DNS Analytical ?

[GyciakasGh0st]

Has anyone experienced issues with Elastic Windows DNS server integration? Since 07/29, we have stopped receiving DNS Analytical logs. On that day, no changes were made to the DNS server or the SO stack. We checked on DNS server istelf logs are generating, on security onions logs I cant find any errors also. maybe somebody have any idea ?

From elastic agent logs it seems like it runing:
{"log.level":"info","@timestamp":"2025-08-12T07:36:30.797Z","message":"Input 'etw' stopped (runner)","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"etw-so-manager_logstash","type":"etw"},"log":{"source":"etw-so-manager_logstash"},"id":"etw-microsoft_dnsserver.analytical-33ef48ce-4ad5-48b8-bd81-e0e84760ec47","ecs.version":"1.6.0","log.logger":"input.etw","log.origin":{"file.line":158,"file.name":"compat/compat.go","function":"github.com/elastic/beats/v7/filebeat/input/v2/compat.(*runner).Stop"},"service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-12T07:36:30.797Z","message":"Input 'etw' starting","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"etw-so-manager_logstash","type":"etw"},"log":{"source":"etw-so-manager_logstash"},"log.origin":{"file.line":135,"file.name":"compat/compat.go","function":"github.com/elastic/beats/v7/filebeat/input/v2/compat.(*runner).Start.func1"},"service.name":"filebeat","id":"etw-microsoft_dnsserver.analytical-33ef48ce-4ad5-48b8-bd81-e0e84760ec47","ecs.version":"1.6.0","log.logger":"input.etw","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-08-12T07:36:33.398Z","message":"registering","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"etw-so-manager_logstash","type":"etw"},"log":{"source":"etw-so-manager_logstash"},"log.logger":"metric_registry","key":"etw-microsoft_dnsserver_analytical-33ef48ce-4ad5-48b8-bd81-e0e84760ec47","uuid":"5691929a-8b12-4007-a80b-a145b5f20402","ecs.version":"1.6.0","log.origin":{"file.line":63,"file.name":"inputmon/input.go","function":"github.com/elastic/beats/v7/libbeat/monitoring/inputmon.NewInputRegistry"},"service.name":"filebeat","input_type":"etw","id":"etw-microsoft_dnsserver.analytical-33ef48ce-4ad5-48b8-bd81-e0e84760ec47","ecs.version":"1.6.0"}

ETW session also runing:
Name: Elastic-DNSServer-Analytical
Status: Running
Root Path: C:\WINDOWS\system32
Segment: Off
Schedules: On
Segment Max Size: 2048 MB

Name: Elastic-DNSServer-Analytical\Elastic-DNSServer-Analytical
Type: Trace
Output Location: C:\WINDOWS\system32\Elastic-DNSServer-Analytical.etl
Append: Off
Circular: On
Overwrite: Off
Buffer Size: 8
Buffers Lost: 0
Buffers Written: 553
Buffer Flush Timer: 0
Clock Type: Performance
File Mode: File

Provider:
Name: Microsoft-Windows-DNSServer
Provider Guid: {EB79061A-A566-4698-9119-3ED2807060E7}
Level: 255
KeywordsAll: 0x0
KeywordsAny: 0x8000000000000000 (Microsoft-Windows-DNSServer/Analytical)
Properties: 64
Filter Type: 0

[reyesj2]

Are you able to upgrade to 2.4.170 which includes updates to integration packages

[GyciakasGh0st]

Not it seems working as it is. What we did is manually stoped ETW sessions which was reading from DNS-Analytical by running logman stop " " -ets . When restarted elastic egent it recreated session ELASTIC-DNS-Analytical and it stared working again.