I’ve been looking about, but haven’t had much luck piecing together snippets of info dotted around about this.
I’m currently (successfully) using Sidecar 0.1.0 and NXlog 2.9.1716 to pull event logs from all our DCs.
This squirts Windows and security events to Graylog (2.3.2+3df951e, codename Tegernseer).
My query is, how can I pull DHCP audit events using the same nxlog.conf?
I’ve added the content pack, but added the extractors to the existing “winlog-gelf” input.
I’d love to know if I can add the DHCP stuff into this NXlog.conf? I’ve tried to the best of my abilities but I’m still not getting any DHCP info in GL.
Can you even have multiple NXlog inputs to one output, etc etc?
Good question… this was set up a while back with old documentation, and once working was never altered.
I’ve since then inherited this system and been asked to add in DHCP auditing from all DCs that serve DHCP.
If I were to use the xm_gelf extension in place of xm_syslog, then amend the input on GL, would I then need to add any other config to this nxlog.conf?
I’ll still need a way of getting the DHCP audit files off the DCs and into Graylog, right?
Gonna look at rewriting the nxlog.conf for one of them now.
I gave your input a go, but turns out I’ve been doing a few things wrong:
I was adding it into the nxlog.conf file and wondering why it was never updating the generated nxlog.conf - Because I hadn’t created the collector configuration for a file input, doh!
Created that with a tag for DHCP and applied it to all DCs that serve DHCP. Brill, I could see that the generated nxlog.conf had the file input now.
Second problem I had when I saw problems in the nxlog logs:
I had no idea sysnative was a thing… so when I’ve been copying examples, including yours, I was literally replacing sysnative with system32 (like an idiot on a 64-bit system)…
After seeing that c:\windows\system32\dhcp\ wouldn’t open I was scratching my head for a while. A short Google search later: https://nxlog.co/question/1848/nxlogconf-unable-read-parse-directory-or-file-path
The answer is that the emulator redirects calls to the System32 folder to the SysWOW64 folder transparently, so even if the folder is hard coded to the System32 folder (like C:\Windows\System32), the emulator will make sure that the SysWOW64 folder is used instead. So the same source code, containing a path with the System32 folder included, can be compiled to both 32-bit and 64-bit program code without any changes.
Hence Sysnative
So, thanks both @jochen & @jtkarvo, it was a nudge in the right direction… my problem now is to get the DHCP dashboard working… that shows nothing, even though I’m seeing the im_file messages coming in from DHCP servers.
Any ideas?
If not, I’ll update if/when I crack it!
Hope any of this helps any previously lost souls such as myself.
Dashboard widgets were using the wrong gl2_source_input:
Sorted. The only ones not working now seem to be widgets that rely on IP, Hostname or MAC. And yes, for some reason those values are not being extracted.
I guess I need an extractor on that input for those values, then the widgets should work?
My experience with the WinDHCP content pack was that it correctly extracted the ID and added an explanation of the event, but I had to make my own split extractors to get the fields extracted.
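As an added example (not from this thread or the WinDHCP content pack), here is the field split those extractors perform, written as a small Python parser over a constructed DHCP audit log sample. It assumes the audit log’s comma-separated layout of ID,Date,Time,Description,IP Address,Host Name,MAC Address; the output field names (dhcp_ip, dhcp_hostname, dhcp_mac, …) are my own, not the content pack’s.

```python
import re

# Constructed sample of a Windows DHCP audit log (DhcpSrvLog-*.log): real files
# carry a legend and a header row before the comma-separated event rows.
SAMPLE_LOG = """\t\tMicrosoft DHCP Service Activity Log
Event ID  Meaning
10\tA new IP address was leased to a client.
11\tA lease was renewed by a client.

ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,01/15/18,06:00:01,Started,,,,
10,01/15/18,08:12:44,Assign,10.20.30.41,ws-finance-07.corp.example,00155D0A1B2C
11,01/15/18,08:13:02,Renew,10.20.30.17,printer-hq-2.corp.example,3C52821E4F60
30,01/15/18,08:13:05,DNS Update Request,10.20.30.17,printer-hq-2.corp.example,
"""

EVENT_ROW = re.compile(r"^\d{2},")  # event rows start with a two-digit event ID

def normalize_mac(raw):
    """'00155D0A1B2C' -> '00:15:5d:0a:1b:2c'; None unless exactly 12 hex digits."""
    hexed = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(hexed) != 12:
        return None
    return ":".join(hexed[i:i + 2] for i in range(0, 12, 2)).lower()

def parse_dhcp_audit_line(line):
    """Split one event row into widget fields; None for legend, blank and header lines."""
    line = line.rstrip("\r\n")
    if not EVENT_ROW.match(line):
        return None
    parts = line.split(",")
    if len(parts) < 7:
        return None
    event_id, date, time_, desc, ip, host, mac = parts[:7]
    return {
        "dhcp_event_id": int(event_id),
        "timestamp": f"{date} {time_}",
        "dhcp_description": desc,
        "dhcp_ip": ip or None,          # empty on service start/stop rows
        "dhcp_hostname": host or None,
        "dhcp_mac": normalize_mac(mac),  # empty on DNS update rows
    }

def parse_dhcp_audit_log(text):
    """Parse a whole log body, keeping only the event rows."""
    return [r for r in (parse_dhcp_audit_line(l) for l in text.splitlines()) if r]
```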