0
responses

Scenario:

I have NXLog EE installed on a host in Windows domain.

I need to read DHCP logs from the DC(s), UNC path: \\<server name>\C$\Windows\System32\dhcp\DhcpSrvLog-*.log

Since it is not possible to specify alternate credentials for accessing remote files (as it is for eventlog, i.e. im_msvistalog module), nxlog has to be started using an account with special privileges on the DC's file system - 4 options:
 1. for nxlog service, use domain admin account (local admin role does not exist on DC)
     - nxlog.conf - use UNC path: `\\<server name>\C$\Windows\System32\dhcp\DhcpSrvLog-*.log`
 2. for nxlog service, use local admin account on the agent's host + share C:\Windows\System32\dhcp\ on the DC, enabling read only permissions for nxlog account only
     - nxlog.conf - use share name: `\\<server name>\dhcp\DhcpSrvLog-*.log`
 3. install nxlog agent on the DC, run nxlog as a service, use local admin account
 4. smaller footprint ? -> install http://nxlog-ce.sourceforge.net/nxlog-docs/en/nxlog-reference-manual.html#nxlog_processor on the DC

None of these options are win-wins for customer production environment, as they require opening the restricted environment of the DC.

My question is: are there any nxlog configuration options, which would enable me to fetch the file remotely, similar to these for DC's Security event log?:

<Input dc1>
    Module      im_msvistalog
    RemoteServer  <ip>
    Remoteuser <user>
    RemotePassword <pwn>
    RemoteDomain  <domain>
    Query        <QueryList><Query Id="0" Path="Security"><Select Path="Security">*</Select></Query></QueryList>
</Input>
AskedJanuary 28, 2016 - 1:52pm

Answers (0)