NXLog and DHCP Log Files issue

Tags: dhcp

#1 beefy66

Hi All,

I am using NXLog to forward DHCP events from Windows DHCP Servers. This is working as intended; however, I have the following issue:

At midnight DHCP rotates the log file used for the next day and archives off the old one. When this occurs I get the following Events logged by DHCP to the Windows Event Log:

"The DHCP service failed to initialize the audit log. The following error occurred: Access is denied."

This is event id 1028 logged by the DHCP service. At the same time NXLog also logs an error about the file:

2022-07-26 00:00:26 ERROR apr_stat() failed on file C:\Windows\system32\dhcp\DhcpSrvLog-Tue.log; Access is denied.
2022-07-26 00:00:28 WARNING input file was deleted: C:\Windows\system32\dhcp\DhcpSrvLog-Tue.log

Both DHCP and NXLog are able to read the new files after this, as it is the log archiving operation from DHCP and NXLog's lock on the file that I suspect causes these to be logged. Our issue is that our monitoring systems are picking up on the DHCP errors and causing alerts.

I do not want to turn off monitoring for these events for obvious reasons. Is there something I can configure / do to prevent this issue from occurring?

I have also included my .conf file snippets for the DHCP options below:

<Input MSDHCPLOGIN>
    Module      im_file
    File        'C:\Windows\system32\dhcp\DhcpSrvLog-*.log'
    SavePos     TRUE
    InputType   LineBased
    Exec        if $raw_event == '' drop();
    Exec        $Hostname = hostname_fqdn(); $SourceName = "DHCPLog"; $Message = $raw_event;
</Input>

<Output MSDHCPLOGOUT1>
    Module      om_udp
    Host        %XDR1%
    Port        %PORT%
    Exec        $SyslogFacilityValue = 21; $Severity = 'INFO'; to_syslog_bsd();
</Output>

Thanks in Advance.