Hi All,
I am using NXlog to forward DHCP events from Windows DHCP Servers. This is working as intended, however I have the following issue:
At midnight DHCP rotates the log file used for the next day and archives off the old one. When this occurs I get the following Events logged by DHCP to the Windows Event Log:
"The DHCP service failed to initialize the audit log. The following error occurred: Access is denied."
This is event id 1028 logged by the DHCP service. At the same time NXLog also logs an error about the file:
2022-07-26 00:00:26 ERROR apr_stat() failed on file C:\Windows\system32\dhcp\DhcpSrvLog-Tue.log; Access is denied.
2022-07-26 00:00:28 WARNING input file was deleted: C:\Windows\system32\dhcp\DhcpSrvLog-Tue.log
Both DHCP and NXLog are able to read the new files after this, as it is the log archiving operation from DHCP and NXLog's lock on the file that I suspect causes these to be logged. Our issue is that our monitoring systems are picking up on the DHCP errors and causing alerts.
I do not want to turn off monitoring for these events for obvious reasons. Is there something I can configure / do to prevent this issue from occurring?
I have also included my .conf file snippets for the DHCP options below:
<Input MSDHCPLOGIN>
    Module      im_file
    File        'C:\Windows\system32\dhcp\DhcpSrvLog-*.log'
    SavePos     TRUE
    InputType   LineBased
    Exec        if $raw_event == '' drop();
    Exec        $Hostname = hostname_fqdn(); $SourceName = "DHCPLog"; $Message = $raw_event;
</Input>
<Output MSDHCPLOGOUT1>
    Module      om_udp
    Host        %XDR1%
    Port        %PORT%
    Exec        $SyslogFacilityValue = 21; $Severity = 'INFO'; to_syslog_bsd();
</Output>
Thanks in Advance.
beefy66 created
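One way to keep NXLog from holding the DHCP log open while the service archives it at midnight, added here as an example (it is not part of the post above and not NXLog's own sample configuration): the im_file directive CloseWhenIdle closes each input file as soon as it has been read to end of file and re-opens it on the next poll, so the archive step does not find a competing handle. NXLog documents that directive for applications that take an exclusive lock on their log when writing or rotating. The filter also drops the text header block the DHCP audit log writes at the top of each file (those lines are not blank, so the original `== ''` test forwards them), keeping only records that start with a numeric event ID and a comma. The %XDR1% and %PORT% defines are the placeholders from the post.

```apacheconf
# Added example (not from the original post): release the DHCP log handle between reads.
<Input MSDHCPLOGIN>
    Module          im_file
    File            'C:\Windows\system32\dhcp\DhcpSrvLog-*.log'
    SavePos         TRUE
    InputType       LineBased
    # Close each file as soon as it has been read to EOF, so the DHCP service's
    # midnight archive/rotate does not collide with an open NXLog handle.
    CloseWhenIdle   TRUE
    # Re-open files and look for new data / the next day's file at a short interval.
    PollInterval    5
    DirCheckInterval 10
    # Drop blank lines and the DHCP header block; real records begin with an
    # event ID (e.g. "10,") followed by a comma.
    Exec            if $raw_event !~ /^\d+,/ drop();
    Exec            $Hostname = hostname_fqdn(); $SourceName = "DHCPLog"; $Message = $raw_event;
</Input>

<Output MSDHCPLOGOUT1>
    Module          om_udp
    Host            %XDR1%
    Port            %PORT%
    Exec            $SyslogFacilityValue = 21; $Severity = 'INFO'; to_syslog_bsd();
</Output>
```

Whether event 1028 disappears entirely depends on nothing else (antivirus, backup agents, another collector) holding the file at 00:00; checking the DHCP log directory with a handle viewer at rotation time confirms which process is still holding it before the monitoring rule is touched.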
Scenario:
I have NXLog EE installed on a host in Windows domain.
I need to read DHCP logs from the DC(s), UNC path: \\<server name>\C$\Windows\System32\dhcp\DhcpSrvLog-*.log
Since it is not possible to specify alternate credentials for accessing remote files (as it is for eventlog, i.e. im_msvistalog module), nxlog has to be started using an account with special privileges on the DC's file system - 4 options:
 1. for nxlog service, use domain admin account (local admin role does not exist on DC)
     - nxlog.conf - use UNC path: `\\<server name>\C$\Windows\System32\dhcp\DhcpSrvLog-*.log`
 2. for nxlog service, use local admin account on the agent's host + share C:\Windows\System32\dhcp\ on the DC, enabling read only permissions for nxlog account only
     - nxlog.conf - use share name: `\\<server name>\dhcp\DhcpSrvLog-*.log`
 3. install nxlog agent on the DC, run nxlog as a service, use local admin account
 4. smaller footprint? -> install http://nxlog-ce.sourceforge.net/nxlog-docs/en/nxlog-reference-manual.html#nxlog_processor on the DC
None of these options are win-wins for customer production environment, as they require opening the restricted environment of the DC.
My question is: are there any nxlog configuration options, which would enable me to fetch the file remotely, similar to these for DC's Security event log?:
<Input dc1>
    Module      im_msvistalog
    RemoteServer  <ip>
    Remoteuser <user>
    RemotePassword <pwn>
    RemoteDomain  <domain>
    Query        <QueryList><Query Id="0" Path="Security"><Select Path="Security">*</Select></Query></QueryList>
</Input>
djontra created
Hello nxlog world,
Ashamed to say, I spent all of yesterday trying to figure out how to read Windows DHCP log files and ship the events to ElasticSearch.
The problem was with using the direct path to the folder C:\Windows\System32\dhcp\. I managed to get nxlog to read it by sharing the folders (read-only permissions) to the user account used for the nxlog service account logon.
As the events were not showing in ES, I'm stuck with trying to write the events into another file, in order to confirm that the source files are being read correctly.
OS: Win Srv 2008 R2 Ent
nxlog: v 2.9.1347
Here is the nxlog.conf:
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
# debugging only:
LogLevel DEBUG
NoCache TRUE
  <Input msdhcp>
      Module      im_file
      File        '\\DC5\dhcp\DhcpSrvLog-*.log'
      SavePos     TRUE
      InputType   LineBased
      Exec if $raw_event =~ /^#/ drop();
      Exec $message = $raw_event;
  </Input>
  <Input dns>
      Module      im_file
      File        '\\DC5\dns\dns.log'
      SavePos     TRUE
      InputType   LineBased
      Exec if $raw_event =~ /^#/ drop();
      Exec $message = $raw_event;
  </Input>
  <Output file_test>
      Module      om_file
      File        'C:\Program Files (x86)\nxlog\data\test_file_output.txt'
#      Sync    TRUE
      OutputType   LineBased
  </Output>
<Route test>
     Path  msdhcp,dns => file_test
</Route>
As a result, only DNS events are written in the output file:
21.1.2016. 11:34:00 A6A8 PACKET 0000000003B27E90 UDP Snd 192.168.105.12 3f0d R Q [8085 A DR NOERROR] A (8)PLANKING(3)lab(5)rador(0)
21.1.2016. 11:34:00 A6A8 PACKET 0000000003EDA2C0 UDP Rcv 192.168.105.12 3c32 Q [0001 D NOERROR] A (8)PLANKING(3)lab(5)rador(0)
21.1.2016. 11:34:00 A6A8 PACKET 0000000003EDA2C0 UDP Snd 192.168.105.12 3c32 R Q [8085 A DR NOERROR] A (8)PLANKING(3)lab(5)rador(0)
...but only the new ones, i.e. as the source DNS log file is being appended.
I have tried modifying the SavePos parameter to FALSE of both input modules, but to no avail - same result.
Questions:
1. What would be the correct configuration of global NoCache and module specific SavePos parameters, in order to read and output the complete source file, regardless of prior attempts?
2. What is the reason DHCP logs (using wildcard) are not being read (or at least written in the output), as opposed to the same configuration for DNS logs?
I will provide nxlog debug level log if needed. No visible errors there.
Any help greatly appreciated!
djontra created
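A test configuration that reads the whole DHCP file on every start, added here as an example (not part of the post above). Two im_file directives decide where reading begins: with SavePos TRUE the module resumes from the offset cached from an earlier run, and when there is no cached offset (first start, or NoCache TRUE discarding it) it starts at the end of the file because ReadFromLast defaults to TRUE, which is why only lines appended after start-up appear in the output. Setting ReadFromLast FALSE and, while testing, SavePos FALSE reads each matched file from its first byte regardless of prior attempts. The filter is also changed: the DHCP audit log's header block is plain text that does not start with `#`, so a `^#` test drops nothing there; matching on the numeric event ID keeps only the CSV records. The UNC path and output file are the ones from the post.

```apacheconf
# Added example (not from the original post): re-read the complete DHCP log on each start.
<Input msdhcp>
    Module          im_file
    File            '\\DC5\dhcp\DhcpSrvLog-*.log'
    # FALSE: begin at the start of any file that has no saved position.
    # The default (TRUE) begins at the end, so only later appends are seen.
    ReadFromLast    FALSE
    # FALSE while testing: ignore any offset cached by an earlier run.
    # Switch back to TRUE in production so restarts do not re-send old records.
    SavePos         FALSE
    InputType       LineBased
    # The DHCP header block is not '#'-prefixed; keep only records that start
    # with a numeric event ID and a comma (e.g. "10,21/01/16,11:34:00,...").
    Exec            if $raw_event !~ /^\d+,/ drop();
    Exec            $message = $raw_event;
</Input>

<Output file_test>
    Module          om_file
    File            'C:\Program Files (x86)\nxlog\data\test_file_output.txt'
    OutputType      LineBased
</Output>

<Route test>
    Path            msdhcp => file_test
</Route>
```

If the file is still empty with these settings, the DEBUG log entry for the msdhcp module at start-up shows whether the wildcard on the share matched any file at all, which separates a permissions or path problem from a read-position one.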
I am using the following im_file configuration to try to collect Windows DHCP Server logs:
## Input module for Microsoft DHCP server audit logs
<Input dhcp>
    Module im_file
    File "C:\\Windows\\System32\\Dhcp\\DhcpSrvLog-*.log"
    SavePos TRUE
    PollInterval 180
    Exec to_syslog_bsd();
</Input>
I also tried this without escaping the backslashes and even with "/" characters instead. I also tried using a specific filename but nothing seems to work, since I get the "input file does not exist" error.
When I try the same config but with the location being at C:\Dhcp\DhcpSrvLog-*.log, everything works. nxlog service is being run as LocalSystem. Any hints on what I would need to do next to get the logs working from their native location?
tsigidibam created
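A configuration variant for the case where the agent is a 32-bit build running on 64-bit Windows, added here as an example (not part of the post above, which does not state which build is installed; an earlier post on this page installs under Program Files (x86)). For 32-bit processes WoW64 file system redirection silently maps C:\Windows\System32 to C:\Windows\SysWOW64, where no Dhcp directory exists, which matches the symptom of "input file does not exist" for the native location while C:\Dhcp works from the same service account. The Sysnative alias is resolved only for 32-bit processes and points at the real System32; a 64-bit agent keeps the System32 path unchanged.

```apacheconf
# Added example (not from the original post). Assumes a 32-bit NXLog agent on
# 64-bit Windows; on a 64-bit agent keep the System32 path as in the post.
<Input dhcp>
    Module          im_file
    # 'Sysnative' bypasses WoW64 redirection to SysWOW64 for a 32-bit process.
    File            'C:\Windows\Sysnative\Dhcp\DhcpSrvLog-*.log'
    SavePos         TRUE
    # Read existing records on first start instead of only new appends.
    ReadFromLast    FALSE
    PollInterval    180
    # Drop the DHCP text header; keep records starting with a numeric event ID.
    Exec            if $raw_event !~ /^\d+,/ drop();
    Exec            to_syslog_bsd();
</Input>
```

A quick way to confirm the assumption before changing the path: running `dir C:\Windows\Sysnative` from a 32-bit command prompt (C:\Windows\SysWOW64\cmd.exe) lists the real System32 contents, while from a 64-bit prompt the alias does not exist.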
