This feature is in private beta. Please contact business(at)nextdns.io to request access.
Query logs for a profile can be streamed to a SIEM using the syslog protocol. This feed can be configured in addition to the NextDNS-provided log storage or as a replacement for it. When set up as a replacement, query log events only live in the NextDNS syslog queue for the duration of the delivery.
NextDNS syslog feed supports TCP and TLS as transport protocols. When TLS is used, the syslog server must use a public TLS certificate (like one provided by LetsEncrypt).
Delivery of query log events is retried on error until they are delivered successfully. If the syslog endpoint is not reachable for more than 1 hour, events are dropped (and thus lost) until the endpoint comes back online.
Event order is not guaranteed. Syslog timestamps represent the time of delivery, not the time of the event. The time of the event is carried in the timestamp field of the payload.
Log event payload is a JSON object with the following fields:
| Field | Description |
|---|---|
| timestamp | Time of the query. |
| profile | The profile id targeted by the query. |
| type | The DNS query type. [1] |
| domain | The fully qualified queried domain name. [1] |
| root | The root domain of the queried domain (e.g. the root domain of dns.nextdns.io is nextdns.io). The root domain can sometimes be a more qualified domain when those domains are considered public suffixes. [1] |
| dnssec | Whether the response was signed using DNSSEC. |
| protocol | The name of the protocol used by the client (e.g. DNS-over-HTTPS). |
| encrypted | Whether the client used an encrypted protocol. |
| clientIp | Public IP of the client performing the query. [2] |
| status | Status of the filtering. If empty, no blocklist, denylist or allowlist matched; otherwise it is either blocked or allowed. |
| destinationCountry | The country of the IP(s) from the response. |
| client | The detected client (e.g. nextdns-ios, dnscrypt). |
| device.id | The id associated with the device performing the query. Note that device ids are unique per configuration: the same device will have a different id from one configuration to the next. This value is only available when the client identification feature is enabled in the client. |
| device.name | The device name reported by the device performing the query. This value is only available when the client identification feature is enabled in the client. |
| device.model | The device model reported by the device performing the query. This value is only available when the client identification feature is enabled in the client. |
| matchedDomain | The domain which matched the list when different from the queried domain. This happens when the queried domain points to a CNAME and the CNAME is blocked, not the queried name. |
| reasons | List of reasons why the query was either blocked or allowed. |
1. This field is only available if "Log domains" is checked in the settings.
2. This field is only available if "Log clients IPs" is checked in the settings.
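The following Python consumer is an added example, not code from NextDNS, showing how a SIEM-side receiver should treat this feed given the caveats above: it ignores the syslog header timestamp and orders events by the payload `timestamp`, it tolerates the optional fields (`domain`, `type` and `root` absent when "Log domains" is off, `clientIp` absent when "Log clients IPs" is off, `device` absent when client identification is off), it treats an empty `status` as "no list matched", and it prefers `matchedDomain` over `domain` when reporting what was blocked (the CNAME case). The syslog framing (an RFC 5424-style header before the JSON object), the nesting of `device.*` as a JSON sub-object, and the shape of the `reasons` entries as plain strings are assumptions; the four sample lines are constructed, not real NextDNS output.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample feed (not real NextDNS output). The syslog header format is
# an assumption; the page only states that the payload is a JSON object.
# Lines arrive out of order on purpose, one event lacks "domain"/"type"/"root"
# ("Log domains" off) and one lacks "clientIp" and "device".
SAMPLE_LINES = [
    '<14>1 2024-01-01T12:00:05Z relay nextdns - - - {"timestamp":"2024-01-01T12:00:03Z","profile":"abc123","type":"A","domain":"tracker.example","root":"tracker.example","dnssec":false,"protocol":"DNS-over-HTTPS","encrypted":true,"clientIp":"203.0.113.7","status":"blocked","client":"nextdns-ios","device":{"id":"dev1","name":"Phone","model":"iPhone"},"reasons":["blocklist:trackers"]}',
    '<14>1 2024-01-01T12:00:04Z relay nextdns - - - {"timestamp":"2024-01-01T12:00:01Z","profile":"abc123","type":"AAAA","domain":"dns.nextdns.io","root":"nextdns.io","dnssec":true,"protocol":"DNS-over-TLS","encrypted":true,"status":"","destinationCountry":"US","client":"dnscrypt","reasons":[]}',
    '<14>1 2024-01-01T12:00:06Z relay nextdns - - - {"timestamp":"2024-01-01T12:00:02Z","profile":"abc123","type":"A","domain":"cdn.site.example","root":"site.example","dnssec":false,"protocol":"DNS-over-HTTPS","encrypted":true,"clientIp":"203.0.113.7","status":"blocked","client":"nextdns-ios","device":{"id":"dev2","name":"Laptop","model":"MacBook"},"matchedDomain":"ads.example","reasons":["blocklist:ads"]}',
    '<14>1 2024-01-01T12:00:07Z relay nextdns - - - {"timestamp":"2024-01-01T12:00:04Z","profile":"abc123","dnssec":false,"protocol":"DNS-over-HTTPS","encrypted":true,"clientIp":"203.0.113.9","status":"allowed","reasons":["allowlist"]}',
]


def parse_line(line):
    """Extract the JSON payload from one syslog line and attach a parsed event time.

    The syslog header timestamp is deliberately ignored: the feed documents it
    as the delivery time, not the time of the query.
    """
    start = line.find("{")
    if start < 0:
        raise ValueError("no JSON payload on line")
    event = json.loads(line[start:])
    # "Z" suffix is not accepted by fromisoformat before Python 3.11
    event["event_time"] = datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))
    return event


def parse_feed(lines):
    """Parse every line and sort by the payload timestamp (delivery order is not guaranteed)."""
    return sorted((parse_line(line) for line in lines), key=lambda e: e["event_time"])


def summarize(events):
    """Roll up the feed the way a detection engineer would: what was blocked, where, and why."""
    summary = {
        "total": len(events),
        "blocked": 0,
        "allowed": 0,
        "unmatched": 0,       # empty status: no blocklist, denylist or allowlist matched
        "without_domain": 0,  # "Log domains" unchecked for this profile
        "blocked_by_device": Counter(),
        "blocked_names": Counter(),  # matchedDomain when present (blocked CNAME), else domain
        "reasons": Counter(),
    }
    for e in events:
        status = e.get("status", "")
        if status == "blocked":
            summary["blocked"] += 1
            device_id = e.get("device", {}).get("id", "unknown")
            summary["blocked_by_device"][device_id] += 1
            name = e.get("matchedDomain") or e.get("domain") or "(domain not logged)"
            summary["blocked_names"][name] += 1
            for reason in e.get("reasons", []):
                summary["reasons"][reason] += 1
        elif status == "allowed":
            summary["allowed"] += 1
        else:
            summary["unmatched"] += 1
        if "domain" not in e:
            summary["without_domain"] += 1
    return summary


if __name__ == "__main__":
    events = parse_feed(SAMPLE_LINES)
    for e in events:
        print(e["event_time"].isoformat(), e.get("status") or "-", e.get("domain", "(not logged)"))
    print(summarize(events))
```

Two design choices follow directly from the feed's guarantees: sorting on the payload timestamp rather than the syslog header keeps correlation with other sources honest, and every field read goes through `get` with a default, because which fields are present depends on per-profile settings rather than on the event itself.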