Syslog Feed

This feature is in private beta. Please contact business(at)nextdns.io to request access.

Query logs for a profile can be streamed to a SIEM using the syslog protocol. This feed can be configured in addition to the NextDNS-provided log storage or as a replacement for it. When set up as a replacement, query log events only live in the NextDNS syslog queue for the duration of the delivery.

The NextDNS syslog feed supports TCP and TLS as transport protocols. When TLS is used, the syslog server must use a publicly trusted TLS certificate (like one provided by Let's Encrypt).

Delivery of query log events is retried on error until they are delivered successfully. If the syslog endpoint is not reachable for more than 1 hour, events are dropped (and thus lost) until the endpoint comes back online.

Event order is not guaranteed. Syslog timestamps represent the time of delivery, not the time of the event. The time of the event is in the timestamp field of the payload.

The log event payload is a JSON object with the following fields:

Field               Description
timestamp           Time of the query.
profile             The profile id targeted by the query.
type                The DNS query type. (1)
domain              The fully qualified queried domain name. (1)
root                The root domain of the queried domain (e.g. the root domain of dns.nextdns.io is nextdns.io). The root domain can sometimes be a more qualified domain when those domains are considered public suffixes. (1)
dnssec              Whether the response was signed using DNSSEC.
protocol            The name of the protocol used by the client (e.g. DNS-over-HTTPS).
encrypted           Whether the client used an encrypted protocol.
clientIp            Public IP of the client performing the query. (2)
status              Status of the filtering. If empty, no blocklist, denylist or allowlist matched; otherwise it is either blocked or allowed.
destinationCountry  The country of the IP(s) from the response.
client              The detected client (e.g. nextdns-ios, dnscrypt).
device.id           The id associated with the device performing the query. Note that device ids are unique per configuration: the same device will have a different id from one configuration to the next. This value is only available when the client identification feature is enabled in the client.
device.name         The device name reported by the device performing the query. This value is only available when the client identification feature is enabled in the client.
device.model        The device model reported by the device performing the query. This value is only available when the client identification feature is enabled in the client.
matchedDomain       The domain which matched the list, when it differs from the queried domain. This happens when the queried domain points to a CNAME and the CNAME is blocked, not the queried name.
reasons             List of reasons why the query was either blocked or allowed.

(1) This field is only available if "Log domains" is checked in the settings.
(2) This field is only available if "Log clients IPs" is checked in the settings.
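As an added example (not NextDNS code), a small Python consumer for this feed: it strips the syslog header, orders events by the payload timestamp rather than the delivery time, and summarises blocked queries per device, including the CNAME that actually matched. The syslog header layout, the RFC 3339 timestamp format, the nested device object and all sample values are assumptions of this example.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample, not real NextDNS output. The syslog header layout, the RFC 3339
# "timestamp" form and the nested "device" object are assumptions of this example;
# header delivery times are deliberately out of event order.
SAMPLE_LINES = [
    '<14>1 2024-05-01T10:00:05Z nextdns - - - {"timestamp":"2024-05-01T10:00:03Z",'
    '"profile":"abc123","type":"A","domain":"cdn.example.com","root":"example.com",'
    '"dnssec":true,"protocol":"DNS-over-HTTPS","encrypted":true,"status":"",'
    '"client":"nextdns-ios","device":{"id":"dev1","name":"Phone","model":"iPhone"},'
    '"reasons":[]}',
    '<14>1 2024-05-01T10:00:06Z nextdns - - - {"timestamp":"2024-05-01T10:00:01Z",'
    '"profile":"abc123","type":"A","domain":"tracker.example.net","root":"example.net",'
    '"dnssec":false,"protocol":"DNS-over-TLS","encrypted":true,"status":"blocked",'
    '"client":"dnscrypt","device":{"id":"dev1","name":"Phone","model":"iPhone"},'
    '"matchedDomain":"t.example-cdn.org","reasons":["blocklist"]}',
    '<14>1 2024-05-01T10:00:07Z nextdns - - - {"timestamp":"2024-05-01T10:00:02Z",'
    '"profile":"abc123","type":"AAAA","domain":"ads.example.org","root":"example.org",'
    '"dnssec":false,"protocol":"DNS","encrypted":false,"status":"blocked",'
    '"client":"","device":{"id":"dev2","name":"Laptop","model":"MacBook"},'
    '"reasons":["denylist"]}',
]

def parse_event(line: str) -> dict:
    """Return the JSON payload of one syslog line, skipping the syslog header."""
    start = line.find("{")
    if start < 0:
        raise ValueError("syslog line carries no JSON payload")
    return json.loads(line[start:])

def event_time(event: dict) -> datetime:
    """Time of the query from the payload, not the syslog delivery timestamp."""
    return datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))

def ordered_events(lines) -> list:
    """Parse a batch and restore event order, since delivery order is not guaranteed."""
    return sorted((parse_event(line) for line in lines), key=event_time)

def blocked_summary(events):
    """Blocked queries per device id, plus (queried, matched, reasons) for each block."""
    per_device = Counter()
    matches = []
    for ev in events:
        if ev.get("status") != "blocked":
            continue
        per_device[ev.get("device", {}).get("id", "unknown")] += 1
        matches.append((ev["domain"], ev.get("matchedDomain") or ev["domain"], ev.get("reasons", [])))
    return per_device, matches
```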
