP": "0",
    "InterfaceIP": "10.2.0.162",
    "Source": "10.2.0.198",
    "RD": "1",
    "QNAME": "nickelfreesolutions.com.",
    "QTYPE": "1",
    "XID": "11675",
    "Port": "22416",
    "Flags": "256",
    "BufferSize": "41",
    "PacketData":
    "0x2D9B01000001000000000000136E69636B656C66726565736F6C7574696F6E7303636F6D0000010001",
    "EventReceivedTime": "2017-03-10 09:51:04",
    "SourceModuleName": "etw_in",
    "SourceModuleType": "im_etw"






    share|improve this answer



























      0














      There are two places to find Windows DNS server logs - first, as you mentioned is via the DNS debug log file. There is also data available via Windows ETW Providers (Microsoft-Windows-DNS-Server-Service, Microsoft-Windows-DNSServer). I've used something like Microsoft Message Analyzer to do an event trace session, also a log collector NXLog (note: am involved in that project) to collect event trace data from the ETW Provider and write these out to JSON.



      I know for sure that the PacketData field is found when you do an ETW trace of the Microsoft-Windows-DNSServer ETW Provider. See below for an excerpt using NXLog im_etw module with the JSON output. 



       
      "EventTime": "2017-03-10 09:51:03",
      "Provider": "Microsoft-Windows-DNSServer",
      "TCP": "0",
      "InterfaceIP": "10.2.0.162",
      "Source": "10.2.0.198",
      "RD": "1",
      "QNAME": "nickelfreesolutions.com.",
      "QTYPE": "1",
      "XID": "11675",
      "Port": "22416",
      "Flags": "256",
      "BufferSize": "41",
      "PacketData":
      "0x2D9B01000001000000000000136E69636B656C66726565736F6C7574696F6E7303636F6D0000010001",
      "EventReceivedTime": "2017-03-10 09:51:04",
      "SourceModuleName": "etw_in",
      "SourceModuleType": "im_etw"






      share|improve this answer

























        0












        0








        0







        There are two places to find Windows DNS server logs - first, as you mentioned is via the DNS debug log file. There is also data available via Windows ETW Providers (Microsoft-Windows-DNS-Server-Service, Microsoft-Windows-DNSServer). I've used something like Microsoft Message Analyzer to do an event trace session, also a log collector NXLog (note: am involved in that project) to collect event trace data from the ETW Provider and write these out to JSON.



        I know for sure that the PacketData field is found when you do an ETW trace of the Microsoft-Windows-DNSServer ETW Provider. See below for an excerpt using NXLog im_etw module with the JSON output. 



         
        "EventTime": "2017-03-10 09:51:03",
        "Provider": "Microsoft-Windows-DNSServer",
        "TCP": "0",
        "InterfaceIP": "10.2.0.162",
        "Source": "10.2.0.198",
        "RD": "1",
        "QNAME": "nickelfreesolutions.com.",
        "QTYPE": "1",
        "XID": "11675",
        "Port": "22416",
        "Flags": "256",
        "BufferSize": "41",
        "PacketData":
        "0x2D9B01000001000000000000136E69636B656C66726565736F6C7574696F6E7303636F6D0000010001",
        "EventReceivedTime": "2017-03-10 09:51:04",
        "SourceModuleName": "etw_in",
        "SourceModuleType": "im_etw"






        share|improve this answer













        There are two places to find Windows DNS server logs - first, as you mentioned is via the DNS debug log file. There is also data available via Windows ETW Providers (Microsoft-Windows-DNS-Server-Service, Microsoft-Windows-DNSServer). I've used something like Microsoft Message Analyzer to do an event trace session, also a log collector NXLog (note: am involved in that project) to collect event trace data from the ETW Provider and write these out to JSON.



        I know for sure that the PacketData field is found when you do an ETW trace of the Microsoft-Windows-DNSServer ETW Provider. See below for an excerpt using NXLog im_etw module with the JSON output. 



         
        "EventTime": "2017-03-10 09:51:03",
        "Provider": "Microsoft-Windows-DNSServer",
        "TCP": "0",
        "InterfaceIP": "10.2.0.162",
        "Source": "10.2.0.198",
        "RD": "1",
        "QNAME": "nickelfreesolutions.com.",
        "QTYPE": "1",
        "XID": "11675",
        "Port": "22416",
        "Flags": "256",
        "BufferSize": "41",
        "PacketData":
        "0x2D9B01000001000000000000136E69636B656C66726565736F6C7574696F6E7303636F6D0000010001",
        "EventReceivedTime": "2017-03-10 09:51:04",
        "SourceModuleName": "etw_in",
        "SourceModuleType": "im_etw"







