Windows DHCP Server with Filebeat

s0p4L1N · August 31, 2023, 12:45pm

Tested with Filebeats 7.17.12.0 / Windows 2022 / Graylog 5.1.4

The Content Pack should be compatible with all Graylog 5.X version.

Note this was built using filebeats as the log exporter. No inputs extractor were used, only pipeline rules.

Do not need additionnal Grok pattern, uses the default like WORD/GREEDYDATA etc…

Includes

Input (Beats/TCP/5044)
Stream (Filebeat)
Pipeline Rules w/ 4 stages (grok extractor, opcode_to_op_description, mac_prefix_extractor, mac_prefix_to_mac_vendor)
Lookup table + Data adapter + data cache
Dashboard (24h) (Windows DHCP Server)

Add it to your Graylog server in /srv or if different location, modify the content_pack.json to change location path.

Graylog 5.0
Windows DHCP server configured
A log exporter/collector such as filebeats monitoring the directory path specified: (C:\Windows\system32\dhcp)

Topic		Replies	Views
Filebeat - adding custom fields does not work for Windows DHCP Server Logs Graylog Central (peer support) filebeat-windows	10	429	September 7, 2023
Windows DNS logs, FileBeat, Beats input on Graylog 3.1.3 Graylog Central (peer support) sidecar , filebeat-windows , winlogbeat , basic-configuration	13	3466	January 6, 2020
Windows 10/11 & Windows Server Security Log Content Pack content-pack	1	2105	December 16, 2023
Filebeat & Graylog (processors & extractors) Graylog Central (peer support)	3	1356	March 18, 2019
Graylog 3.1.4 - Containerized \| Elasticsearch-oss 6.8.6 - on host \| Filebeat 6.8.5 - on host Graylog Central (peer support) sidecar , nxlog , filebeat-linux , filebeat-windows , winlogbeat , nodatanx , nosendlogfblx , clfblx	8	2403	March 13, 2020