Bug #2146: DNS answer not logged with eve-log
Status: closed
Description
Tested on Suricata version: 4.0.0-beta1 RELEASE
The following DNS answer is not logged to the eve-log file although the dns event type is enabled for queries and answers:
Frame Number = 71
IPSrc = 192.168.61.2
PortSrc = 53
IPDst = 192.168.1.14
PortDst = 61884
Protocol = UDP
DNS Info = Standard query response 0x57c0 A a6281279.yolox.net A 91.223.216.67 NS ns11.ayola.net NS ns10.ayola.net
The related suricata.yaml sections follow:
HOME_NET: "[192.168.1.0/24]"
DNS_SERVERS: "$HOME_NET"

  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      types:
        - alert:
            http: yes
            tls: yes
            ssh: no
            smtp: no
            dnp3: no
            vars: no
            tagged-packets: yes
            xff:
              enabled: no
        - dns:
            query: yes
            answer: yes
        - tls:
        - files:
            force-magic: yes
            force-hash: [sha1]
        - flow
The following eve.json line is the only reference to the UDP port 61884 and as you can see is of type "flow":
{"timestamp":"2016-05-09T15:15:58.067889+0200","flow_id":1602128252140595,"event_type":"flow","src_ip":"192.168.61.2","src_port":53,"dest_ip":"192.168.1.14","dest_port":61884,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":138,"bytes_toclient":0,"start":"2016-05-09T15:15:06.818227+0200","end":"2016-05-09T15:15:06.818227+0200","age":0,"state":"new","reason":"timeout","alerted":false}}
Find attached the original pcap.
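As an added example (not part of the bug report or of the Suricata project), the following Python script audits eve.json lines for UDP/53 flows that never produced a dns event, which is the symptom described above. The first sample line is the flow record quoted in the report; the second flow (flow_id 1, example.com, with its query and answer) is constructed for comparison.

```python
import json

# Constructed sample eve.json lines: the "flow" record from the bug report, plus a
# constructed normal DNS exchange (query, answer, flow) that was logged correctly.
EVE_LINES = [
    '{"timestamp":"2016-05-09T15:15:58.067889+0200","flow_id":1602128252140595,"event_type":"flow","src_ip":"192.168.61.2","src_port":53,"dest_ip":"192.168.1.14","dest_port":61884,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":138,"bytes_toclient":0,"start":"2016-05-09T15:15:06.818227+0200","end":"2016-05-09T15:15:06.818227+0200","age":0,"state":"new","reason":"timeout","alerted":false}}',
    '{"timestamp":"2016-05-09T15:15:01.000000+0200","flow_id":1,"event_type":"dns","src_ip":"192.168.1.14","src_port":50000,"dest_ip":"192.168.61.2","dest_port":53,"proto":"UDP","dns":{"type":"query","id":1,"rrname":"example.com","rrtype":"A"}}',
    '{"timestamp":"2016-05-09T15:15:01.010000+0200","flow_id":1,"event_type":"dns","src_ip":"192.168.61.2","src_port":53,"dest_ip":"192.168.1.14","dest_port":50000,"proto":"UDP","dns":{"type":"answer","id":1,"rrname":"example.com","rrtype":"A","rdata":"198.51.100.5"}}',
    '{"timestamp":"2016-05-09T15:15:31.000000+0200","flow_id":1,"event_type":"flow","src_ip":"192.168.1.14","src_port":50000,"dest_ip":"192.168.61.2","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":70,"bytes_toclient":86,"start":"2016-05-09T15:15:01.000000+0200","end":"2016-05-09T15:15:01.010000+0200","age":0,"state":"established","reason":"timeout","alerted":false}}',
]


def find_unlogged_dns_flows(lines, dns_port=53):
    """Return UDP flows on the DNS port that have no dns event with the same flow_id.

    The pattern from the report: the flow's src_port is 53 and its only packet was
    counted 'toserver', i.e. the answer was the first packet Suricata saw for the
    flow, so the app-layer parser reported 'failed' and no dns record was written.
    """
    flows_with_dns = set()
    dns_port_flows = []
    for line in lines:
        ev = json.loads(line)
        if ev["event_type"] == "dns":
            flows_with_dns.add(ev["flow_id"])
        elif ev["event_type"] == "flow" and ev.get("proto") == "UDP" \
                and dns_port in (ev["src_port"], ev["dest_port"]):
            dns_port_flows.append(ev)

    missing = []
    for ev in dns_port_flows:
        if ev["flow_id"] in flows_with_dns:
            continue
        f = ev["flow"]
        server_side_src = ev["src_port"] == dns_port
        client = (f"{ev['dest_ip']}:{ev['dest_port']}" if server_side_src
                  else f"{ev['src_ip']}:{ev['src_port']}")
        missing.append({
            "flow_id": ev["flow_id"],
            "app_proto": ev.get("app_proto"),
            "client": client,
            # True when the flow began with a packet from port 53 and nothing came back
            "started_from_server": server_side_src and f["pkts_toclient"] == 0,
        })
    return missing


if __name__ == "__main__":
    for hit in find_unlogged_dns_flows(EVE_LINES):
        print(hit)
```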