Windows DHCP

Content Pack

Windows DHCP Debug Content Pack

JulioQc

free!

Download from Github View on Github 3 5

Published

22 Jul 08:32

Last Push

22 Jul 10:00

Marketplace Rating

Discussion

2 Comments

Readme from Github

WinDHCP

Windows DHCP Debug Content Pack for Graylog

##Includes

Input (WinDHCPLogs-gelf - GELF/UDP/5441)
Extractors (WinDHCP_Debug_Log && all ID meaning descriptions)
Dashboard (WinDHCP Summary)

##Requirements

Windows DHCP server configured for "Enable DHCP audit logging" (https://technet.microsoft.com/en-ca/library/cc780941(v=ws.10).aspx)
A GELF capable log exporter/collector such as nxlog or Graylog Collector monitoring the log file path

###Example of a working NXlog.conf file input/output configuration (using Collector Sidecar):

<Input 578f9dbc0ae2f10b1139b6a9>
    Module im_file
    File "C:\Windows\Sysnative\dhcp\DhcpSrvLog-*.log"
    PollInterval 1
    SavePos	True
    ReadFromLast True
    Recursive False
    RenameCheck True
    Exec $FileName = file_name(); # Send file name with each message
</Input>

<Output 578f97f40ae2f10b1139b093>
    Module om_udp
    Host 192.168.20.210
    Port 5441
    OutputType  GELF
    Exec $short_message = $raw_event; # Avoids truncation of the short_message field.
    Exec $gl2_source_collector = 'ae1187a3-48ae-42bc-a820-7033d7438dbd';
    Exec $Hostname = hostname_fqdn();
</Output>

Your Rating

Please sign in to rate this add-on.

Comments

gerdesj almost 4 years ago

In addition to the above a regex of "\d\d," (without the "s) will avoid logging the headers on each file. \Sysnative\ in nxlog finds the system32 directory, but the Graylog file beat works fine with ['C:\Windows\system32\dhcp\DhcpSrvLog-*.log']

gerdesj almost 4 years ago

Windows DHCP logs are CSV formatted and include the schema at the top of each file. Hence an extractor that uses a csv converter instead of many regexes will be cheaper computationally. However, Win DHCP 2012 R2 has an additional field compared to 2008 R2. Here are some examples off running Graylog inputs, I've appended DHCP_ to each one to avoid stomping on other fields:

Win 2008 R2 Fields: DHCP_ID,DHCP_Date,DHCP_Time,DHCP_Description,DHCP_IPAddress,DHCP_HostName,DHCP_MACAddress,DHCP_UserName,DHCP_ TransactionID,DHCP_ QResult,DHCP_Probationtime,DHCP_ CorrelationID,DHCP_Dhcid,DHCP_VendorClass_Hex,DHCP_VendorClass_ASCII,DHCP_UserClass_Hex,DHCP_UserClass_ASCII,DHCP_RelayAgentInformation

Win 2012 R2 Fields: DHCP_ID,DHCP_Date,DHCP_Time,DHCP_Description,DHCP_IPAddress,DHCP_HostName,DHCP_MACAddress,DHCP_UserName,DHCP_ TransactionID,DHCP_ QResult,DHCP_Probationtime,DHCP_ CorrelationID,DHCP_Dhcid,DHCP_VendorClass_Hex,DHCP_VendorClass_ASCII,DHCP_UserClass_Hex,DHCP_UserClass_ASCII,DHCP_RelayAgentInformation,DHCP_DnsRegError

Please sign in to comment.

Back to listing