
Windows DNS

Content Pack

A Windows DNS content pack for Graylog.



23 Sep 10:53

Last Push

11 May 09:36



skear 5 months ago

I ran into an issue with the custom Elasticsearch template required for this plugin after upgrading to Elasticsearch version 5.6. After upgrading, my indices would fail to rotate with the error:

WARN [Indices] Couldn't create index graylog_2664. Error: {"root_cause":[{"type":"mapper_parsing_exception","reason":"No handler for type [String] declared on field [ThreadID]"}],"type":"mapper_parsing_exception","reason":"Failed to parse mapping [message]: No handler for type [String] declared on field [ThreadID]","caused_by":{"type":"mapper_parsing_exception","reason":"No handler for type [String] declared on field [ThreadID]"}}

This happened because the type string was deprecated in ES 5.X and replaced with two types (text and keyword). According to the documentation a field previously mapped as string not_analyzed should be mapped as a keyword field with index = true.

Below is the command I issued to update the template. After doing this the indices were able to rotate and the error went away.

curl -XPUT elastic01:9200/_template/graylog -d '

cis4smack over 1 year ago

I can't seem to get this to work. I followed the instructions. Not sure whether to change the "String" to "text" or "keyword"? I enabled the debugging and created the txt file where it will be dumped. Am I missing something else here?

rumo20 over 1 year ago

In version 2.3.0 it is not possible to create a custom index template for the ThreadID field. The values "index":"not_analyzed", "type":"String" can't be set. Elasticsearch ignores the values in my template.

rka over 2 years ago

Hello, I have the old ThreadID problem with Graylog version 2.1.1. I tried the old fix, and creating a new index template, but it is not working.
Details here:

Any ideas?

JulioQc over 2 years ago

Nvm my comment about specifying the GROK field datatype as string. It doesn't work in the long run.
Custom mapping as suggested works well.

JulioQc over 2 years ago

Yes, but forcing the datatype with grok is simpler than making a custom index mapping (imho), followed by a cycling. I would suggest updating the content pack with this minor change or at the minimum recommend implementing custom mappings to avoid the issue.

reighnman over 2 years ago

@skear cycling the deflector is only a temporary fix - you must create a dynamic template on your ES cluster that forces ThreadID to be a string field. If you cycle the deflector again and the first ThreadID entry that gets inserted begins with an INT, it will break it again until you cycle again and get an alphanumeric entry first.

JulioQc over 2 years ago

Possible bug (and workaround suggested) with the GROK pattern:

JulioQc almost 3 years ago

Kudos to SandMouse for his instructions to correct the capture (way simpler than changing the NXLog version). One can also modify the JSON to make the change.
Also, consider changing 'dns' in the JSON to the proper Collector Input ID (i.e. 578e3f830ae2f10b113845fe) for the Dashboard to work correctly, if you are using Collectors that is.

skear almost 3 years ago

I was able to get this working with Graylog 2.0 but I ended up having to use an older version of nxlog (2.8.1248). Nxlog 2.9.1504 doesn't send the full_message field, which creates a problem. I tried using shortmessagelength -1 in the nxlog config file but it was still truncating the message field to 64 characters.

After I started using nxlog 2.8 I was receiving messages with the full_message field, but I was seeing errors about failing to parse ThreadID in the Graylog log files. This issue was fixed by going to System \ Indices \ Maintenance \ Manually cycle deflector. After doing that the errors went away and the messages were being parsed correctly.

To clarify, since I used nxlog 2.8 I did not need to make any modifications to the content pack json file.

Now that it's finally working I'm really happy with the data this content pack is producing!

SandMouse almost 3 years ago

I used the following patch to change the fieldname in the json file:

--- content_pack.json 2016-05-11 10:49:18.000000000 +0200
+++ content_pack_chaged.json 2016-05-11 10:41:02.000000000 +0200
@@ -22,8 +22,8 @@
"converters" : [ ],
"order" : 0,
"cursor_strategy" : "COPY",
- "target_field" : "full_message",
- "source_field" : "full_message",
+ "target_field" : "message",
+ "source_field" : "message",
"condition_type" : "REGEX",
"condition_value" : " PACKET\\s+[A-Z0-9]{16}\\s+UDP|TCP\\s"
}, {
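Review bot: the alternation in the `condition_value` context line, `" PACKET\\s+[A-Z0-9]{16}\\s+UDP|TCP\\s"`, is not grouped, so the condition is met either by ` PACKET <16 hex chars> UDP` or by a bare `TCP` followed by whitespace anywhere in the message; if the extractor should run only on PACKET lines for both transports, group it as `(UDP|TCP)\\s`. This is pre-existing, but the hunk touching the neighbouring `source_field`/`target_field` lines is the natural place to fix it. Minor: the `+++` header spells the new file `content_pack_chaged.json`, presumably `changed`.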

SandMouse almost 3 years ago

@eduham It seems as if I've run into the same problem as the one you are describing. The query "SourceModuleName:dns AND Context:PACKET" won't return any results while "SourceModuleName:dns" does return plenty. Were you able to solve this? Anyone else who might be able to help?

eduham about 3 years ago

OK, I've seen my problem is another one. My shown message is right but I can't get a full_message. In the extractor test view I get this message: Could not load an example of field 'full_message'.
Anyone have an idea?

eduham about 3 years ago

Thanks for this great Content Pack. Logging works on my system but the dashboard wouldn't show anything. Now I've read the search query and see that the script is searching for "SourceModuleName" and "Context". My problem is that the Context field is unknown. Is there a problem with the grok_pattern? +%{NOTSPACE:Context}
Here is my pattern for "NOTSPACE":
"name" : "NOTSPACE",
"pattern" : "\\S+"

wjanowiak about 3 years ago

See comments here - was able to get it working with some massaging. Temporary fix for now.

mbuyukkarakas about 3 years ago

Sorry my friend.
I tried with my GL 1.3 but it's not working. I tried Pajje99's solution but it's not working either. Also Pajje99's pattern is not completely pasted. It gives a warning when I try to edit the GROK pattern.

Pajje99 about 3 years ago

I got this tip from another user and it works now.

Try updating WINDNS_TIME to:


reighnman over 3 years ago

Have you tried opening an issue on github?

Kopke over 3 years ago

Pajje99: Same problem here. Using Windows 2012R2 server, latest version Graylog appliance & nxlog-ce-2.9.1504

scub4st3v3 over 3 years ago

Pajje99: Were you able to solve this? Having the same problem.

Pajje99 over 3 years ago


I cannot get this content pack to work right. It seems that the grok pattern is not working right because it will not extract right.

I get:
2015-12-02 21:32:41 15F8 PACKET 0000009946EF00A0 UDP Snd ae34 Q [0001 D NOERROR] PTR (3)142(3)146(3)248(2)17(7)in-addr(4)arpa(0)


2015-12-02 21:32:41 15F8 PACKET 0000009946EF00A0 UDP Snd 8.8.8.

and nothing is showing on the dashboard.
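The lines Pajje99 pasted are the raw Windows DNS debug-log format that the content pack's grok pattern has to handle, and the "SourceModuleName:dns AND Context:PACKET" query that eduham and SandMouse discuss depends on that fourth column being extracted. As an added example that is not part of the content pack or of any post here, the following Python parser splits a PACKET line into its fields and decodes the length-prefixed query name. The regex is my own reading of the debug-log layout, not the pack's grok pattern; the sample lines are constructed (the first is modelled on Pajje99's line with a documentation remote address inserted where the pasted line has none), and the truncated last line shows how a partial line is rejected rather than half-parsed.

```python
import re
from typing import Optional

# One Windows DNS debug-log PACKET line. This regex is written for the example
# and is an assumption about the column order; it is NOT the content pack's
# grok pattern. Columns: date time thread-id context packet-id protocol
# direction remote-ip xid Q/R [opcode flags rcode] qtype qname.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<thread_id>[0-9A-Fa-f]{1,8}) (?P<context>\S+) "
    r"(?P<packet_id>[0-9A-Fa-f]{16}) (?P<protocol>UDP|TCP) "
    r"(?P<direction>Snd|Rcv) (?P<remote_ip>\S+)\s+(?P<xid>[0-9A-Fa-f]{4})\s+"
    r"(?P<qr>[QR])\s+\[(?P<opcode>[0-9A-Fa-f]{4})\s+(?P<flags>[A-Z ]*?)\s*"
    r"(?P<rcode>[A-Z]+)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$"
)


def decode_qname(encoded: str) -> str:
    """Turn "(3)www(7)example(3)com(0)" into "www.example.com".

    Each label is prefixed with its length in parentheses; the trailing (0)
    is the DNS root. A length that disagrees with the label is a malformed
    line and is reported instead of silently accepted.
    """
    labels = []
    for length, label in re.findall(r"\((\d+)\)([^()]*)", encoded):
        if int(length) != len(label):
            raise ValueError(f"label length {length} does not match {label!r}")
        if label:
            labels.append(label)
    return ".".join(labels)


def parse_line(line: str) -> Optional[dict]:
    """Parse one debug-log line; return None for lines that are not a full PACKET entry."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("context") != "PACKET":
        return None
    rec = m.groupdict()
    rec["flags"] = rec["flags"].strip()      # e.g. "D", "DR" or "" (no flags)
    rec["qname_raw"] = rec["qname"]
    rec["qname"] = decode_qname(rec["qname"])
    return rec


def parse_log(text: str) -> list:
    """Parse every line of a log excerpt, dropping lines that do not parse."""
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


# Constructed sample excerpt (remote addresses are documentation ranges).
SAMPLE_LOG = """\
2015-12-02 21:32:41 15F8 PACKET 0000009946EF00A0 UDP Snd 192.0.2.10 ae34 Q [0001 D NOERROR] PTR (3)142(3)146(3)248(2)17(7)in-addr(4)arpa(0)
2015-12-02 21:32:41 15F8 PACKET 0000009946EF00A0 UDP Rcv 192.0.2.10 ae34 R [8081 DR NOERROR] PTR (3)142(3)146(3)248(2)17(7)in-addr(4)arpa(0)
2015-12-02 21:32:42 1234 PACKET 0000009946EF1234 TCP Rcv 198.51.100.7 0c1d Q [0001 D NOERROR] A (3)www(7)example(3)com(0)
2015-12-02 21:32:41 15F8 PACKET 0000009946EF00A0 UDP Snd 8.8.8.
"""

if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(rec["thread_id"], rec["protocol"], rec["direction"],
              rec["qr"], rec["rcode"], rec["qtype"], rec["qname"])
```

Note that the ThreadID column is a hexadecimal value ("15F8", "1234"); the third sample line is one of the all-digit cases that, as the rest of this thread explains, makes Elasticsearch guess a numeric type if it happens to arrive first.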

reighnman over 3 years ago

123dev: I have not experienced that issue using 2008 R2 DNS servers with the NXLog example in the doc, so I'm not sure.

123dev over 3 years ago

This is a great ContentPack, thanks for sharing.

One question, how do you manage to keep the dns.log file from disappearing on you (on rotation)?
The thread [] discusses the issue.

I wonder if anyone has managed to figure out a way around this limitation.

reighnman over 3 years ago

Whoops, I forgot about this. I had to create a mapping template in ES to hard-set the ThreadID field type as String (which I'll add to the doc), but for reference something like this (to create a template called graylog that matches all indexes starting with "graylog"):

curl -XPUT localhost:9200/_template/graylog -d '

Basically, with ES, when a new field is created it dynamically assigns its type based on the first insert, so if the first value you're inserting is all integers it assigns the field as int (which ThreadID is 90% of the time). ThreadID can also contain alphanumerics, so when an alphanumeric ThreadID comes around later it can't be inserted into the field because ES is requiring an int value.
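reighnman's explanation above and skear's later note about Elasticsearch 5.6 both come down to one mapping template whose body is cut off in their posts. The following Python snippet is an added example, not the page's or the content pack's code: it builds the template in the form each ES major version accepts (string/not_analyzed for 2.x, keyword for 5.x, as skear describes), renders the curl command, and replays the first-insert type guess described in this thread on a constructed sequence of ThreadID values, so the NumberFormatException on "0AD4" from richardd84's log is reproduced without a cluster. The graylog_* pattern, the localhost:9200 host and the single "message" mapping type are assumptions.

```python
import json
from typing import Iterable, List, Optional, Tuple


def threadid_template(es_major: int, index_pattern: str = "graylog_*") -> dict:
    """Index template that pins ThreadID to a non-analyzed string.

    ES 2.x takes "string" with "index": "not_analyzed"; ES 5.x removed the
    string type, so the same intent is written as "keyword". The
    template/mappings/message layout is an assumption about Graylog's
    single "message" document type.
    """
    if es_major >= 5:
        field = {"type": "keyword", "index": True}
    else:
        field = {"type": "string", "index": "not_analyzed"}
    return {
        "template": index_pattern,
        "mappings": {"message": {"properties": {"ThreadID": field}}},
    }


def render_curl(template: dict, host: str = "localhost:9200",
                name: str = "graylog") -> str:
    """Render the PUT that installs the template (host and name are assumptions)."""
    body = json.dumps(template, indent=2)
    return (f"curl -XPUT {host}/_template/{name} "
            f"-H 'Content-Type: application/json' -d '{body}'")


def simulate_indexing(values: Iterable[str],
                      template: Optional[dict] = None) -> Tuple[str, List[str]]:
    """Replay the first-insert type guess this thread describes.

    Without a template the field type is fixed by the first value: all digits
    means a number, anything else a string. Every later value must fit that
    type; those that do not are the ones ES logs as NumberFormatException.
    With the template the type is set before any document arrives.
    Returns (field_type, rejected_values). This is a simplified model for
    illustration, not a re-implementation of Elasticsearch.
    """
    mapped_type = None
    if template is not None:
        mapped_type = template["mappings"]["message"]["properties"]["ThreadID"]["type"]
    rejected: List[str] = []
    for value in values:
        looks_numeric = value.isdigit()
        if mapped_type is None:
            mapped_type = "long" if looks_numeric else "string"
        if mapped_type == "long" and not looks_numeric:
            rejected.append(value)
    return mapped_type, rejected


# Constructed ThreadID sequence: a digits-only value first, then hex values
# like the "0AD4" from richardd84's error and the "15F8" in Pajje99's lines.
SAMPLE_THREAD_IDS = ["1234", "0AD4", "15F8", "1234"]

if __name__ == "__main__":
    print(render_curl(threadid_template(5)))
    print("no template:", simulate_indexing(SAMPLE_THREAD_IDS))
    print("with template:", simulate_indexing(SAMPLE_THREAD_IDS, threadid_template(5)))
```

Cycling the deflector only re-rolls the dice on which value arrives first in the new index; the template removes the guess, which is why reighnman and lennartkoopmann treat the template as the fix and cycling as the stopgap.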


richardd84 over 3 years ago

Yep, this is what it was: the field "ThreadID" was already in use as a numeric type. I ended up changing the field name within the grok pattern to %{WINDNS_THREADID:WinDNSThreadID} which resolved the issue.


lennartkoopmann over 3 years ago

The field "ThreadID" seems to be mapped as a numerical type. Do you have that field name in some other messages where it is a number and not a string? Try doing a manual index cycle to reset the mapping (System -> Indices -> "Maintenance" dropdown) and try renaming the field this content pack creates if that does not work.

richardd84 over 3 years ago

I seem to have a problem with the grok pattern for the ThreadID in the DNS debug logging.

2015-10-26_20:39:33.72886 [185]: index [graylog_1], type [message], id [a93a3f83-7c21-11e5-a1dc-005056846a42], message [MapperParsingException[failed to parse [ThreadID]]; nested: NumberFormatException[For input string: "0AD4"]; ]
2015-10-26_20:39:33.72886 [186]: index [graylog_1], type [message], id [a93a3f85-7c21-11e5-a1dc-005056846a42], message [MapperParsingException[failed to parse [ThreadID]]; nested: NumberFormatException[For input string: "0AD4"]; ]
2015-10-26_20:39:33.72886 [187]: index [graylog_1], type [message], id [a93a3f87-7c21-11e5-a1dc-005056846a42], message [MapperParsingException[failed to parse [ThreadID]]; nested: NumberFormatException[For input string: "0AD4"]; ]

Any ideas?

