
I am using the following im_file configuration to try to collect Windows DHCP Server logs:

## Input module for Microsoft DHCP server audit logs
<Input dhcp>
    Module im_file
    File "C:\\Windows\\System32\\Dhcp\\DhcpSrvLog-*.log"
    SavePos TRUE
    PollInterval 180
    Exec to_syslog_bsd();
</Input>

I also tried this without escaping the backslashes and even with "/" characters instead. I also tried using a specific filename but nothing seems to work, since I get the "input file does not exist" error.

When I try the same config but with the location being at C:\Dhcp\DhcpSrvLog-*.log, everything works. nxlog service is being run as LocalSystem. Any hints on what I would need to do next to get the logs working from their native location?

Asked June 25, 2015 - 1:37pm

Answers (2)

Try setting the loglevel to debug by adding the following to nxlog.conf and look into nxlog.log, it should print some more details why the file is not picked up.

LogLevel Debug

Answered June 25, 2015 - 1:44pm

Comments (5)

  • tsigidibam

    Is this pasted into the input module of im_file or somewhere else in the configuration file?

    Edit: This is all additional information debug logging gives me:

    DEBUG not checking file C:\Windows\System32\dhcp\DhcpSrvLog-Mon.log until blacklisting expires

    June 25, 2015 - 2:42pm
  • adm (NXLog)

    If the file does not exist it gets 'blacklisted' for some time in order to suppress warnings. There are other errors that can cause a file to get blacklisted. There should be more information in the log before that line.

    June 25, 2015 - 3:43pm
  • EmpiricGuy

    You need to move the dhcp log out of the default system directory.

    June 29, 2015 - 4:42pm
  • tlam.nt

    Great! What exactly was the GPO changes to make it work?

    October 27, 2018 - 1:12am

I read the documentation but found nothing. Could you please tell me how to unblock the log files (which were previously locked by nxlog because they did not exist during the check) that were blacklisted by nxlog?

What does "some time in order to suppress warnings" mean, and how can it be configured?

What other errors can cause a file to get blacklisted?

How can these files be prevented from getting blacklisted from the very beginning, or this option be ignored in the nxlog config?

Thank you in advance!

Answered April 25, 2017 - 1:23pm

Comments (1)

  • b0ti (NXLog)

    im_file will blacklist files that it fails to open or read from. Blacklisting starts with a 1 sec interval after which the blacklisting expires and it will try again. If it fails again, the interval gets doubled.

    It does not make sense to prevent blacklisting, your logs would be flooded with errors.


    April 25, 2017 - 1:39pm
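The following is an added Python model of the blacklisting behaviour b0ti describes (it is not NXLog's own code): a file that fails to open is skipped until its blacklist expires, each further failure doubles the interval starting from 1 sec, and a successful open clears it. The message wording, the `FilePoller` class and the `simulate` helper are assumptions; the path and the 180 sec poll interval come from the asker's config.

```python
import time
from dataclasses import dataclass

PATH = r"C:\Windows\System32\dhcp\DhcpSrvLog-Mon.log"  # from the asker's DEBUG line


@dataclass
class BlacklistEntry:
    interval: float = 1.0   # seconds; assumed to start at 1 sec as b0ti states
    expires_at: float = 0.0  # clock value at which the file is retried


class FilePoller:
    """Hypothetical model of im_file's per-file blacklist (not NXLog code)."""

    def __init__(self, open_fn, clock=time.monotonic):
        self.open_fn = open_fn      # callable(path) -> True if the open succeeded
        self.clock = clock          # injectable clock so the model can be simulated
        self.blacklist = {}         # path -> BlacklistEntry
        self.log = []               # what nxlog.log would show at LogLevel Debug

    def poll(self, path):
        """One poll cycle for `path`; returns True only if the file was opened."""
        now = self.clock()
        entry = self.blacklist.get(path)
        if entry and now < entry.expires_at:
            # Still blacklisted: the file is not even checked this cycle.
            self.log.append(f"DEBUG not checking file {path} until blacklisting expires")
            return False
        if self.open_fn(path):
            self.blacklist.pop(path, None)  # success clears the blacklist
            return True
        if entry is None:
            entry = BlacklistEntry()        # first failure: 1 sec blacklist
            self.blacklist[path] = entry
        else:
            entry.interval *= 2             # repeated failure: interval doubles
        entry.expires_at = now + entry.interval
        self.log.append(f"ERROR failed to open {path}; blacklisted for {entry.interval:g} sec")
        return False


def simulate(n_polls, poll_interval=180.0, path=PATH, open_ok=False):
    """Drive the poller with a fake clock that advances poll_interval per cycle."""
    clock = [0.0]
    poller = FilePoller(open_fn=lambda p: open_ok, clock=lambda: clock[0])
    for _ in range(n_polls):
        poller.poll(path)
        clock[0] += poll_interval
    return poller
```

With a 180 sec PollInterval the blacklist only exceeds one poll cycle after the eighth consecutive failure, which is why the "not checking file" line shows up only intermittently at first and then on every cycle.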