Remote collection of (restricted) file
Scenario:
I have NXLog EE installed on a host in Windows domain.
I need to read DHCP logs from the DC(s), UNC path: \\<server name>\C$\Windows\System32\dhcp\DhcpSrvLog-*.log
Since it is not possible to specify alternate credentials for accessing remote files (as it is for eventlog, i.e. im_msvistalog module), nxlog has to be started using an account with special privileges on the DC's file system - 4 options:
1. for nxlog service, use domain admin account (local admin role does not exist on DC)
- nxlog.conf - use UNC path: `\\<server name>\C$\Windows\System32\dhcp\DhcpSrvLog-*.log`
2. for nxlog service, use local admin account on the agent's host + share C:\Windows\System32\dhcp\ on the DC, enabling read only permissions for nxlog account only
- nxlog.conf - use share name: `\\<server name>\dhcp\DhcpSrvLog-*.log`
3. install nxlog agent on the DC, run nxlog as a service, use local admin account
4. smaller footprint ? -> install http://nxlog-ce.sourceforge.net/nxlog-docs/en/nxlog-reference-manual.html#nxlog_processor on the DC
None of these options are win-wins for customer production environment, as they require opening the restricted environment of the DC.
My question is: are there any nxlog configuration options, which would enable me to fetch the file remotely, similar to these for DC's Security event log?:
<Input dc1> Module im_msvistalog RemoteServer <ip> Remoteuser <user> RemotePassword <pwn> RemoteDomain <domain> Query <QueryList><Query Id="0" Path="Security"><Select Path="Security">*</Select></Query></QueryList> </Input>