NXLogs Not Being Received
Hello all,
I have a bit of a problem and was hoping someone can put in their two cents. I have recently set up NXLogs to start sending DHCP logs to a second server for one of our security applications. However, there is no record of the logs being received by it (or any traffic to suggest that the logs are leaving the DHCP server). We are successfully receiving logs for the first Security Server, just not the second (most recent addition).
I have run a Netstat -a command from the DHCP server and it shows there is an active connection going to the correct IP range and port. We have looked at the firewall and found that there are no packets being dropped by it either, and also no records that traffic is going from our DHCP server to our second Security Server.
So all in all, I'm at a bit of a loss for how to troubleshoot this and was wondering if anyone had any ideas?
PSB for a copy of our .conf file, just in case anyone spots a glaring error (I have redacted IP ranges, ports, etc.):
Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files\nxlog
define WINDHCP_OUTPUT_DESTINATION_ADDRESS x.x.x.x
define WINDHCP_OUTPUT_DESTINATION_ADDRESS2 x.x.x.x
define WINDHCP_OUTPUT_DESTINATION_PORT xxxx
define WINDHCP_OUTPUT_DESTINATION_PORT2 xxx

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _json>
    Module xm_json
</Extension>

<Input dhcp_server_eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="System">
                <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-DHCP-Server']]]</Select>
            </Query>
            <Query Id="0">
                <Select Path="DhcpAdminEvents">*</Select>
                <Select Path="Microsoft-Windows-Dhcp-Server/FilterNotifications">*</Select>
                <Select Path="Microsoft-Windows-Dhcp-Server/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    Exec $EventTime = integer($EventTime) / 1000;
    Exec $EventReceivedTime = integer($EventReceivedTime) / 1000;
    Exec to_json();
</Input>

<Input audit_logs_csv>
    Module im_file
    File "c:\DHCP\-*.log"
    SavePos TRUE
    InputType LineBased
    Exec $Message = $raw_event;
</Input>

<Output SecurityServer1>
    Module om_udp
    Host %WINDHCP_OUTPUT_DESTINATION_ADDRESS%
    Port %WINDHCP_OUTPUT_DESTINATION_PORT%
</Output>

<Output SecurityServer2>
    Module om_udp
    Host %WINDHCP_OUTPUT_DESTINATION_ADDRESS2%
    Port %WINDHCP_OUTPUT_DESTINATION_PORT2%
</Output>

<Route 1r>
    Path dhcp_server_eventlog,audit_logs_csv => SecurityServer1
</Route>

<Route 2>
    Path dhcp_server_eventlog,audit_logs_csv => SecurityServer2
</Route>

Thanks in advance for the help.