Windows server 2016 dhcp parse

Graylog Central (peer support)
1

hi,

i needed to deal with parse DHCP logs on Windows server 2016. i saw someione solved it with nxlog https://gist.github.com/Eagle6705/3d91b2270bf60b7cff12#file-nxlog-conf-L35
and I’d like to inform that I’m no NXLog expert, so I’m trying to change this solution and I’m stuck.

i would like to send DHCP log to graylog (GELF UDP 10.0.10.12:5441) and i needed to advise what else do i have change in this configuration https://pastebin.com/4pjFmqRG

and there is the message example:
message
thank you for answer.

2

Please post the complete example message which has been sent to Graylog using your NXLOG configuration.
There are certainly more fields than just the “message” field.

3

until now, i send message to graylog with sidecar collector and with input from DHCP content pack https://github.com/JulioQc/WinDHCP.

But the message was not parsed and seems like this

42
Snímek obrazovky 2017-10-24 v 23.07.42.png1452×934 34.4 KB

That’s why I started looking for another option to parse the message.

4

The content pack correctly adds the ID_Description field.

Other than that, you can use a split extractor to extract the fields you are interested in. The log format can be found here: [https://technet.microsoft.com/en-us/library/dd183591(v=ws.10).aspx#DHCP server log file format](https://technet.microsoft.com/en-us/library/dd183591(v=ws.10).aspx#DHCP server log file format)

the log format may differ with different server versions (later Windows servers, more fields) so the extractor in the content pack might not work for that reason.

5

thanks jtkarvo,

i split the message and works fine :slight_smile:

6

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.