
Hi All,

I am using NXlog to forward DHCP events from Windows DHCP Servers. This is working as intended, however I have the following issue:

At midnight DHCP rotates the log file used for the next day and archives off the old one. When this occurs I get the following Events logged by DHCP to the Windows Event Log:

"The DHCP service failed to initialize the audit log. The following error occurred:
Access is denied."

This is event id 1028 logged by the DHCP service. At the same time NXLog also logs an error about the file:

2022-07-26 00:00:26 ERROR apr_stat() failed on file C:\Windows\system32\dhcp\DhcpSrvLog-Tue.log; Access is denied.
2022-07-26 00:00:28 WARNING input file was deleted: C:\Windows\system32\dhcp\DhcpSrvLog-Tue.log

Both DHCP and NXLog are able to read the new files after this, as it is the log archiving operation from DHCP and NXLog's lock on the file that I suspect causes these to be logged. Our issue is that our monitoring systems are picking up on the DHCP errors and causing alerts.

I do not want to turn off monitoring for these events for obvious reasons. Is there something I can configure / do to prevent this issue from occurring?

I have also included my .conf file snippets for the DHCP options below:

<Input MSDHCPLOGIN>
Module im_file
File 'C:\Windows\system32\dhcp\DhcpSrvLog-*.log'
SavePos TRUE
InputType LineBased
Exec if $raw_event == '' drop();
Exec $Hostname = hostname_fqdn();$SourceName = "DHCPLog";$Message = $raw_event;
</Input>

<Output MSDHCPLOGOUT1>
Module om_udp
Host %XDR1%
Port %PORT%
Exec $SyslogFacilityValue = 21;$Severity = 'INFO';to_syslog_bsd();
</Output>

Thanks in Advance.

Asked July 29, 2022 - 12:17pm
