DHCP Nxlog Customisation
SecuronixS
Hey guys, we are trying to send out our Windows DHCP logs, which requires us to massage the log before we can send it out to the remote server.
I'm afraid I am not able to get the CSV parser running; so far only the drop logic works, and the intended output $Message does not come up in our output.
```
Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

# The <Extension>, <Input>, <Output> and <Route> block tags were lost when the
# config was pasted; they are restored here. Block names other than
# dhcp_csv_parser, ionnet_DHCPlogs and out_ionnet_datacollector2 are assumed.
<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32, UCS-2LE
</Extension>

<Extension dhcp_csv_parser>
    Module xm_csv
    # Field order of the Windows DHCP server audit log (DhcpSrvLog-*.log)
    Fields ID, Date, Time, Description, IPAddress, Hostname, MACAddress, \
           UserName, TransactionID, QResult, ProbationTime, CorrelationID, \
           DHCID, VendorClassHex, VendorClassASCII, UserClassHex, \
           UserClassASCII, RelayAgentInformation, DnsRegError
</Extension>

<Extension _exec>
    Module xm_exec
</Extension>

# Added: needed for to_json() below, which is what puts the parsed fields on the wire
<Extension _json>
    Module xm_json
</Extension>

<Input ionnet_DHCPlogs>
    Module im_file
    File "C:\Windows\System32\dhcp\DhcpSrvLog-*.log"
    ReadFromLast TRUE
    SavePos TRUE
    <Exec>
        # Only process lines that begin with an event ID; the file's header
        # lines do not match and are forwarded untouched.
        if $raw_event =~ /^\d+,/
        {
            dhcp_csv_parser->parse_csv();
            $QResult = integer($QResult);
            if $QResult == 0 $QMessage = "NoQuarantine";
            else if $QResult == 1 $QMessage = "Quarantine";
            else if $QResult == 2 $QMessage = "Drop Packet";
            else if $QResult == 3 $QMessage = "Probation";
            else if $QResult == 6 $QMessage = "No Quarantine Information";
            $EventTime = strptime($Date + ' ' + $Time, '%m/%d/%y %H:%M:%S');
            $ID = integer($ID);
            # Reformat the 12-hex-digit MAC as colon-separated octets
            $ColonMAC = $MACAddress;
            if $ColonMAC =~ /^([0-9a-fA-F]{2})([0-9a-fA-F]{2})([0-9a-fA-F]{2})([0-9a-fA-F]{2})([0-9a-fA-F]{2})([0-9a-fA-F]{2})$/
            {
                $ColonMAC = $1 + ":" + $2 + ":" + $3 + ":" + $4 + ":" + $5 + ":" + $6;
            }
            # DHCP Event IDs. The range comparison in the pasted version was
            # garbled ("$ID = 20 and $ID = 50"); the range below is the one the
            # message text describes. IDs 10-36 (lease, BOOTP and DNS events)
            # have no branch here, so they are dropped unless branches are added.
            if $ID == 0 $Message = "The log was started.";
            else if $ID == 1 $Message = "The log was stopped.";
            else if $ID == 2 $Message = "The log was temporarily paused due to low disk space.";
            else if $ID >= 50 and $ID < 1000 $Message = "Codes above 50 are used for Rogue Server Detection information.";
            # Parsed fields sit beside $raw_event, not inside it. With
            # OutputType LineBased the unchanged CSV line is what gets sent, so
            # $raw_event has to be rebuilt from the fields for $Message to appear.
            if defined($Message) $raw_event = to_json();
            else drop();
        }
    </Exec>
</Input>

<Output out_ionnet_datacollector2>
    Module om_udp
    Host 172.16.10.42
    Port 514
    OutputType LineBased
</Output>

<Route dhcp>
    Path ionnet_DHCPlogs => out_ionnet_datacollector2
</Route>
```
Input:

```
30,04/05/22,16:04:58,DNS Update Request,10.41.22.51,P21023LAB.HEALTH.LOCAL,,,0,6,,,,,,,,,0
11,04/05/22,16:04:58,Renew,10.41.22.51,P2103LAB.HEALTH.LOCAL,98EECBDE1CDE,,179078305,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0
32,04/05/22,16:04:58,DNS Update Successful,10.41.22.51,P2103LAB.HEALTH.LOCAL,,,0,6,,,,,,,,,0
```

Output:

```
11,04/05/22,16:04:58,Renew,10.41.22.51,P2103LAB.HEALTH.LOCAL,98EECBDE1CDE,,179078305,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0
```
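The same transformation the NXLog Exec block is meant to perform, written in Python as an added reference model (not part of the post or of NXLog) so the expected enriched records for the three sample lines can be checked offline. It goes beyond the post's mapping by adding the standard descriptions for event IDs 10-12 and 30-32 from the DhcpSrvLog file header; the sample lines and the JSON serialisation are assumptions for illustration.

```python
import csv
import json
import re
from datetime import datetime

# Field order of the Windows DHCP audit log (same list as the xm_csv Fields directive).
FIELDS = ("ID Date Time Description IPAddress Hostname MACAddress UserName TransactionID "
          "QResult ProbationTime CorrelationID DHCID VendorClassHex VendorClassASCII "
          "UserClassHex UserClassASCII RelayAgentInformation DnsRegError").split()
# QResult codes as mapped in the post.
QRESULT = {0: "NoQuarantine", 1: "Quarantine", 2: "Drop Packet", 3: "Probation", 6: "No Quarantine Information"}
# IDs 0-2 are the ones the post maps; 10-12 and 30-32 are the standard descriptions from the
# DhcpSrvLog file header (the post's config has no branch for them, so its final else drops them).
EVENT_ID = {0: "The log was started.", 1: "The log was stopped.",
            2: "The log was temporarily paused due to low disk space.",
            10: "A new IP address was leased to a client.",
            11: "A lease was renewed by a client.",
            12: "A lease was released by a client.",
            30: "DNS update request to the named DNS server.",
            31: "DNS update failed.", 32: "DNS update successful."}

def enrich(line):
    """Parse one DhcpSrvLog line into a dict with the derived fields, or None if dropped."""
    if not re.match(r"^\d+,", line):
        return None  # header or comment line, not an event record
    rec = dict(zip(FIELDS, next(csv.reader([line]))))
    rec["ID"] = int(rec["ID"])
    rec["QResult"] = int(rec["QResult"]) if rec["QResult"] else None
    rec["QMessage"] = QRESULT.get(rec["QResult"])
    rec["EventTime"] = datetime.strptime(rec["Date"] + " " + rec["Time"], "%m/%d/%y %H:%M:%S").isoformat()
    mac = rec["MACAddress"]
    if re.fullmatch(r"[0-9A-Fa-f]{12}", mac):  # 98EECBDE1CDE -> 98:EE:CB:DE:1C:DE
        rec["ColonMAC"] = ":".join(mac[i:i + 2] for i in range(0, 12, 2))
    if rec["ID"] in EVENT_ID:
        rec["Message"] = EVENT_ID[rec["ID"]]
    elif 50 <= rec["ID"] < 1000:
        rec["Message"] = "Codes above 50 are used for Rogue Server Detection information."
    else:
        return None  # unmapped ID: drop, as the post's final else branch does
    return rec

def to_wire(line):
    """The line that should reach the collector: the enriched record, not the untouched raw CSV."""
    rec = enrich(line)
    return json.dumps(rec, sort_keys=True) if rec else None

# Constructed sample: the three lines quoted in the post.
SAMPLE = ["30,04/05/22,16:04:58,DNS Update Request,10.41.22.51,P21023LAB.HEALTH.LOCAL,,,0,6,,,,,,,,,0",
          "11,04/05/22,16:04:58,Renew,10.41.22.51,P2103LAB.HEALTH.LOCAL,98EECBDE1CDE,,179078305,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0",
          "32,04/05/22,16:04:58,DNS Update Successful,10.41.22.51,P2103LAB.HEALTH.LOCAL,,,0,6,,,,,,,,,0"]
```

Running `to_wire()` over `SAMPLE` yields one JSON record per line; with only the post's three ID branches, all three sample lines would instead return `None`, which is the drop behaviour the post observed.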