I have nxlog configured to send logs from a DHCP server to my Graylog cluster. It works fine for system-generated events, but I want the following: Windows DHCP Server stores the log of IP leases/renews in files located at %Windir%\System32\DHCP. It makes one file per day, then re-writes each file every week.
I would like to send the contents of these files to Graylog using nxlog, if possible. It’d be perfect if nxlog could send the entries in real-time. Also, the files are in csv format. Is there a particular type of input I would need to create in Graylog in order to handle CSV format?
Btw. there is a Windows DHCP content pack in the marketplace.
Windows DHCP CSV fields depend on the Windows Server version, so you might need to tweak a bit. This is why I ended up not using CSV extractors (neither in nxlog nor in Graylog), but instead I used split-by extractors. If you combine the content pack with material from the link I posted, you probably can get it working pretty quickly.
Thank you. I tried this configuration, as well as the example provided in the nxlog documentation (which is very similar to this one), and I don’t see any logs coming to that Graylog input. I now realize this could be more of an nxlog question, so I appreciate your reply.
You could first try sending the raw line without parsing (i.e. comment out the parse_csv part), as your Windows Server version might not be the same as the one used in the examples. Also, parse_json is not necessary when sending to a GELF input.
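The two replies above make one point between them: the column list of the DHCP audit log changes between Windows Server versions, so a hard-coded field list (in nxlog's parse_csv() or a Graylog CSV extractor) breaks on a different release, and once the fields are parsed they can go straight into GELF additional fields with no JSON step. The following is an added example, not code from this thread, from nxlog or from the Graylog content pack: a small Python parser that takes the field names from the header row the DHCP service writes at the top of each DhcpSrvLog-*.log file, tolerates rows that are shorter or longer than that header, and turns each row into a GELF 1.1 message dict. The log text, host name and the UTC zone assumption are all constructed for the example.

```python
"""Header-driven parser for Windows DHCP server audit-log CSV lines.

Added example, not code from the thread. The DHCP service writes a text
preamble (title, event-ID legend), then a header row starting with
"ID,Date,Time,Description,...", then one CSV row per event. The header
differs between Windows Server versions, so the field names are read from
the file instead of being hard-coded. All sample data below is constructed.
"""
import csv
import re
from datetime import datetime, timezone

HEADER_PREFIX = "ID,Date,Time,Description"

# Constructed sample in the 2012-style layout: preamble, a header with the
# stray spaces and trailing period that newer servers emit, then two events.
SAMPLE_LOG = """\t\tMicrosoft DHCP Service Activity Log

Event ID  Meaning
00\tThe log was started.
01\tThe log was stopped.

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult.
10,08/31/17,08:26:33,Assign,192.168.1.50,workstation01.example.test,00AABBCCDDEE,,0,0
11,08/31/17,08:27:10,Renew,192.168.1.51,printer02.example.test,00AABBCCDDEF,,0,0
"""

# Constructed sample in an older 7-column layout, with one row carrying an
# unexpected extra field, to show the parser does not depend on the width.
OLD_SAMPLE_LOG = """ID,Date,Time,Description,IP Address,Host Name,MAC Address
12,08/31/17,08:30:00,Release,192.168.1.50,workstation01.example.test,00AABBCCDDEE
13,08/31/17,08:31:00,Conflict,192.168.1.52,,00AABBCCDDF0,unexpected
"""


def parse_dhcp_log(text):
    """Return one dict per event row, keyed by the header names found in the file.

    Rows shorter than the header get "" for the missing columns; any columns
    beyond the header are kept as a list under the key "extra" so nothing is
    silently dropped when a server version adds fields.
    """
    header = None
    records = []
    for line in text.splitlines():
        if header is None:
            if line.startswith(HEADER_PREFIX):
                # Normalise names: strip spaces and the trailing "." some versions write.
                header = [h.strip().rstrip(".") for h in next(csv.reader([line]))]
            continue  # still in the preamble
        if not line.strip():
            continue
        fields = next(csv.reader([line]))
        rec = {name: (fields[i] if i < len(fields) else "") for i, name in enumerate(header)}
        if len(fields) > len(header):
            rec["extra"] = fields[len(header):]
        records.append(rec)
    return records


def to_gelf(rec, host, tz=timezone.utc):
    """Build a GELF 1.1 message dict from one parsed row.

    The DHCP log carries local time with no zone marker; tz is an assumption
    the caller sets to the server's zone (UTC here, for the example). Every
    non-empty column becomes a GELF additional field, which must start with
    "_" and may only contain [A-Za-z0-9_.-], so other characters are replaced.
    """
    when = datetime.strptime(f"{rec['Date']} {rec['Time']}", "%m/%d/%y %H:%M:%S")
    when = when.replace(tzinfo=tz)
    msg = {
        "version": "1.1",
        "host": host,
        "short_message": f"DHCP {rec['Description']} {rec['IP Address']} {rec['MAC Address']}".strip(),
        "timestamp": when.timestamp(),
    }
    for name, value in rec.items():
        if name in ("Date", "Time") or value in ("", None):
            continue
        if isinstance(value, list):
            value = ",".join(value)
        key = "_" + re.sub(r"[^\w.\-]", "_", name)
        msg[key] = value
    return msg


if __name__ == "__main__":
    for rec in parse_dhcp_log(SAMPLE_LOG) + parse_dhcp_log(OLD_SAMPLE_LOG):
        print(to_gelf(rec, "dhcp01.example.test"))
```

Because the field names come from the file, the same code handles a 2008-style seven-column log and a 2012-style log with the additional columns; a GELF input on the Graylog side receives the columns as `_IP_Address`, `_MAC_Address` and so on, with no separate JSON parsing step.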
2017-08-31 08:26:33 ERROR apr_stat failed on file C:\DHCPLogs\DhcpSrvLog-Thu.log; Access is denied.
2017-08-31 08:26:35 WARNING input file was deleted: C:\DHCPLogs\DhcpSrvLog-Thu.log
Particularly worried about the last line. Why would it delete it? Also, I configured the DHCP server to store log files in that location because the default one would definitely give a permissions error. Guess that didn’t help anyway.
UPDATE: Looks like calling to_syslog_bsd() in the output section solved my issue. Thanks for your help!
I think adding a conversion to syslog format should not help with permission problems on files. The time of the file deletion also sounds weird, I would guess that the DHCP server would rotate the file about midnight.