Skip to main content
The doc linked here

  https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-windows-dns

shows Bindplane collecting DNS from the Windows Event channel  Microsoft-Windows-DNSServer/Audit.   

I enabled "Analytical and Debug Logs" and see queries and query results under Microsoft/Windows/DNS-Server/Analytical in Event Viewer.  There are no query details in the Microsoft-Windows-DNSServer/Audit channel.

Two issues:

1) the google example collects from Audit, not Analytical where the queries and result are located.

2) this powershell does not list a Channel for Microsoft-Windows-DNSServer/Analytical,

Get-WinEvent -ListLog *

and when I try to read from Microsoft-Windows-DNSServer/Analytical (guessing the name) Bindplane does not not start, the error is that it cannot find the channel.

My questions:

Should I be able to use Bindplane to read the DNS queries and query results from the Analytical channel ?

I confirmed Bindplane can read the dns debug log file and I get WINDOWS_DNS.  Is reading from the dns debug file the recommended procedure for collecting WINDOWS_DNS using Bindplane?

DNS Analytical events are classed as event trace (etw) rather than event logs (evtx). BindPlane doesn't have the ability to read event traces, and you'll need to use a script or some kind of program that can translate the Analytical events and save them to a custom event channel to then be read from.

event trace is supported by bindplane now -> https://bindplane.com/docs/resources/sources/windows-event-trace

^^ What hzmndt said, but here is the clause: 

🚧 This source is experimental and built on top of Windows ETW, which has resource limitations and was not initially designed for long-term monitoring. Please use with caution on your host systems. While the source supports reading events from ETL logs, using them for continuous event collection may result in dropped events and increased resource utilization on your hosts.

 

A great way around this is to write the dns.log to flat file and just using the BindPlane File input to read them in (with appropriate timestamp parsing). You can enable a tick box (I forget what it's called) to add the hostnames to the log, which gets around all these limitations. 🙂

Reply


Terms & ConditionsCookie settings
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.