I am using NXLog to forward DHCP events from Windows DHCP servers. This is working as intended; however, I have the following issue:
At midnight DHCP rotates the log file used for the next day and archives off the old one. When this occurs I get the following Events logged by DHCP to the Windows Event Log:
"The DHCP service failed to initialize the audit log. The following error occurred:
Access is denied."
This is event id 1028 logged by the DHCP service. At the same time NXLog also logs an error about the file:
2022-07-26 00:00:26 ERROR apr_stat() failed on file C:\Windows\system32\dhcp\DhcpSrvLog-Tue.log; Access is denied.
2022-07-26 00:00:28 WARNING input file was deleted: C:\Windows\system32\dhcp\DhcpSrvLog-Tue.log
Both DHCP and NXLog are able to read the new files after this, as it is the log archiving operation from DHCP and NXLog's lock on the file that I suspect causes these to be logged. Our issue is that our monitoring systems are picking up on the DHCP errors and causing alerts.
I do not want to turn off monitoring for these events for obvious reasons. Is there something I can configure / do to prevent this issue from occurring?
I have also included my .conf file snippets for the DHCP options below:
Exec if $raw_event == '' drop();
Exec $Hostname = hostname_fqdn(); $SourceName = "DHCPLog"; $Message = $raw_event;
Exec $SyslogFacilityValue = 21; $Severity = 'INFO'; to_syslog_bsd();
Thanks in Advance.
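An added triage example, not part of the original post and not NXLog's own tooling: it reads NXLog internal log lines in the format quoted above and separates the midnight rotation pattern (an `apr_stat()` access-denied error followed within seconds by "input file was deleted" for the same file) from access-denied errors at other times. The function names, the 10-second pairing window, the 2-minute midnight window, and the third sample line are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the two lines quoted in the post plus one constructed
# mid-day error that does not fit the rotation pattern.
SAMPLE = r"""2022-07-26 00:00:26 ERROR apr_stat() failed on file C:\Windows\system32\dhcp\DhcpSrvLog-Tue.log; Access is denied.
2022-07-26 00:00:28 WARNING input file was deleted: C:\Windows\system32\dhcp\DhcpSrvLog-Tue.log
2022-07-26 14:12:03 ERROR apr_stat() failed on file C:\Windows\system32\dhcp\DhcpSrvLog-Tue.log; Access is denied.
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w+) (.*)$")
STAT_FAIL = re.compile(r"^apr_stat\(\) failed on file (.+); Access is denied\.$")
DELETED = re.compile(r"^input file was deleted: (.+)$")


def parse(text):
    """Return (timestamp, level, message) tuples for well-formed lines."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events


def deleted_soon_after(events, start, path, window):
    """True if a 'deleted' warning for the same path follows within window."""
    t0 = events[start][0]
    for ts, _level, msg in events[start + 1:]:
        d = DELETED.match(msg)
        if d and d.group(1).lower() == path.lower() and ts - t0 <= window:
            return True
    return False


def classify(text, pair_window=timedelta(seconds=10),
             midnight_window=timedelta(minutes=2)):
    """Label each apr_stat() failure as 'rotation' or 'investigate'."""
    events = parse(text)
    results = []
    for i, (ts, _level, msg) in enumerate(events):
        m = STAT_FAIL.match(msg)
        if not m:
            continue
        since_midnight = ts - ts.replace(hour=0, minute=0, second=0)
        paired = deleted_soon_after(events, i, m.group(1), pair_window)
        near_midnight = since_midnight <= midnight_window
        results.append((ts, m.group(1),
                        "rotation" if paired and near_midnight else "investigate"))
    return results


if __name__ == "__main__":
    for ts, path, label in classify(SAMPLE):
        print(ts, label, path)
```

The same time window can be used to check whether DHCP event ID 1028 only ever appears alongside a "rotation" result before any alert rule is changed.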