https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-windows-dns
shows Bindplane collecting DNS from the Windows Event channel Microsoft-Windows-DNSServer/Audit.
I enabled "Analytical and Debug Logs" and see queries and query results under Microsoft/Windows/DNS-Server/Analytical in Event Viewer. There are no query details in the Microsoft-Windows-DNSServer/Audit channel.
Two issues:
1) the Google example collects from Audit, not Analytical, where the queries and results are located.
2) this PowerShell does not list a channel for Microsoft-Windows-DNSServer/Analytical:
Get-WinEvent -ListLog *
and when I try to read from Microsoft-Windows-DNSServer/Analytical (guessing the name) Bindplane does not start; the error is that it cannot find the channel.
My questions:
Should I be able to use Bindplane to read the DNS queries and query results from the Analytical channel?
I confirmed Bindplane can read the dns debug log file and I get WINDOWS_DNS. Is reading from the dns debug file the recommended procedure for collecting WINDOWS_DNS using Bindplane?
DNS Analytical events are classed as event traces (ETW) rather than event logs (EVTX). BindPlane doesn't have the ability to read event traces, and you'll need to use a script or some kind of program that can translate the Analytical events and save them to a custom event channel to then be read from.
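One way to do the "translate and save to a custom channel" step described above, as an added example that is not from the thread, BindPlane or Google: a PowerShell relay that reads the Microsoft-Windows-DNSServer/Analytical log (analytic/debug channels can only be read with -Oldest), resumes from the last RecordId it saw, and re-writes each event into a classic event log that a file/event-log agent can subscribe to. The custom log name, event source and state-file path are placeholders, and the script assumes the analytical log is already enabled and that it runs with administrator rights.

```powershell
# Added example (not from the thread or from BindPlane/Google): copy DNS Server
# analytical (ETW) events into a classic event channel that a log agent can read.
# Assumptions: the analytical log is enabled, the script runs as an administrator,
# and the custom log/source names and state-file path below are placeholders.

$AnalyticLog = 'Microsoft-Windows-DNSServer/Analytical'
$RelayLog    = 'DNSServer-Analytical-Relay'                   # hypothetical custom channel
$RelaySource = 'DNSAnalyticalRelay'                           # hypothetical event source
$StateFile   = "$env:ProgramData\DnsRelay\last-record.txt"    # hypothetical cursor file

# Register the custom channel and source once; SourceExists avoids the error
# New-EventLog throws when the source is already registered.
function Initialize-RelayLog {
    if (-not [System.Diagnostics.EventLog]::SourceExists($RelaySource)) {
        New-EventLog -LogName $RelayLog -Source $RelaySource
    }
}

# Analytic/debug channels must be read oldest-first; RecordId is the resume cursor.
# SilentlyContinue swallows the "No events were found" error on an empty log.
function Get-NewAnalyticEvents {
    param([long]$After = 0)
    Get-WinEvent -LogName $AnalyticLog -Oldest -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordId -gt $After }
}

function Get-LastRecordId {
    if (Test-Path $StateFile) { [long](Get-Content $StateFile -Raw).Trim() } else { 0 }
}

function Save-LastRecordId([long]$Id) {
    New-Item -ItemType Directory -Force -Path (Split-Path $StateFile) | Out-Null
    Set-Content -Path $StateFile -Value $Id
}

# Flatten one ETW event into a single message string; fall back to the raw event
# XML when the provider's message template cannot be resolved on this host.
function ConvertTo-RelayMessage([System.Diagnostics.Eventing.Reader.EventRecord]$e) {
    $body = if ($e.Message) { $e.Message } else { $e.ToXml() }
    '[{0:o}] Id={1} Task={2} {3}' -f $e.TimeCreated, $e.Id, $e.TaskDisplayName, $body
}

# Relay every event newer than the saved cursor; returns the number relayed.
function Invoke-DnsAnalyticRelay {
    Initialize-RelayLog
    $last  = Get-LastRecordId
    $count = 0
    foreach ($e in Get-NewAnalyticEvents -After $last) {
        # Write-EventLog accepts event ids 0..65535; the DNS analytic ids fit.
        Write-EventLog -LogName $RelayLog -Source $RelaySource -EventId $e.Id `
            -EntryType Information -Message (ConvertTo-RelayMessage $e)
        $last = $e.RecordId
        $count++
    }
    Save-LastRecordId $last
    return $count
}

# Run from a scheduled task (every minute or so), then point the agent at $RelayLog.
Invoke-DnsAnalyticRelay
```

Two caveats a practitioner should weigh before relying on this: the relay still reads ETW underneath, so if the analytical log wraps before the task runs again, those events are gone, and Write-EventLog is a synchronous per-event call that will not keep pace with a busy resolver. Both are reasons the flat-file debug log tends to be the simpler route for continuous collection.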
Event trace is supported by BindPlane now -> https://bindplane.com/docs/resources/sources/windows-event-trace
^^ What hzmndt said, but here is the clause:
🚧 This source is experimental and built on top of Windows ETW, which has resource limitations and was not initially designed for long-term monitoring. Please use with caution on your host systems. While the source supports reading events from ETL logs, using them for continuous event collection may result in dropped events and increased resource utilization on your hosts.
A great way around this is to write the dns.log to a flat file and just use the BindPlane File input to read it in (with appropriate timestamp parsing). You can enable a tick box (I forget what it's called) to add the hostnames to the log, which gets around all these limitations. 🙂
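For the flat-file route suggested in the reply above, here is an added example (not from the thread, BindPlane or Google) that does the two things a file-based pipeline needs: it turns on the DNS Server debug log with Set-DnsServerDiagnostics, and it parses the resulting dns.log packet lines, including the timestamp and the "(3)www(7)example(3)com(0)" label encoding, into objects you can check a collector's parser against. The log path, rollover size, 12-hour US-style timestamps and the sample lines are all assumptions; the sample lines are constructed to mimic the classic dns.log packet format and are not real traffic.

```powershell
# Added example (not from the thread): enable the DNS Server debug log and parse
# its packet lines the way a file-based pipeline must. Assumptions: log path,
# rollover size, US-style 12-hour timestamps, and constructed sample lines.
# Enable-DnsDebugLog needs the DnsServer module and admin rights on the server.

function Enable-DnsDebugLog {
    param(
        [string]$Path  = 'C:\DnsLogs\dns.log',   # assumed location
        [int]   $MaxMB = 500                      # assumed rollover size
    )
    New-Item -ItemType Directory -Force -Path (Split-Path $Path) | Out-Null
    Set-DnsServerDiagnostics -EnableLoggingToFile $true -LogFilePath $Path `
        -EnableLogFileRollover $true -MaxMBFileSize $MaxMB `
        -Queries $true -Answers $true -ReceivePackets $true -SendPackets $true `
        -UdpPackets $true -TcpPackets $true
}

# dns.log packet line layout (from the file's own header):
# date time threadId context packetId UDP|TCP Snd|Rcv remoteIp xid [R] opcode
# [flagsHex flagChars rcode] questionType questionName
$script:LineRegex = [regex]('^(?<date>\d{1,2}/\d{1,2}/\d{4})\s+' +
    '(?<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+(?<tid>[0-9A-Fa-f]+)\s+(?<ctx>\S+)\s+' +
    '(?<pkt>[0-9A-Fa-f]+)\s+(?<proto>UDP|TCP)\s+(?<dir>Snd|Rcv)\s+(?<ip>\S+)\s+' +
    '(?<xid>[0-9A-Fa-f]{4})\s+(?:(?<resp>R)\s+)?(?<op>[QNU?])\s+' +
    '\[(?<hdr>[^\]]*)\]\s+(?<qtype>\S+)\s+(?<qname>\S+)')

# "(3)www(7)example(3)com(0)" -> "www.example.com"
function ConvertFrom-DnsLabelFormat([string]$Name) {
    ($Name -replace '\(\d+\)', '.').Trim('.')
}

# Returns $null for non-packet lines (file header, rollover banners, blanks).
function ConvertFrom-DnsDebugLine([string]$Line) {
    $m = $script:LineRegex.Match($Line)
    if (-not $m.Success) { return $null }
    $hdr = @(($m.Groups['hdr'].Value -split '\s+') | Where-Object { $_ })
    [pscustomobject]@{
        # dns.log stamps are server-local time with no zone; parsed as Unspecified.
        Timestamp  = [datetime]::ParseExact(
                         "$($m.Groups['date'].Value) $($m.Groups['time'].Value)",
                         'M/d/yyyy h:mm:ss tt', [cultureinfo]::InvariantCulture)
        Protocol   = $m.Groups['proto'].Value
        Direction  = $m.Groups['dir'].Value
        RemoteIp   = $m.Groups['ip'].Value
        Xid        = $m.Groups['xid'].Value
        IsResponse = $m.Groups['resp'].Success
        Opcode     = $m.Groups['op'].Value
        FlagsHex   = $hdr[0]
        # A=authoritative, T=truncated, D=recursion desired, R=recursion available
        FlagChars  = if ($hdr.Count -gt 2) { $hdr[1..($hdr.Count - 2)] -join '' } else { '' }
        Rcode      = $hdr[-1]
        QType      = $m.Groups['qtype'].Value
        QName      = ConvertFrom-DnsLabelFormat $m.Groups['qname'].Value
    }
}

# Parse a whole log file (use Get-Content -Wait for a tail-style follow).
function Import-DnsDebugLog([string]$Path) {
    Get-Content -Path $Path | ForEach-Object { ConvertFrom-DnsDebugLine $_ } | Where-Object { $_ }
}

# Constructed sample lines (not real traffic): a query, its answer, and a banner.
$SampleLines = @(
    '4/10/2024 10:23:45 AM 0A1C PACKET  000000D3E5F8B2A0 UDP Rcv 10.0.0.5        1a2b   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)',
    '4/10/2024 10:23:45 AM 0A1C PACKET  000000D3E5F8B2A0 UDP Snd 10.0.0.5        1a2b R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)',
    'DNS Server log file creation at 4/10/2024 10:23:44 AM'
)
$SampleLines | ForEach-Object { ConvertFrom-DnsDebugLine $_ } | Where-Object { $_ } |
    Format-Table Timestamp, Direction, RemoteIp, Xid, IsResponse, FlagChars, Rcode, QType, QName
```

The first two sample lines parse to a query/response pair sharing Xid 1a2b, with the response carrying the DR flags; the banner line is dropped as intended. Because the log records no time zone, whatever timestamp parser the collector applies needs the DNS server's local zone configured, or every record lands in the SIEM offset by that amount.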