/
dns.windows
Document toolboxDocument toolbox

dns.windows

Owned by Former user (Deleted)
Last updated: Jul 25, 2023
2 min read
[ 1 Tag structure ] [ 2 Configuration ] [ 3 Table structure ]

The dns.windows tag identifies log events generated by the Windows Server Domain Name System (DNS).

Tag structure

This technology uses a single tag to support all events generated by the Windows Server Domain Name System (DNS). The tag is simply dns.windows and the associated events are saved in Devo in a table of the same name.

Product / Service

Tags

Data tables

Product / Service

Tags

Data tables

Windows DNS

dns.windows

dns.windows

For more information, read more about Devo tags.

Configuration

Create a simple rule on your Devo Relay that applies the dns.windows tag to all events arriving on a specified port. In the example below, we use port 13003 but you should use any port that you can dedicate to these events.

  • Source port → 13003

  • Target tag → dns.windows

  • Check the Stop processing and Sent without syslog tag checkboxes.

Table structure

These are the fields displayed in this table:

dns.windows

Field

Type

Field transformation

Source field name

Extra fields

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

 

 

 

hostname

str

ifthenelse(isnotnull(dnsserverfilebeat), dnsserverfilebeat, vhost)

dnsserverfilebeat

vhost

 

myserverday

str

 

 

 

myservertime

str

 

 

 

myserverampm

str

 

 

 

serverdate

timestamp

parsedate(myserverdate, "MM/DD/YYYY hh:mm:ss A", "UTC")

myserverdate

 

thread_id

str

 

 

 

context

str

trim(mycontext)

mycontext

 

int_packed_id

str

trim(myintpacketid)

myintpacketid

 

protocol

str

trim(myprotocol)

myprotocol

 

send_receive

str

trim(mysendreceive)

mysendreceive

 

remote_ip

ip4

 

 

 

x_id

str

trim(myxid)

myxid

 

query_response

str

(myqueryresponse -> ' ') ? ' ' : 'R'

myqueryresponse

 

query_response_def

str

(myqueryresponse -> ' ') ? 'query' : 'response'

myqueryresponse

 

op_code

str

trim(myopcode)

myopcode

 

flags_hex

str

trim(myflagshex)

myflagshex

 

flags_char_codes

str

trim(myflagscharcodes)

myflagscharcodes

 

response_code

str

trim(myresponsecode)

myresponsecode

 

question_type

str

trim(myquestiontype)

myquestiontype

 

question_name

str

 

 

 

question_dot

str

join(question_tokens, ".")

question_tokens

 

hostchain

str

 

 

tag

str

 

 

rawMessage

str

 

 



Related articles

Related content