topic Re: DNS Analytical Logs in Cortex XSIAM Discussions

DNS Analytical Logs

M.Harne — Fri, 12 Jun 2026 07:18:06 GMT

Hi Everyone,

I need some assistance integrating DNS Analytical Logs into XSIAM.

I have tried collecting these logs using an XDR Collector and other available methods, but so far I have not found a supported approach. This requirement is quite urgent, and I would appreciate any guidance from anyone who has successfully integrated DNS Analytical Logs into XSIAM.

Could you please share:

The collection method used (XDR Collector, Agent, Syslog, etc.)
Any custom parser or configuration required
Challenges encountered and how they were resolved

If anyone has already implemented this use case, your help would be greatly appreciated.

Thank you in advance!

Re: DNS Analytical Logs

Vinothkumar_SBA — Fri, 12 Jun 2026 10:16:34 GMT

Hi @M.Harne,

We are successfully collecting DNS logs using the XDR Collector, and the logs are visible in our XSIAM console.

Please configure the appropriate custom parsing rule based on your server setup:

1. Windows DNS Log Collection Policy

Use the following configuration if you are using a dedicated DNS server:

# ------------- DNS -------------
filebeat.inputs:
  - type: filestream
    id: dns1
    enabled: true
    paths:
      - c:\Windows\System32\dns\DNS.log
    parsers:
      - multiline:
          type: pattern
          pattern: ^(?:\d{1,2}\/){2}\d{4}\s(?:\d{1,2}\:){2}\d\d\s(?:AM|PM)
          negate: true
          match: after
    processors:
      - add_fields:
          fields:
            vendor: microsoft
            product: dns

2. Windows DHCP & DNS Log Collection Policy

Use the following configuration if DHCP and DNS services are running on the same server:

# ------------- DHCP & DNS -------------
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - c:\Windows\System32\dhcp\DhcpSrvLog*.log
    processors:
      - drop_event.when.not.regexp.message: ^[0-9]+,.*
      - dissect:
          tokenizer: '%{id},%{date},%{time},%{description},%{ipAddress},%{hostName},%{macAddress},%{userName},%{transactionID},%{qResult},%{probationTime},%{correlationID},%{dhcid},%{vendorClassHex},%{vendorClassASCII},%{userClassHex},%{userClassASCII},%{relayAgentInformation},%{dnsRegError}'
      - drop_fields:
          fields: [message]
      - add_fields:
          fields:
            vendor: microsoft
            product: dhcp
      - add_locale:
      - rename:
          fields:
            - from: event.timezone
              to: dissect.timezone
          ignore_missing: true
          fail_on_error: false
      - add_tags:
          tags: [windows_dhcp]
          target: xdr_log_type

  - type: filestream
    id: dns1
    enabled: true
    paths:
      - c:\Windows\System32\dns\DNS.log
    parsers:
      - multiline:
          type: pattern
          pattern: ^(?:\d{1,2}\/){2}\d{4}\s(?:\d{1,2}\:){2}\d\d\s(?:AM|PM)
          negate: true
          match: after
    processors:
      - add_fields:
          fields:
            vendor: microsoft
            product: dns

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Best Regards,
Vinothkumar.C

Re: DNS Analytical Logs

Vinothkumar_SBA — Fri, 12 Jun 2026 11:59:12 GMT

Hi @M.Harne

Is it working or not? If it is working, please accept the solution.
Please help other users by clicking ‘Accept as Solution’ if a post helps solve your problem.

Best Regards,
Vinothkumar.C

Re: DNS Analytical Logs

M.Harne — Fri, 12 Jun 2026 12:34:58 GMT

Thanks for the response.

However, the approach mentioned above only allows the collection of DNS Audit and DNS Debug logs. I am specifically looking to collect logs from the Microsoft-Windows-DNSServer/Analytical channel.

The challenge is that this is an ETW (Event Tracing for Windows) Analytical channel, which is not a standard Windows Event Log channel. As a result, it is currently not supported by XSIAM, and both Winlogbeat and Filebeat are unable to read events directly from this channel.

Has anyone successfully collected Microsoft-Windows-DNSServer/Analytical logs into XSIAM or another SIEM? If so, could you please share the collection method or workaround used?

Any guidance would be greatly appreciated.