Windows DHCP Server with Filebeat


Tested with Filebeats 7.17.12.0 / Windows 2022 / Graylog 5.1.4

The Content Pack should be compatible with all Graylog 5.X versions.

Note this was built using Filebeat as the log exporter. No input extractors were used, only pipeline rules.

Does not need additional Grok patterns; it uses the defaults like WORD/GREEDYDATA etc.

Includes

  • Input (Beats/TCP/5044)
  • Stream (Filebeat)
  • Pipeline Rules w/ 4 stages (grok extractor, opcode_to_op_description, mac_prefix_extractor, mac_prefix_to_mac_vendor)
  • Lookup table + Data adapter + data cache
  • Dashboard (24h) (Windows DHCP Server)

Not included

Add it to your Graylog server in /srv or, if you use a different location, modify the content_pack.json to change the location path.

Requirements

  • Graylog 5.0
  • Windows DHCP server configured
  • A log exporter/collector such as filebeats monitoring the directory path specified: (C:\Windows\system32\dhcp)
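As an added example (not the content pack's own pipeline rules), this Python sketch does to one DhcpSrvLog-*.log line what the grok extractor, opcode_to_op_description, mac_prefix_extractor and mac_prefix_to_mac_vendor stages do in Graylog: split the CSV fields, map the event ID to its description, and take the OUI from the MAC for a vendor lookup. The event-ID subset is the one printed in the header of every Windows DHCP audit log; the sample log lines and the OUI table are constructed stand-ins for real data and the pack's lookup table.

```python
import csv

# Subset of the event IDs documented in the header of every DhcpSrvLog-*.log.
DHCP_OPCODES = {
    "00": "The log was started.",
    "01": "The log was stopped.",
    "10": "A new IP address was leased to a client.",
    "11": "A lease was renewed by a client.",
    "12": "A lease was released by a client.",
    "13": "An IP address was found to be in use on the network.",
    "15": "A lease was denied.",
}

# Constructed OUI -> vendor table standing in for the pack's lookup table.
MAC_VENDORS = {"000C29": "VMware, Inc.", "001122": "Example Vendor"}

# First seven CSV columns of the audit log; later columns are ignored here.
FIELDS = ("id", "date", "time", "description", "ip", "hostname", "mac")


def parse_dhcp_line(line: str):
    """Parse one audit-log line; return None for header, prose or blank lines."""
    row = next(csv.reader([line]), [])
    if len(row) < len(FIELDS) or not row[0].isdigit():
        return None  # column header, the event-ID table in the file header, or blank
    event = dict(zip(FIELDS, row))
    event["op_description"] = DHCP_OPCODES.get(event["id"], "Unknown event ID")
    mac = event["mac"].upper()  # logged without separators, case may vary
    if len(mac) == 12 and all(c in "0123456789ABCDEF" for c in mac):
        event["mac_prefix"] = mac[:6]  # OUI, what mac_prefix_extractor yields
        event["mac_vendor"] = MAC_VENDORS.get(mac[:6], "unknown")
    else:
        event["mac_prefix"] = event["mac_vendor"] = None  # 00/01 events carry no MAC
    return event


def parse_dhcp_log(text: str):
    """Parse a whole log file body, skipping lines that are not events."""
    return [e for e in (parse_dhcp_line(l) for l in text.splitlines()) if e]


# Constructed sample: a column header plus four events in the real column order.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,TransactionID
00,06/10/24,00:00:01,Started,,,,,0
10,06/10/24,08:15:22,Assign,192.168.10.25,pc01.lab.lan,000C29AABBCC,,1234567
11,06/10/24,09:40:03,Renew,192.168.10.25,pc01.lab.lan,000c29aabbcc,,1234568
15,06/10/24,09:41:10,NACK,192.168.10.77,,5C9A55112233,,1234569
"""
```

If your server's lines do not parse (as reported further down this thread for Windows Server 2019), compare the column header of your own DhcpSrvLog file against FIELDS first; the grok pattern in the pack assumes the same column order.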

Hi @s0p4L1N ,

I am planning to use NXLOG instead of filebeat. So would like to know if there would be any challenge?

Hi there,

The only challenge would be to understand how NXLog works, how to retrieve the logs and so on.

Before working with filebeat, I did use NXLogs and I still have (I think but not sure) the NXlogs template somewhere on my computer.

I will send you a pm if I find it.

Thank you @s0p4L1N That would be great. Meanwhile I would like to know what kind of data output you are sending to Graylog, is it GELF?

define ROOT     C:\Program Files\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf\nxlog.d
define LOGDIR   %ROOT%\data

include %CONFDIR%\\*.conf
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Loglevel debug

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension gelf>
    Module xm_gelf
    ShortMessageLength -1
</Extension>

<Input dns>
    Module  im_file
    File    "C:\DNSLogs\dns.log"
    SavePos TRUE
    InputType LineBased
</Input>

<Input DHCP_IN> 
    Module  im_file
    File    "C:\\Windows\\System32\\dhcp\\DhcpSrvLog-*.log"
    SavePos TRUE
    InputType   LineBased
</Input>

<Output out> 
    Module      om_udp
    Host        blr-pasyslog01.cisco.com
    Port        5414
    OutputType  GELF
</Output>

<Output DHCP_OUT>
    Module      om_tcp
    Host        blr-pasyslog01.cisco.com
    Port        5044
    OutputType  GELF
</Output>

<Route 1>
    Path       DHCP_IN => DHCP_OUT
</Route>

<Route 2>
    Path        dns => out
</Route>

Above is my nxlog conf file. After adding it to the server it shows me the error below in the nxlog debug log, and no data is sent to Graylog:

2024-06-10 20:19:58 DEBUG Module DHCP_IN got EOF from C:\Windows\System32\dhcp\DhcpSrvLog-Fri.log
2024-06-10 20:19:58 DEBUG got EOF for C:\Windows\System32\dhcp\DhcpSrvLog-Fri.log
2024-06-10 20:19:58 DEBUG Module DHCP_IN got EOF from C:\Windows\System32\dhcp\DhcpSrvLog-Mon.log
2024-06-10 20:19:58 DEBUG got EOF for C:\Windows\System32\dhcp\DhcpSrvLog-Mon.log
2024-06-10 20:19:58 DEBUG Module DHCP_IN got EOF from C:\Windows\System32\dhcp\DhcpSrvLog-Sat.log
2024-06-10 20:19:58 DEBUG got EOF for C:\Windows\System32\dhcp\DhcpSrvLog-Sat.log
2024-06-10 20:19:58 DEBUG Module DHCP_IN got EOF from C:\Windows\System32\dhcp\DhcpSrvLog-Sun.log
2024-06-10 20:19:58 DEBUG got EOF for C:\Windows\System32\dhcp\DhcpSrvLog-Sun.log
2024-06-10 20:19:58 DEBUG Module DHCP_IN got EOF from C:\Windows\System32\dhcp\DhcpSrvLog-Thu.log
2024-06-10 20:19:58 DEBUG got EOF for C:\Windows\System32\dhcp\DhcpSrvLog-Thu.log
2024-06-10 20:19:58 DEBUG Module DHCP_IN got EOF from C:\Windows\System32\dhcp\DhcpSrvLog-Tue.log
2024-06-10 20:19:58 DEBUG got EOF for C:\Windows\System32\dhcp\DhcpSrvLog-Tue.log
2024-06-10 20:19:58 DEBUG Module DHCP_IN got EOF from C:\Windows\System32\dhcp\DhcpSrvLog-Wed.log
2024-06-10 20:19:58 DEBUG got EOF for C:\Windows\System32\dhcp\DhcpSrvLog-Wed.log

I am not sure what I am missing here

As an example, I only found this archive on my computer

define ROOT     C:\Program Files\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf\nxlog.d
define LOGDIR   %ROOT%\data

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO

##### EXTENSION SECTION ########

<Extension logrotate>
    Module  xm_fileop
    <Schedule>
        When    @daily
        Exec    file_cycle('%ROOT%\data\nxlog.log', 7);
     </Schedule>
</Extension>

<Extension gelfExt>
  Module xm_gelf
  # Avoid truncation of the short_message field to 64 characters.
  ShortMessageLength 65536
</Extension>

<Extension json>
    Module    xm_json
</Extension>


<Input dns_audit>
    Module    im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-DNSServer/Audit">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    Exec      to_json();
</Input>

<Input dns_analytics>
    Module      im_file
    File        "C:\Windows\Logs\DNS\srvad1_dns.log"
    SavePos TRUE
    InputType LineBased
</Input>

<Input dhcp_server_eventlog>
    Module    im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="DhcpAdminEvents">*</Select>
                <Select Path="Microsoft-Windows-Dhcp-Server/FilterNotifications">
                        *</Select>
                <Select Path="Microsoft-Windows-Dhcp-Server/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>


<Output gelf>
	Module om_tcp
	Host graylog.lab.lan
	Port 12202
	OutputType  GELF_TCP
	<Exec>
	  # These fields are needed for Graylog
	  $gl2_source_collector = '${sidecar.nodeId}';
	  $collector_node_id = '${sidecar.nodeName}';
	</Exec>
</Output>


<Route route-1>
  Path dns_audit => gelf
  Path dns_analytics => gelf
  Path dhcp_server_eventlog => gelf
</Route>

If you need further help, open a thread here as I’m not working with NXLog agent now.

Follow this documentation about DHCP Server NXLOGS.


I am new here can anyone explain the discussion?

I have made it work with the same configuration. I needed to adjust the GROK pattern as it was not matching with my DHCP server for some reason. I am using Windows Server 2019, not sure if that was the reason for messages not being matched.

Hi @Saza_an, what is it you are looking for?


I want to know about the discussion; there are terms like DHCP server and Filebeat.
I want to know about them briefly, as these terms are new for me.
So I want to know about this.
It would be great if you could give me a brief overview or any kind of reference.

Thanks in advance!

In short, DHCP servers provide IP addresses to your clients dynamically inside your IT lab. You can read more about this here:
[What is a DHCP Server? | Learn What They Are & How They Work | Infoblox]

[Install and Configure a DHCP Server - Windows Server | Microsoft Learn]

Now all these events get logged inside Windows Server log files in a specific directory where your DHCP service is running.

Filebeat is a monitoring tool for your specific directory that picks up the logs as soon as they arrive and sends them to the Graylog server.
[Filebeat: Lightweight Log Analysis & Elasticsearch | Elastic]

I hope this data helps you to get started


Yes, it's helpful.
Thanks man.

How much time it takes to get fluent on these platforms?
Is it boring?

It depends on whether you really need it or not. Definitely, you would require extra knowledge about DNS, AD, stuff like that. You also need to have a few machines which will be used as clients and then send DHCP requests to it.
I am not sure what you meant by boring, but if you need it then you have to get used to it.


Are DNS and AD also part of DHCP? Or are they general terms which help to know more about DHCP?

My reference to boring was: is working on DHCP interesting, or kind of hard, such that I would feel stressed and anxious?
Not like you are talking about. I need it, I have to get used to it, I know that. I was just asking @jhonbanegadon.

But I really appreciate the insights you provide.
Thanks

Well, if you are learning DHCP then you must know about DNS and AD as well. It is not that hard to understand, but it will surely become interesting when you start learning about it. Just watch these videos, they will have everything you need:
https://www.youtube.com/results?search_query=DNS+ad+Eli+the+comouter+guy

Guys please open a new thread to talk about that.
This thread was only to share the content pack.