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered 15 mins ago









        NASAhorseNASAhorse

        13




        13



























            draft saved

            draft discarded
















































            Thanks for contributing an answer to Server Fault!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f960037%2fextracting-responses-from-microsoft-dns-server-analytical-logs%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            How to make RAID controller rescan devices The 2019 Stack Overflow Developer Survey Results Are InLSI MegaRAID SAS 9261-8i: Disk isn't recognized after replacementHow to monitor the hard disk status behind Dell PERC H710 Raid Controller with CentOS 6?LSI MegaRAID - Recreate missing RAID 1 arrayext. 2-bay USB-Drive with RAID: btrfs RAID vs built-in RAIDInvalid SAS topologyDoes enabling JBOD mode on LSI based controllers affect existing logical disks/arrays?Why is there a shift between the WWN reported from the controller and the Linux system?Optimal RAID 6+0 Setup for 40+ 4TB DisksAccidental SAS cable removal

            Image
            Is "plugging out" electronic devices an American expression? Does a dangling wire really electrocute me if I'm standing in water? Adding labels to a table: columns and rows Spanish for "widget" Landlord wants to switch my lease to a "Land contract" to "get back at the city" Lethal sonic weapons On the insanity of kings as an argument against monarchy Is there a general name for the setup in which payoffs are not known exactly but players try to influence each other's perception of the payoffs? How long do I have to send my income tax payment to the IRS? Geography at the pixel level Can a zener diode with a higher power dissipation be used in place of the original one in an audio amplifier? How can I make payments on the Internet without leaving a money trail? What can other administrators access on my machine? Understanding the implication of what "well-defined" means for the operation in quotient group...
            Read more

            How can I have a shield and a way of attacking at distance at the same time? The 2019 Stack Overflow Developer Survey Results Are InDoes the Thrown property mean I can attack with my DEX?Is it possible to build a custom weapon, and if so, how will my character be able to use it?Can the Ghost Touch weapon property allow an attacker to perform incorporeal touch attacks?The DM allowed me to wield two shields, how can I get the most AC and HP, as a Bear Barbarian?Are there ways other than Kensei Weapons or Hex Warrior to use an ability other than STR for non-finesse melee weapons?Cheapest way to cast spells with sword and (heavy) shield?Is this homebrew “Throwing Weapons Master” feat balanced?Can Hexblade warlocks use a staff and shield?Are there any balance issues with allowing thrown Javelins to be drawn for free like ammunition weapons?Does an unattuned Frost Brand weapon still glow in freezing temperatures?Does a druid starting with a bow start with no arrows?Is it possible to build a custom weapon, and if so, how will my character be able to use it?

            Image
            Did the UK government pay "millions and millions of dollars" to try to snag Julian Assange? If I score a critical hit on an 18 or higher, what are my chances of getting a critical hit if I roll 3d20? Why can't devices on different VLANs, but on the same subnet, communicate? Are Newtonian Mechanics considered to be 'falsified'? The phrase "to the numbers born"? How can I add encounters in the Lost Mine of Phandelver campaign without giving PCs too much XP? Does adding complexity mean a more secure cipher? How to read αἱμύλιος or when to aspirate Using `min_active_rowversion` for global temporary tables Does Parliament need to approve the new Brexit delay to 31 October 2019? Did researcher Katie Bouman only contributed 0.26% of code that created Black Hole image? Is it ethical to upload a automatically generated paper to a non peer-reviewed site as part of a larger research? Taking the derivative of a differential equation ...
            Read more

            How many cones with angle theta can I pack into the unit sphere? The 2019 Stack Overflow Developer Survey Results Are InPacking space by cones: Translates best?Covering a unit ball with balls half the radiusOptimal pebble-packing shapeHow many unit balls can be put into a unit cube?Computing the Volume of Closed 3-Manifolds and the Geometrization ConjectureIs it true that a solid, minihedral cone in infinite dimensions cannot be regular?Is there an “accepted” jamming limit for hard spheres placed in the unit cube by random sequential adsorption?Sphere packings with antipodal (unequal) spheresThe Disco Ball ProblemDo kissing numbers with distance $d$ always grow polynomially or exponentially in dimension?

            Image
            How many cones with angle theta can I pack into the unit sphere? The 2019 Stack Overflow Developer Survey Results Are InPacking space by cones: Translates best?Covering a unit ball with balls half the radiusOptimal pebble-packing shapeHow many unit balls can be put into a unit cube?Computing the Volume of Closed 3-Manifolds and the Geometrization ConjectureIs it true that a solid, minihedral cone in infinite dimensions cannot be regular?Is there an “accepted” jamming limit for hard spheres placed in the unit cube by random sequential adsorption?Sphere packings with antipodal (unequal) spheresThe Disco Ball ProblemDo kissing numbers with distance $d$ always grow polynomially or exponentially in dimension? 3 1 $begingroup$ Given a unit sphere (radius 1), I would like to know how many cones I can pack into this unit sphere. Restrictions: The top of the cone needs to be in the center of origin. The bottom of the cone needs to form a circle on the unit sphere. I ...
            Read more