Windows DHCP Server Logs


(Lorenzo A Henriquez) #1

I have nxlog configured to send logs from a DHCP server to my Graylog cluster. It works fine for system-generated events, but I want the following: Windows DHCP Server stores the log of IP leases/renews in files located at %Windir%\System32\DHCP. It makes one file per day, then re-writes each file every week.

I would like to send the contents of these files to Graylog using nxlog, if possible. It’d be perfect if nxlog could send the entries in real-time. Also, the files are in csv format. Is there a particular type of input I would need to create in Graylog in order to handle CSV format?

Thank you.


#2

You could try, for example, this: https://gist.github.com/Eagle6705/3d91b2270bf60b7cff12, but remove the IIS-related stuff from it.

After parsing in nxlog, you can use a normal GELF input in Graylog and a GELF output in nxlog.


#3

Btw. there is a Windows DHCP content pack in the marketplace.

Windows DHCP CSV fields depend on the Windows Server version, so you might need to tweak a bit. This is why I ended up not using CSV extractors (neither in nxlog nor in Graylog); instead I used split-by extractors. If you combine the content pack with material from the link I posted, you can probably get it working pretty quickly.


(Lorenzo A Henriquez) #4

Thank you. I tried this configuration, as well as the example provided in the nxlog documentation (which is very similar to this one), and I don’t see any logs coming to that Graylog input. I now realize this could be more of an nxlog question, so I appreciate your reply.


#5

Hi,

Any errors in nxlog's log file?

You could first try sending the raw line without parsing (i.e., comment out the parse_csv part), as your Windows Server version might not be the same as the one used in the examples. Also, parse_json is not necessary when sending to a GELF input.
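The pieces the replies in #2, #3 and #5 describe (im_file on the daily DHCP audit files, CSV parsing that tolerates a version-dependent column count, a GELF output, and a way to fall back to sending the raw line) put together as one nxlog Community Edition configuration. This is an added example, not the gist linked above, the content pack, or anything the original poster ran; the log directory `C:\DHCPLogs`, the Graylog host `graylog.example.com` and port `12201`, and the `%ROOT%` install path are assumptions and must be replaced with your own values.

```nxlog
## Added example: nxlog CE configuration for Windows DHCP Server audit logs.
## Install path, log directory and Graylog endpoint below are assumptions.
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension gelf>
    Module  xm_gelf
</Extension>

<Extension syslog>
    Module  xm_syslog
</Extension>

# Only the first eight columns are named here: they are the ones present on
# every Windows Server version (see the "ID,Date,Time,..." header line at the
# top of each DhcpSrvLog-*.log). Later columns differ between versions, so
# StrictMode stays FALSE: extra columns are ignored and a shorter record leaves
# the trailing fields undefined instead of failing the whole parse. Add more
# field names from your own file's header if you need them.
<Extension dhcp_csv>
    Module      xm_csv
    Fields      $ID, $Date, $Time, $Description, $IPAddress, $HostName, $MACAddress, $UserName
    FieldTypes  integer, string, string, string, string, string, string, string
    Delimiter   ,
    StrictMode  FALSE
</Extension>

<Input dhcp_audit>
    Module      im_file
    # Non-default audit log directory (assumed), as set in the DHCP console.
    # The wildcard follows the new per-day file created at midnight; SavePos
    # stops nxlog from re-sending whole files after a service restart.
    File        "C:\\DHCPLogs\\DhcpSrvLog-*.log"
    SavePos     TRUE
    ReadFromLast TRUE
    <Exec>
        # Every audit record starts with a two-digit event ID; everything else
        # (the explanatory preamble and the column header) is dropped.
        if $raw_event =~ /^\d\d,/
        {
            # Troubleshooting step from reply #5: comment out the next line to
            # ship the unparsed CSV line and confirm delivery first.
            dhcp_csv->parse_csv();
            # Date/Time come as mm/dd/yy and HH:MM:SS; build a real timestamp
            # so Graylog indexes the event at lease time, not at receive time.
            $EventTime = strptime($Date + " " + $Time, "%m/%d/%y %H:%M:%S");
            $SourceName = "DHCP-Audit";
            # IDs 14 (scope exhausted) and 15 (lease denied) are the records
            # worth alerting on; raise their GELF level above the lease noise.
            if $ID == 14 or $ID == 15 $SeverityValue = 4;
        }
        else drop();
    </Exec>
</Input>

# GELF over UDP straight into a Graylog GELF UDP input (assumed host/port).
# For a GELF TCP input use Module om_tcp with OutputType GELF_TCP instead.
<Output graylog>
    Module      om_udp
    Host        graylog.example.com
    Port        12201
    OutputType  GELF
</Output>

<Route dhcp_to_graylog>
    Path        dhcp_audit => graylog
</Route>
```

Run `nxlog.exe -f` from the install directory once to see parse errors on the console before installing it as a service, and remember that the account the nxlog service runs under needs read access to the audit log directory; the `FieldTypes` line must have exactly as many entries as `Fields`, which is the one place a copy-paste mistake silently breaks the parse.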


(Lorenzo A Henriquez) #6

Today I got this error:

2017-08-31 08:26:33 ERROR apr_stat failed on file C:\DHCPLogs\DhcpSrvLog-Thu.log; Access is denied.
2017-08-31 08:26:35 WARNING input file was deleted: C:\DHCPLogs\DhcpSrvLog-Thu.log

Particularly worried about the last line. Why would it delete it? Also, I configured the DHCP server to store log files in that location because the default one would definitely give a permissions error. Guess that didn’t help anyway.

UPDATE: Looks like calling to_syslog_bsd() in the output section solved my issue. Thanks for your help!


#7

I think adding a conversion to syslog format should not help with permission problems on files. The time of the file deletion also sounds weird, I would guess that the DHCP server would rotate the file about midnight.


(Lorenzo A Henriquez) #8

You’re right, it rotates them at midnight. And BTW, what converting it to syslog format solved for me was my original issue of not receiving the logs on Graylog (sorry for not being specific).

About that permissions error? Don’t really know why it happened but it was a one time thing. Fingers crossed so it doesn’t happen again lol


(system) #9

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.