Events & output formats

ISC BIND querylog format

Querylog enhancements

DnsStream’s querylog output is based on the ISC BIND query log format, extended with a response: keyword and inline answer records for response events. Two further keywords are emitted: metrics: for periodic metrics events, and error: for errors such as parse failures encountered while processing events from the Windows DNS server.

Channel Event types
queries Both query and response events
error Parse error events
metrics Periodic metrics events

Querylog events are delivered as the syslog message body in both BSD syslog and RFC 5424 delivery modes.

The querylog format has two variants controlled by log-querylog-format in dnsstream.conf:

  • Standard - the core BIND querylog fields only.
  • Extended - standard fields plus a size, transaction ID and domain field.

Both standard and extended formats are documented for each relevant event type.

Syslog envelopes

DnsStream delivers events wrapped in a syslog envelope when log-format querylog is set. Two envelope formats are available: BSD syslog (RFC 3164) and structured syslog (RFC 5424).

The BSD syslog (RFC 3164) envelope is the older of the two formats and is supported by virtually every syslog receiver. It has no version field, uses a locale-dependent timestamp with no year or timezone, and carries the PID in bracket notation attached to the app name.

<30>Mar 23 19:40:44 WIN-4L04FD5AKGL dnsstream[8296]: <event>
Field Example Description
priority <30> Syslog priority encoded as <facility × 8 + severity>. <30> = facility 3 (daemon) × 8 + severity 6 (informational).
timestamp Mar 23 19:40:44 Local server time in MMM DD HH:MM:SS format. No year, no timezone designator.
hostname WIN-4L04FD5AKGL Hostname of the Windows DNS server.
app-name dnsstream Always dnsstream.
procid [8296] Windows process ID of the DnsStream service, in brackets immediately after the app name, followed by a colon.
message - The <event> payload. Begins immediately after the colon and space.

The BSD syslog timestamp has no year and no timezone. Where DNS servers are deployed across multiple timezones, or where log correlation depends on sub-second precision, prefer RFC 5424.

RFC 5424 is the modern structured syslog format. It adds a version field, a timezone-aware ISO 8601 timestamp, a message ID field, and a structured data section. DnsStream sets both the message ID and structured data fields to the nil value -, carrying all event data in the message body.

<30>1 2000-01-01T19:00:00Z windows2025 dnsstream 6824 - - <event>
Field Example Description
priority <30> Syslog priority. Same encoding as BSD syslog.
version 1 RFC 5424 version. Always 1. No separator between priority and version.
timestamp 2000-01-01T19:00:00Z ISO 8601 / RFC 3339 timestamp in UTC. Year and timezone are always present. Z suffix denotes UTC.
hostname windows2025 Hostname of the Windows DNS server.
app-name dnsstream Always dnsstream.
procid 6824 Windows process ID of the DnsStream service. Space-separated, no brackets.
msgid - Nil. DnsStream does not populate the RFC 5424 message ID field.
structured-data - Nil. All event data is in the message body.
message - The <event> payload. Begins after the final - and space.

Prefer RFC 5424 (rfc5424) for all new deployments. The timezone-aware timestamp eliminates ambiguity in multi-timezone environments, and the version field makes the format reliably distinguishable from other syslog sources in mixed-origin pipelines.

The same priority value, which defaults to <30>, is used for all DnsStream events. For reference:

Facility Value Severity Value Combined priority
daemon 3 informational 6 <30>

This can be changed in the dnsstream.conf configuration file.

Client query event

A client query event is generated when the Windows DNS Server receives an inbound query from a client. It captures the question the client asked before the server has produced a response.

Full message - with log-syslog-format rfc5424 and log-querylog-format standard set:

<30>1 2000-01-01T19:00:00Z windows2025 dnsstream 6824 - - queries: client 192.168.68.164#61776: query: telemity.com. IN A + (192.168.68.162)

Full message - with log-syslog-format rfc5424 and log-querylog-format extended set:

<30>1 2000-01-01T19:00:00Z windows2025 dnsstream 6824 - - queries: client 192.168.68.164#61776 %1085: query: telemity.com. [telemity.com.] IN A + (192.168.68.162 32b)

Full message - with log-syslog-format bsd and log-querylog-format standard set:

<30>Mar 23 19:40:44 WIN-4L04FD5AKGL dnsstream[8296]: queries: client 192.168.68.164#61750: query: telemity.com. IN A + (192.168.68.162)

Standard fields are always included; extended fields are present only when log-querylog-format extended is set.

Field Example Format Description
event-keyword queries: Standard Fixed keyword present on all DnsStream querylog events.
client-keyword client Standard Fixed keyword preceding the client address.
client-ip 192.168.68.164 Standard IPv4 or IPv6 address of the DNS client.
client-port #61776 Standard Source port of the query, separated from the client IP by #.
txid %1085 Extended DNS transaction ID. 16-bit value shared between the query and its response. Identifiable with its % prefix.
type-keyword query: Standard Identifies this as a client query event. Response events use response: here.
qname telemity.com. Standard Queried domain name, always with a trailing dot unless log-trailing-dot off is set.
qdomain [telemity.com.] Extended The DNS domain derived from the query name. For example, a query for www.sub.telemity.com. yields [telemity.com.]. If domain-suffix-mode off is set, this field will be empty, i.e. [].
qclass IN Standard DNS query class. IN in all normal deployments.
qtype A Standard DNS record type requested.
flags + Standard Query flags. See below.
server-ip (192.168.68.162) Standard IP address of the DNS server interface that received the query, in parentheses.
size (192.168.68.162 117b) Extended Size of the DNS response packet in bytes. Inserted into the parentheses containing the server IP, separated from it by a space. Easily identifiable with its b suffix.

The flags field reflects the DNS header flags present in the query. Flags are concatenated without separators. The following flags are currently included:

Character Flag Meaning
+ RD - Recursion Desired Client requested recursive resolution; if not, the character is - instead. This position is always present.
T TCP Query arrived over TCP rather than UDP; absent for UDP queries.

Client response event

A client response event is generated when the DNS server sends a response. DnsStream extends the BIND querylog format with the response code and the full answer section appended after the server IP.

Full message - with log-syslog-format rfc5424 and log-querylog-format standard set:

<30>1 2000-01-01T19:00:00Z windows2025 dnsstream 6824 - - queries: client 192.168.68.164#61776: response: www.telemity.com. IN A + (192.168.68.162) NOERROR; www.telemity.com. 600 IN CNAME telemity.com.; telemity.com. 600 IN A 20.47.114.0

Full message - with log-syslog-format rfc5424 and log-querylog-format extended set:

<30>1 2000-01-01T19:00:00Z windows2025 dnsstream 6824 - - queries: client 192.168.68.164#61776 %1085: response: www.telemity.com. [telemity.com.] IN A + (192.168.68.162 89b) NOERROR; www.telemity.com. [telemity.com.] 600 IN CNAME telemity.com.; telemity.com. [telemity.com.] 600 IN A 20.47.114.0

Full message - with log-syslog-format bsd and log-querylog-format standard set:

<30>Mar 23 19:40:44 WIN-4L04FD5AKGL dnsstream[8296]: queries: client 192.168.68.164#61776: response: www.telemity.com. IN A + (192.168.68.162) NOERROR; www.telemity.com. 600 IN CNAME telemity.com.; telemity.com. 600 IN A 20.47.114.0

Standard fields are always included; extended fields are present only when log-querylog-format extended is set.

Field Example Format Description
event-keyword queries: Standard Fixed keyword. Same as client query.
client-keyword client Standard Fixed keyword. Same as client query.
client-ip 192.168.68.164 Standard IPv4 or IPv6 address of the DNS client.
client-port #61776 Standard Source port of the query.
txid %1085 Extended DNS transaction ID. 16-bit value shared between the query and its response. Identifiable with its % prefix.
type-keyword response: Standard Distinguishes this as a client response event. Query events use query: here.
qname www.telemity.com. Standard Queried domain name, always with a trailing dot unless log-trailing-dot off is set. The name from the original question - not necessarily the name in the answer records.
qdomain [telemity.com.] Extended The DNS domain derived from the query name. For example, a query for www.sub.telemity.com. yields [telemity.com.]. If domain-suffix-mode off is set, this field will be empty, i.e. [].
qclass IN Standard DNS query class.
qtype A Standard DNS record type that was requested.
flags + Standard Query flags from the original request. See below.
server-ip (192.168.68.162) Standard DNS server interface that received the query.
size (192.168.68.162 117b) Extended Size of the DNS response packet in bytes. Inserted into the parentheses containing the server IP, separated from it by a space. Easily identifiable with its b suffix.
rcode NOERROR Standard DNS response code in string form.
answer-records ; <record>; <record> ... Standard Answer section records in DNS presentation format, each preceded by ; (semicolon and space). No trailing semicolon. FQDNs in record name and data fields always end with a trailing dot unless log-trailing-dot off is set.

The flags field reflects the DNS header flags present in the response. Flags are concatenated without separators. The following flags are currently included:

Character Flag Meaning
+ RD - Recursion Desired Client requested recursive resolution; if not, the character is - instead. This position is always present.
T TCP Query arrived over TCP rather than UDP; absent for UDP queries.

Each record in the answer-records field follows standard DNS presentation format: name ttl class type data. In the extended querylog format an additional domain field follows name. Every record is preceded by ; (semicolon and space), which makes the records easy to capture with regex groups and makes the presence of answer records easy to detect. The example shows a two-record CNAME chain in extended format:

; www.telemity.com. [telemity.com.] 600 IN CNAME telemity.com.; telemity.com. [telemity.com.] 600 IN A 20.47.114.0
Sub-field Example Format Description
name www.telemity.com. Standard Owner name of the record, with trailing dot. Differs from qname on intermediate CNAME records.
domain [telemity.com.] Extended The DNS domain derived from the name of the record. For example, a record name www.sub.telemity.com. yields [telemity.com.]. If domain-suffix-mode off is set, this field will be empty, i.e. [].
ttl 600 Standard Time to live in seconds.
class IN Standard Record class. Always IN.
type CNAME / A Standard Record type. May differ from qtype in CNAME chains.
data telemity.com. / 20.47.114.0 Standard Record data in presentation format. Format is type-dependent.

FQDNs in name and data always end with a trailing dot unless log-trailing-dot off is set.

The data field of each DNS record is always a string in DNS presentation format, i.e. what you would find in a plain-text DNS zone file. The format is determined by rrtype, for example:

rrtype Format Example
A IPv4 address "20.47.114.0"
AAAA IPv6 address "2606:2800:220:1:248:1893:25c8:1946"
CNAME Domain name "telemity.com."
MX Preference and exchange name "10 mail.telemity.com."
NS Name server name "ns1.telemity.com."
PTR Domain name "telemity.com."
TXT Quoted string "\"v=spf1 include:_spf.google.com ~all\""
SOA mname rname serial refresh retry expire minimum "ns1.telemity.com. hostmaster.telemity.com. 2024031201 3600 900 604800 300"
SRV Priority weight port target "10 20 443 sip.telemity.com."
Unknown Hex-encoded data with length prefix "\# 32 0004e01a..."

Unknown record types are preserved as hex-encoded data and are never silently dropped. If DnsStream encounters an unfamiliar rrtype, the raw bytes are always available in data using the format \# <length> <hex-encoding>.
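The parser below is an added example for this page, not DnsStream's own code. It strips either syslog envelope described above, then decodes query and response events in both the standard and the extended querylog format (txid, qdomain and size are optional groups), and passes error: and metrics: payloads through as text. The regular expressions are this example's own; they are written against the message layouts documented on this page.

```python
r"""Parse DnsStream querylog lines: strip the BSD (RFC 3164) or RFC 5424 syslog
envelope, then decode the queries:/error:/metrics: payload in either the
standard or the extended querylog format."""
import re

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG (MSGID and SD are "-")
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) \S+ \S+ (?P<msg>.*)$")
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME app[pid]: MSG
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[^\s\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Query/response payload. The optional groups are the extended-format additions
# ("%txid" after the port, "[qdomain]" after qname, "NNb" inside the server-IP
# parentheses); rcode and the "; "-prefixed answer records exist only on responses.
QUERY_RE = re.compile(
    r"^queries: client (?P<client>[^#\s]+)#(?P<port>\d+)(?: %(?P<txid>\d+))?: "
    r"(?P<kind>query|response): (?P<qname>\S+)(?: \[(?P<qdomain>[^\]]*)\])? "
    r"(?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) "
    r"\((?P<server>[^\s)]+)(?: (?P<size>\d+)b)?\)"
    r"(?: (?P<rcode>[A-Z0-9]+)(?P<answers>(?:; .*)?))?$")


def parse_envelope(line: str) -> dict:
    """Accept either envelope; PRI is split back into facility and severity."""
    m = RFC5424_RE.match(line) or BSD_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised syslog envelope: {line[:40]!r}")
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m["ts"],
            "host": m["host"], "procid": int(m["pid"]) if m["pid"].isdigit() else None,
            "message": m["msg"]}


def parse_record(text: str) -> dict:
    """One answer record: name [domain] ttl class type data ([domain] only in extended)."""
    name, rest = text.split(" ", 1)
    domain = None
    if rest.startswith("["):
        dom, rest = rest.split(" ", 1)
        domain = dom[1:-1]                      # "" when domain-suffix-mode is off
    ttl, rrclass, rrtype, data = rest.split(" ", 3)   # data may itself contain spaces
    return {"name": name, "domain": domain, "ttl": int(ttl),
            "rrclass": rrclass, "rrtype": rrtype, "data": data}


def parse_event(msg: str) -> dict:
    """Decode the payload; error: and metrics: events are passed through as text."""
    if msg.startswith(("error: ", "metrics: ")):
        kind, body = msg.split(": ", 1)
        return {"kind": kind, "body": body}
    m = QUERY_RE.match(msg)
    if not m:
        raise ValueError(f"unrecognised querylog event: {msg[:60]!r}")
    ev = {"kind": m["kind"], "client": m["client"], "port": int(m["port"]),
          "txid": int(m["txid"]) if m["txid"] else None,
          "qname": m["qname"], "qdomain": m["qdomain"],
          "qclass": m["qclass"], "qtype": m["qtype"], "server": m["server"],
          "size": int(m["size"]) if m["size"] else None,
          # flags: first character is "+" (RD set) or "-"; a "T" marks TCP transport
          "rd": m["flags"][0] == "+", "tcp": "T" in m["flags"]}
    if m["kind"] == "response":
        ev["rcode"] = m["rcode"]
        answers = m["answers"] or ""            # "" when the answer section is empty
        # Records are introduced by "; ". A TXT value that itself contains "; "
        # would need a type-aware split; this page's examples do not.
        ev["answers"] = [parse_record(r) for r in answers[2:].split("; ")] if answers else []
    return ev


def parse_line(line: str) -> dict:
    env = parse_envelope(line)
    env["event"] = parse_event(env.pop("message"))
    return env
```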

Parse error event

Generated when DnsStream receives an ETW event which contains a DNS packet it cannot parse. Captures the raw packet for downstream analysis and includes an error description.

Error events are delivered to the same forwarding target as DNS events, in the same querylog format and the same configured syslog envelope, so they can be parsed and routed by the same pipeline. They are distinguished from other events by the error: keyword in place of queries:.

Full message - with log-syslog-format rfc5424 set:

<28>1 2000-01-01T19:00:00Z windows2025 dnsstream 6824 - - error: client 192.168.68.164#54812: Read DNS message failed: Read uint16_t failed: Offset 8 + 2 is out of bounds for data of 9 bytes: \# 9 A51500200001000000

Full message - with log-syslog-format bsd set:

<28>Mar 23 19:40:44 WIN-4L04FD5AKGL dnsstream[8296]: error: client 192.168.68.164#54812: Read DNS message failed: Read uint16_t failed: Offset 8 + 2 is out of bounds for data of 9 bytes: \# 9 A51500200001000000
Field Example Description
event-keyword error: Fixed keyword identifying this as a parse error event. Distinct from the queries: keyword used on query and response events.
client-keyword client Fixed keyword preceding the client address.
client-ip 192.168.68.164 IPv4 or IPv6 address of the client that sent the malformed packet.
client-port #54812 Source port of the malformed packet, separated from the client IP by #.
error-description Read DNS message failed: ... Human-readable error description from the Windows DNS Server service explaining why the packet could not be parsed.
packet-data raw: Fixed keyword preceding the hex-encoded packet bytes.
packet-data \# 9 A515002000010000001b2c3d4e5f0a1b2c Hex-encoded bytes of the raw packet as received with a length prefix. Suitable for offline analysis.

Metrics event

A metrics event is emitted by DnsStream at each configured log-metrics-interval.

Metrics events are delivered to the same forwarding target as DNS events, in the same querylog format and the same configured syslog envelope, so they can be parsed and routed by the same pipeline. They are distinguished from other events by the metrics: keyword in place of queries:.

Full message - with log-syslog-format rfc5424 set:

<30>1 2026-03-24T10:00:00Z windows2025 dnsstream 6824 - - metrics: etwReader[numberOfBuffers=16 freeBuffers=16 eventsLost=0 buffersWritten=310875 logBuffersLost=0 realTimeBuffersLost=0] forwarder[id=0 host=host1.internal port=514 state=connected bytesSent=5629 eventsSent=42 connects=1] eventQueue[eventsProcessed=42 eventsQueued=0 eventsDropped=0]

Full message - with log-syslog-format bsd set:

<30>Mar 24 10:00:00 windows2025 dnsstream[6824]: metrics: etwReader[numberOfBuffers=16 freeBuffers=16 eventsLost=0 buffersWritten=310875 logBuffersLost=0 realTimeBuffersLost=0] forwarder[id=0 host=host1.internal port=514 state=connected bytesSent=5629 eventsSent=42 connects=1] eventQueue[eventsProcessed=42 eventsQueued=0 eventsDropped=0]

Metrics fields are documented under the Field reference section in the Metrics & health documentation.

JSON format

Top-level envelope

DnsStream’s JSON output sends newline-delimited JSON objects (NDJSON) over a persistent TCP connection. Each event is a single JSON object on a single line, terminated by \n. There is no framing, no length prefix, and no enclosing array - each line is a complete, independently parseable event.

{"timestamp":"2000-01-01T19:00:00Z","host":"windows2025",...}\n

Every DnsStream JSON event shares the same top-level structure.

{
  "timestamp": "2000-01-01T19:00:00Z",
  "host":      "windows2025",
  "schema":    1,
  "type":      "client-response",
  "data":      { ... }
}
Field Type Example Description
timestamp string "2000-01-01T19:00:00Z" ISO 8601 / RFC 3339 capture timestamp in UTC. Z suffix always present.
host string "windows2025" NetBIOS name or FQDN of the Windows DNS server, or the value of log-hostname if set.
schema integer 1 Event schema version, currently always 1.
type string "client-response" Event type discriminator. See event types below.
data object - DNS event payload. Structure varies by type.

The following event types are currently defined (schema version changes when new event types are introduced):

type value Description
"client-query" Inbound DNS query received by the server. Contains question section fields only - no response data.
"client-response" DNS response sent by the server. Contains the question section, response code, and full answer, authority, and additional sections.
"parse-error" A DNS packet the server could not parse. Contains raw packet bytes and an error description.
"metrics" Periodic operational metrics event. Emitted at each log-metrics-interval.

Client query event

Generated when the Windows DNS Server service receives an inbound DNS query from a client. Captures the client’s question before the server has produced a response. Contains question section fields only - no response data is present.

{
  "timestamp": "2000-01-01T19:00:00Z",
  "host":      "windows2025",
  "schema":    1,
  "type":      "client-query",
  "data": {
    "client":  "192.168.68.164",
    "server":  "192.168.68.162",
    "port":    61776,
    "proto":   "udp",
    "size":    32,
    "txid":    1085,
    "flags": {
      "rd": true
    },
    "qname":   "www.telemity.com.",
    "qdomain": "telemity.com.",
    "qclass":  "IN",
    "qtype":   "A"
  }
}

The following data fields are included in addition to the Top-level envelope fields:

Field Type Example Description
client string "192.168.68.164" IPv4 or IPv6 address of the DNS client that sent the query.
server string "192.168.68.162" IP address of the DNS server interface that received the query. On multi-homed servers this identifies which interface was used.
port integer 61776 Source port of the query on the client side.
proto string "udp" Transport protocol. "udp" or "tcp".
size integer 32 Size of the DNS query packet in bytes.
txid integer 1085 DNS transaction ID. 16-bit value chosen by the client and echoed in the server’s response. Use this field to correlate a client-query with its corresponding client-response.
flags object See below Flags from the DNS message header. See below.
qname string "www.telemity.com." Queried domain name. Trailing dot present unless log-trailing-dot off is set in dnsstream.conf.
qdomain string "telemity.com." Registered apex domain derived from qname. A query for www.sub.telemity.com. yields "telemity.com.". Absent if domain-suffix-mode off is set.
qclass string "IN" DNS query class. "IN" (Internet) in all normal deployments.
qtype string "A" DNS record type requested by the client. Common values: "A", "AAAA", "CNAME", "MX", "TXT", "NS", "PTR", "SOA", "SRV".

The flags object reflects the DNS header flags present in the query.

Field Type Example Description
rd boolean true Recursion Desired. Client requests that the server resolve the query recursively.

Client response event

Generated when the Windows DNS Server service sends a DNS response to a client. Extends the client query fields with the server’s answer - the response code and the full answer, authority, and additional sections.

{
  "timestamp": "2000-01-01T19:00:00Z",
  "host":      "windows2025",
  "schema":    1,
  "type":      "client-response",
  "data": {
    "client":  "192.168.68.164",
    "server":  "192.168.68.162",
    "port":    61776,
    "proto":   "udp",
    "size":    89,
    "txid":    1085,
    "flags": {
      "rd": true,
      "ra": true,
      "aa": false,
      "tc": false
    },
    "qname":   "www.telemity.com.",
    "qdomain": "telemity.com.",
    "qclass":  "IN",
    "qtype":   "A",
    "rcode":   "NOERROR",
    "answers": [
      {
        "name":    "www.telemity.com.",
        "ttl":     600,
        "rrclass": "IN",
        "rrtype":  "CNAME",
        "data":    "telemity.com."
      },
      {
        "name":    "telemity.com.",
        "ttl":     600,
        "rrclass": "IN",
        "rrtype":  "A",
        "data":    "20.47.114.0"
      }
    ],
    "authority":  [],
    "additional": []
  }
}

The following data fields are included in addition to the Top-level envelope fields:

Field Type Example Description
client string "192.168.68.164" IPv4 or IPv6 address of the DNS client.
server string "192.168.68.162" IP address of the DNS server interface that received the query.
port integer 61776 Source port of the original query on the client side.
proto string "udp" Transport protocol. "udp" or "tcp".
size integer 89 Size of the DNS response packet in bytes.
txid integer 1085 DNS transaction ID. Matches the txid on the corresponding client-query event.
flags object See below Flags from the DNS message header. See below.
qname string "www.telemity.com." The name from the original question section - not necessarily the name that appears in the answer records.
qdomain string "telemity.com." Registered apex domain derived from qname. A query for www.sub.telemity.com. yields "telemity.com.". Absent if domain-suffix-mode off is set.
qclass string "IN" DNS query class.
qtype string "A" DNS record type that was requested. The answer section may contain records of a different type - for example CNAME records before the terminal address record.
rcode string "NOERROR" DNS response code. See RCODE reference below.
answers array See below DNS answer section records. An array of DNS records as defined below.
authority array See below DNS authority section records. An array of DNS records as defined below.
additional array See below DNS additional section records. An array of DNS records as defined below.

The flags object reflects the DNS header flags present in the response.

Field Type Example Description
rd boolean true Recursion Desired. Client requests that the server resolve the query recursively.
ra boolean false Recursion Available. Always false on client query events - this flag is set by the server in its response.
aa boolean false Authoritative Answer. Always false on client query events.
tc boolean false Truncated. true if the response packet was truncated.

DNS records in answers, authority, and additional are objects which define one complete DNS record:

Field Type Description
name string Owner name of the record. Trailing dot present unless log-trailing-dot off is set. Differs from qname on intermediate CNAME records.
domain string Registered apex domain derived from name. A name of www.sub.telemity.com. yields "telemity.com.". Absent if domain-suffix-mode off is set.
ttl integer Time to live in seconds.
rrclass string Resource record class. Always "IN" in practice.
rrtype string Resource record type. Determines the format of data.
data string Record data in DNS presentation format. See record data formats below.

Trailing dots on domain names are present unless log-trailing-dot off is set in dnsstream.conf, in which case they are omitted from all FQDN values throughout the event.

The data field of each DNS record is always a string in DNS presentation format, i.e. what you would find in a plain-text DNS zone file. The format is determined by rrtype, for example:

rrtype Format Example
A IPv4 address "20.47.114.0"
AAAA IPv6 address "2606:2800:220:1:248:1893:25c8:1946"
CNAME Domain name "telemity.com."
MX Preference and exchange name "10 mail.telemity.com."
NS Name server name "ns1.telemity.com."
PTR Domain name "telemity.com."
TXT Quoted string "\"v=spf1 include:_spf.google.com ~all\""
SOA mname rname serial refresh retry expire minimum "ns1.telemity.com. hostmaster.telemity.com. 2024031201 3600 900 604800 300"
SRV Priority weight port target "10 20 443 sip.telemity.com."
Unknown Hex-encoded data with length prefix "\# 32 0004e01a..."

Unknown record types are preserved as hex-encoded data and are never silently dropped. If DnsStream encounters an unfamiliar rrtype, the raw bytes are always available in data using the format \# <length> <hex-encoding>.
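The consumer below is an added example for this page, not DnsStream's own code. It covers the JSON section as a whole: it reassembles NDJSON lines across TCP read boundaries (the stream has no framing or length prefix), rejects unknown schema versions, pairs client-query and client-response events by client, port and txid, reads eventsDropped from metrics events, and validates the \# length prefix on unknown-type data. The sample events, including the TYPE65280 record, are constructed, not captured from a real deployment.

```python
r"""Consume DnsStream NDJSON over TCP: reassemble lines across chunk boundaries,
pair client-query with client-response by (client, port, txid), and decode
unknown-rrtype data given in the '\# <len> <hex>' form."""
import json
from typing import Iterator, List

SCHEMA = 1  # the only schema version this consumer understands


class NdjsonReader:
    """A TCP read may end mid-line (there is no framing or length prefix), so the
    unterminated tail is buffered until its terminating newline arrives."""

    def __init__(self) -> None:
        self._buf = b""

    def feed(self, chunk: bytes) -> Iterator[dict]:
        self._buf += chunk
        while (nl := self._buf.find(b"\n")) >= 0:
            line, self._buf = self._buf[:nl], self._buf[nl + 1:]
            if line.strip():
                yield json.loads(line)


def decode_unknown_rdata(data: str) -> bytes:
    r"""Decode '\# <length> <hex>' and check the length prefix against the bytes."""
    marker, length, hexdata = data.split(" ", 2)
    if marker != r"\#":
        raise ValueError("not unknown-type rdata")
    raw = bytes.fromhex(hexdata.replace(" ", ""))
    if len(raw) != int(length):
        raise ValueError(f"length prefix {length} != {len(raw)} bytes")
    return raw


def process(chunks: List[bytes]) -> dict:
    """Run the stream and return a summary a pipeline would act on."""
    reader = NdjsonReader()
    pending = {}                       # (client, port, txid) -> client-query event
    out = {"pairs": 0, "unmatched": 0, "dropped": 0, "unknown_rdata": []}
    for chunk in chunks:
        for ev in reader.feed(chunk):
            if ev.get("schema") != SCHEMA:
                raise ValueError(f"unsupported schema {ev.get('schema')}")
            d, kind = ev["data"], ev["type"]
            if kind == "metrics":          # eventsDropped > 0 means telemetry gaps
                out["dropped"] += d["eventQueue"]["eventsDropped"]
            elif kind == "client-query":
                pending[(d["client"], d["port"], d["txid"])] = ev
            elif kind == "client-response":
                if pending.pop((d["client"], d["port"], d["txid"]), None) is None:
                    out["unmatched"] += 1   # response without its query (e.g. ETW loss)
                else:
                    out["pairs"] += 1
                for rr in d.get("answers", []) + d.get("authority", []) + d.get("additional", []):
                    if rr["data"].startswith(r"\# "):
                        out["unknown_rdata"].append(decode_unknown_rdata(rr["data"]).hex())
    return out


# Constructed sample stream (not captured from a real DnsStream instance). The
# chunk boundaries below are placed mid-line on purpose to exercise reassembly.
SAMPLE = (
    b'{"timestamp":"2000-01-01T19:00:00Z","host":"windows2025","schema":1,'
    b'"type":"client-query","data":{"client":"192.168.68.164","server":"192.168.68.162",'
    b'"port":61776,"proto":"udp","size":32,"txid":1085,"flags":{"rd":true},'
    b'"qname":"www.telemity.com.","qdomain":"telemity.com.","qclass":"IN","qtype":"A"}}\n'
    b'{"timestamp":"2000-01-01T19:00:00Z","host":"windows2025","schema":1,'
    b'"type":"client-response","data":{"client":"192.168.68.164","server":"192.168.68.162",'
    b'"port":61776,"proto":"udp","size":89,"txid":1085,"flags":{"rd":true,"ra":true,"aa":false,"tc":false},'
    b'"qname":"www.telemity.com.","qdomain":"telemity.com.","qclass":"IN","qtype":"A","rcode":"NOERROR",'
    b'"answers":[{"name":"www.telemity.com.","ttl":600,"rrclass":"IN","rrtype":"TYPE65280",'
    b'"data":"\\\\# 4 c0a844a4"}],"authority":[],"additional":[]}}\n'
    b'{"timestamp":"2026-03-24T10:00:00Z","host":"windows2025","schema":1,"type":"metrics",'
    b'"data":{"etwReader":{"eventsLost":0},"forwarders":[],"eventQueue":{"eventsProcessed":2,'
    b'"eventsQueued":0,"eventsDropped":3}}}\n'
)
CHUNKS = [SAMPLE[:100], SAMPLE[100:700], SAMPLE[700:]]

if __name__ == "__main__":
    print(process(CHUNKS))
```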

Parse error event

Generated when DnsStream receives an ETW event which contains a DNS packet it cannot parse. Captures the raw packet for downstream analysis and includes an error description.

{
  "timestamp": "2000-01-01T19:00:00Z",
  "host":      "windows2025",
  "schema":    1,
  "type":      "parse-error",
  "data": {
    "client":  "192.168.68.164",
    "server":  "192.168.68.162",
    "port":    54812,
    "size":    9,
    "error":   "Read DNS message failed: Read uint16_t failed: Offset 8 + 2 is out of bounds for data of 9 bytes",
    "packet":  "0a1b2c3d4e5f0a1b2c"
  }
}

The following data fields are included in addition to the Top-level envelope fields:

Field Type Example Description
client string "192.168.68.164" IPv4 or IPv6 address of the client that sent the malformed packet.
server string "192.168.68.162" IP address of the DNS server interface that received the packet.
port integer 54812 Source port of the packet on the client side.
size integer 18 Size of the received packet in bytes.
error string "Read DNS message failed..." Error describing why the packet could not be parsed.
packet string "0a1b2c3d4e5f0a1b2c" Hex-encoded bytes of the raw packet as received. Suitable for offline analysis.

Metrics event

Generated at each configured log-metrics-interval. The metrics event uses the same top-level envelope as other events, travels through the same forwarding pipeline, and is distinguished from other events by "type": "metrics". This allows SIEM-side dashboards and health alerts to be driven by the same data stream as DNS telemetry, with no separate monitoring channel required.

{
  "timestamp": "2026-03-24T10:00:00Z",
  "host":      "windows2025",
  "schema":    1,
  "type":      "metrics",
  "data": {
    "etwReader": {
      "numberOfBuffers":      16,
      "freeBuffers":          16,
      "eventsLost":           0,
      "buffersWritten":       310875,
      "logBuffersLost":       0,
      "realTimeBuffersLost":  0
    },
    "forwarders": [
      {
        "id":         0,
        "host":       "host1.internal",
        "port":       514,
        "state":      "connected",
        "bytesSent":  5629,
        "eventsSent": 42,
        "connects":   1
      }
    ],
    "eventQueue": {
      "eventsProcessed": 42,
      "eventsQueued":    0,
      "eventsDropped":   0
    }
  }
}

Metrics fields, which are included in addition to the Top-level envelope fields, are documented under the Field reference section in the Metrics & health documentation.
