06-12-2026 12:18 AM
Hi Everyone,
I need some assistance integrating DNS Analytical Logs into XSIAM.
I have tried collecting these logs using an XDR Collector and other available methods, but so far I have not found a supported approach. This requirement is quite urgent, and I would appreciate any guidance from anyone who has successfully integrated DNS Analytical Logs into XSIAM.
Could you please share:
If anyone has already implemented this use case, your help would be greatly appreciated.
Thank you in advance!
06-12-2026 03:16 AM
Hi @M.Harne,
We are successfully collecting DNS logs using the XDR Collector, and the logs are visible in our XSIAM console.
Please configure the appropriate custom parsing rule based on your server setup:
Use the following configuration if you are using a dedicated DNS server:
# ------------- DNS -------------
filebeat.inputs:
  - type: filestream
    id: dns1
    enabled: true
    paths:
      - c:\Windows\System32\dns\DNS.log
    parsers:
      # DNS debug log entries start with a date/time stamp; any line that does not
      # is a continuation line and is appended to the preceding event.
      - multiline:
          type: pattern
          pattern: '^(?:\d{1,2}\/){2}\d{4}\s(?:\d{1,2}\:){2}\d\d\s(?:AM|PM)'
          negate: true
          match: after
    processors:
      - add_fields:
          fields:
            vendor: microsoft
            product: dns
Use the following configuration if DHCP and DNS services are running on the same server:
# ------------- DHCP & DNS -------------
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - c:\Windows\System32\dhcp\DhcpSrvLog*.log
    processors:
      # Keep only data rows (they start with a numeric event ID); drop the file's header lines.
      - drop_event:
          when:
            not:
              regexp:
                message: '^[0-9]+,.*'
      # Split the comma-separated row into the DHCP server log columns.
      - dissect:
          tokenizer: '%{id},%{date},%{time},%{description},%{ipAddress},%{hostName},%{macAddress},%{userName},%{transactionID},%{qResult},%{probationTime},%{correlationID},%{dhcid},%{vendorClassHex},%{vendorClassASCII},%{userClassHex},%{userClassASCII},%{relayAgentInformation},%{dnsRegError}'
      - drop_fields:
          fields: [message]
      - add_fields:
          fields:
            vendor: microsoft
            product: dhcp
      # add_locale sets event.timezone; it is renamed so the timezone sits with the dissected fields.
      - add_locale: ~
      - rename:
          fields:
            - from: event.timezone
              to: dissect.timezone
          ignore_missing: true
          fail_on_error: false
      - add_tags:
          tags: [windows_dhcp]
          target: xdr_log_type
  - type: filestream
    id: dns1
    enabled: true
    paths:
      - c:\Windows\System32\dns\DNS.log
    parsers:
      # Same multiline handling as the dedicated DNS server configuration.
      - multiline:
          type: pattern
          pattern: '^(?:\d{1,2}\/){2}\d{4}\s(?:\d{1,2}\:){2}\d\d\s(?:AM|PM)'
          negate: true
          match: after
    processors:
      - add_fields:
          fields:
            vendor: microsoft
            product: dns
Please help out other users and “Accept as Solution” if a post helps solve your problem!
Read more about how and why to accept solutions.
Best Regards,
Vinothkumar.C
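To check what the two pipelines in the reply above do to a log line before shipping it, here is an added example (not from the post, and not Palo Alto or Elastic code) that re-implements the multiline grouping, the drop_event filter and the dissect tokenizer in Python and runs them over constructed DNS.log and DhcpSrvLog rows; every sample line, host name and address in it is made up.

```python
import re
# Regexes and tokenizer copied from the filebeat config above (the config's \/ and \:
# escapes are plain / and : here). All sample log lines below are constructed.
DNS_EVENT_START = re.compile(r'^(?:\d{1,2}/){2}\d{4}\s(?:\d{1,2}:){2}\d\d\s(?:AM|PM)')
DHCP_KEEP = re.compile(r'^[0-9]+,.*')
DHCP_TOKENIZER = (
    '%{id},%{date},%{time},%{description},%{ipAddress},%{hostName},%{macAddress},'
    '%{userName},%{transactionID},%{qResult},%{probationTime},%{correlationID},%{dhcid},'
    '%{vendorClassHex},%{vendorClassASCII},%{userClassHex},%{userClassASCII},'
    '%{relayAgentInformation},%{dnsRegError}')

def multiline_after(lines, start):
    # filebeat multiline with negate: true, match: after -- a line that does NOT match
    # the start pattern is glued onto the event before it (DNS debug continuation lines).
    events = []
    for line in lines:
        if start.match(line) or not events:
            events.append(line)
        else:
            events[-1] += '\n' + line
    return events

def dissect(tokenizer, message):
    # Minimal dissect: %{key} fields separated by the literal text between them.
    # Returns None when the message does not fit (dissect would fail the event).
    keys = re.findall(r'%\{(\w+)\}', tokenizer)
    delims = re.split(r'%\{\w+\}', tokenizer)          # literal text around each key
    regex = re.escape(delims[0])
    for i, delim in enumerate(delims[1:]):
        regex += ('(.*)' if i == len(keys) - 1 else '(.*?)') + re.escape(delim)
    m = re.match('^' + regex + '$', message)
    return dict(zip(keys, m.groups())) if m else None

def collect_dhcp(lines):
    # drop_event for the non-numeric header lines, then dissect every data row.
    return [dissect(DHCP_TOKENIZER, line) for line in lines if DHCP_KEEP.match(line)]

# Constructed samples in the layout of DhcpSrvLog-*.log and DNS.log (debug logging on).
DHCP_SAMPLE = [
    'Microsoft DHCP Service Activity Log',
    'ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,TransactionID,QResult,'
    'Probationtime,CorrelationID,Dhcid,VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),RelayAgentInformation,DnsRegError',
    '10,06/12/26,00:18:09,Assign,10.0.0.25,host01.example.com,001122334455,,1234567,0,,,,,,,,,0',
]
DNS_SAMPLE = [
    '6/12/2026 12:18:04 AM 0A2C PACKET  000001F2A3B4C5D0 UDP Rcv 10.0.0.5  0002   Q [0001   D   NOERROR] A  (3)www(7)example(3)com(0)',
    'UDP question info at 000001F2A3B4C5D0',
    '6/12/2026 12:18:04 AM 0A2C PACKET  000001F2A3B4C5D0 UDP Snd 10.0.0.5  0002 R Q [8081   DR  NOERROR] A  (3)www(7)example(3)com(0)',
]
```

Both header rows are dropped and the data row yields 19 named fields; the DNS continuation line ends up inside the first event rather than as an event of its own.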
06-12-2026 04:59 AM
Hi @M.Harne
Is it working or not? If it is working, please accept the solution.
Please help other users by clicking ‘Accept as Solution’ if a post helps solve your problem.
Read more about how and why to accept solutions.
Best Regards,
Vinothkumar.C
06-12-2026 05:34 AM
Thanks for the response.
However, the approach mentioned above only allows the collection of DNS Audit and DNS Debug logs. I am specifically looking to collect logs from the Microsoft-Windows-DNSServer/Analytical channel.
The challenge is that this is an ETW (Event Tracing for Windows) Analytical channel, which is not a standard Windows Event Log channel. As a result, it is currently not supported by XSIAM, and both Winlogbeat and Filebeat are unable to read events directly from this channel.
Has anyone successfully collected Microsoft-Windows-DNSServer/Analytical logs into XSIAM or another SIEM? If so, could you please share the collection method or workaround used?
Any guidance would be greatly appreciated.