Windows DHCP
Content Pack
Windows DHCP Debug Content Pack
Published
22 Jul 08:32
Last Push
22 Jul 10:00
Discussion
2 Comments
Comments
Windows DHCP logs are CSV formatted and include the schema at the top of each file. Hence an extractor that uses a csv converter instead of many regexes will be cheaper computationally. However, Win DHCP 2012 R2 has an additional field compared to 2008 R2. Here are some examples of running Graylog inputs; I've appended DHCP_ to each one to avoid stomping on other fields:
Win 2008 R2 Fields: DHCP_ID,DHCP_Date,DHCP_Time,DHCP_Description,DHCP_IPAddress,DHCP_HostName,DHCP_MACAddress,DHCP_UserName,DHCP_ TransactionID,DHCP_ QResult,DHCP_Probationtime,DHCP_ CorrelationID,DHCP_Dhcid,DHCP_VendorClass_Hex,DHCP_VendorClass_ASCII,DHCP_UserClass_Hex,DHCP_UserClass_ASCII,DHCP_RelayAgentInformation
Win 2012 R2 Fields: DHCP_ID,DHCP_Date,DHCP_Time,DHCP_Description,DHCP_IPAddress,DHCP_HostName,DHCP_MACAddress,DHCP_UserName,DHCP_ TransactionID,DHCP_ QResult,DHCP_Probationtime,DHCP_ CorrelationID,DHCP_Dhcid,DHCP_VendorClass_Hex,DHCP_VendorClass_ASCII,DHCP_UserClass_Hex,DHCP_UserClass_ASCII,DHCP_RelayAgentInformation,DHCP_DnsRegError
In addition to the above, a regex of "\d\d," (without the quotes) will avoid logging the headers on each file. \Sysnative\ in nxlog finds the system32 directory, but the Graylog filebeat works fine with ['C:\Windows\system32\dhcp\DhcpSrvLog-*.log']
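The two comments above together describe the whole parsing problem: the file is CSV with a schema line near the top, 2012 R2 appends one trailing DnsRegError column to the 2008 R2 layout, and only lines matching "\d\d," are data rows. The following Python parser is an added example by the editor, not code from the content pack or from either commenter; it applies the same DHCP_-prefixed column mapping a Graylog CSV extractor would, selects the schema from the column count so a 2008 R2 file and a 2012 R2 file can be fed through one pipeline, and refuses to map a row with an unexpected column count rather than silently shifting fields (a MAC landing in the IP field is worse than a flagged row). The banner and "Event ID  Meaning" legend lines are an assumption about the file's shape, included only to show why the "\d\d," filter is needed (legend lines also start with two digits but are tab-separated); the lease rows, hostnames, MACs and transaction IDs are constructed.

```python
import csv
import re

# Column names as the first comment lists them, DHCP_-prefixed so they do not
# collide with fields from other Graylog inputs. 2012 R2 appends DnsRegError.
FIELDS_2008R2 = [
    "DHCP_ID", "DHCP_Date", "DHCP_Time", "DHCP_Description", "DHCP_IPAddress",
    "DHCP_HostName", "DHCP_MACAddress", "DHCP_UserName", "DHCP_TransactionID",
    "DHCP_QResult", "DHCP_Probationtime", "DHCP_CorrelationID", "DHCP_Dhcid",
    "DHCP_VendorClass_Hex", "DHCP_VendorClass_ASCII", "DHCP_UserClass_Hex",
    "DHCP_UserClass_ASCII", "DHCP_RelayAgentInformation",
]
FIELDS_2012R2 = FIELDS_2008R2 + ["DHCP_DnsRegError"]
# Schema is chosen by column count: 18 -> 2008 R2, 19 -> 2012 R2.
SCHEMAS = {len(FIELDS_2008R2): FIELDS_2008R2, len(FIELDS_2012R2): FIELDS_2012R2}

# Only data rows start with a two-digit event ID followed directly by a comma.
# The banner, the tab-separated legend and the "ID,Date,..." schema line all
# fail this test; this is the "\d\d," filter from the second comment.
DATA_ROW = re.compile(r"^\d\d,")

# Constructed sample in the 2012 R2 layout (19 columns). Banner/legend shape
# is an assumption; the rows are invented.
SAMPLE_2012R2 = (
    "\t\tMicrosoft DHCP Service Activity Log\n"
    "\n"
    "Event ID  Meaning\n"
    "00\tThe log was started.\n"
    "10\tA new IP address was leased to a client.\n"
    "\n"
    "ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,"
    " TransactionID, QResult,Probationtime, CorrelationID,Dhcid,"
    "VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),"
    "RelayAgentInformation,DnsRegError\n"
    "24,07/22/15,08:00:01,Database Cleanup Begin,,,,,0,6,,,,,,,,,0\n"
    "10,07/22/15,08:32:10,Assign,192.168.10.57,ws-0042.example.local,"
    "B8AC6F1A2B3C,,3892261721,0,,,,,,,,,0\n"
    "11,07/22/15,09:15:44,Renew,192.168.10.57,ws-0042.example.local,"
    "B8AC6F1A2B3C,,3892261722,0,,,,,,,,,0\n"
)

# Same lease in the 2008 R2 layout (18 columns, no DnsRegError). Constructed.
SAMPLE_2008R2 = (
    "ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,"
    " TransactionID, QResult,Probationtime, CorrelationID,Dhcid,"
    "VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),"
    "RelayAgentInformation\n"
    "10,07/22/15,08:32:10,Assign,192.168.10.57,ws-0042.example.local,"
    "B8AC6F1A2B3C,,3892261721,0,,,,,,,,\n"
)

# A truncated row (e.g. a partial write read mid-rotation). Constructed.
SAMPLE_TRUNCATED = "10,07/22/15,08:40:00,Assign,192.168.10.58\n"


def parse_dhcp_log(text):
    """Return one dict per data row. Rows whose column count matches neither
    schema are kept as DHCP_raw with DHCP_parse_error set, never mis-mapped."""
    rows = []
    for line in text.splitlines():
        if not DATA_ROW.match(line):
            continue
        values = next(csv.reader([line]))
        names = SCHEMAS.get(len(values))
        if names is None:
            rows.append({"DHCP_raw": line, "DHCP_parse_error": True})
            continue
        rows.append(dict(zip(names, values)))
    return rows


def schema_of(row):
    """'2012R2' if the row carried DnsRegError, otherwise '2008R2'."""
    return "2012R2" if "DHCP_DnsRegError" in row else "2008R2"


def leases_for_ip(rows, ip):
    """Events touching one address, in file order, to answer the incident
    response question 'which MAC/host held this IP at that time'."""
    return [
        (r["DHCP_Date"], r["DHCP_Time"], r["DHCP_ID"], r["DHCP_Description"],
         r["DHCP_MACAddress"], r["DHCP_HostName"])
        for r in rows
        if not r.get("DHCP_parse_error") and r["DHCP_IPAddress"] == ip
    ]


if __name__ == "__main__":
    for name, sample in (("2012R2", SAMPLE_2012R2), ("2008R2", SAMPLE_2008R2)):
        for row in parse_dhcp_log(sample):
            print(name, schema_of(row), row["DHCP_ID"], row["DHCP_Description"],
                  row["DHCP_IPAddress"], row["DHCP_MACAddress"])
    print(leases_for_ip(parse_dhcp_log(SAMPLE_2012R2), "192.168.10.57"))
```

Because the schema line is filtered out with the rest of the header, the parser keys on column count rather than on the header text; if you ever see DHCP_parse_error rows in Graylog, that is the signal that a new Windows release changed the layout again (as 2012 R2 did) and the field list needs extending, rather than a sign that fields have quietly been shifted one column to the left.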