Log Server no DHCP Messages

[dcancela]

Hello all,

I have setup and installed Nagios Log Server and added all my servers. Everything seems to be working fine, but i noticed i do not get DHCP messages for me to monitor (like IP address changes). DHCP audit logging is turned on on the DHCP servers, but I'm guessing I missed something...

Any help is greatly appreciated!

[rkennedy]

Just to make sure, are you forwarding the DHCP audig logging to a log file that NLS is receiving data for? What OS is the client machine running?

[dcancela]

The audit logging is enabled and is going to the default location. The server OS is Windows Server 2012 R2.

[rkennedy]

Can you post your NXLog configuration for us to look at?

[dcancela]

Sure! It's basically the default but here it is:

(Edited hostname and port for security reasons)

## See the nxlog reference manual at
## http://nxlog.org/nxlog-docs/en/nxlog-re ... anual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define CERT %ROOT%\cert

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# Include fileop while debugging, also enable in the output module below
#<Extension fileop>
# Module xm_fileop
#</Extension>

<Extension json>
Module xm_json
</Extension>

<Extension syslog>
Module xm_syslog
</Extension>

<Input internal>
Module im_internal
</Input>

# Watch your own files
<Input file1>
Module im_file
File '%ROOT%\data\nxlog.log'
SavePos TRUE
Exec $Message = $raw_event;
</Input>

# Windows Event Log
<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
Module im_msvistalog

# Uncomment im_mseventlog for Windows XP/2000/2003
# Module im_mseventlog
</Input>

<Output out>
Module om_tcp
Host xxxxxxxxxxx
Port xxxx

Exec $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
Exec $raw_event = to_json();

# Uncomment for debug output
# Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");
</Output>

<Route 1>
Path internal, file1, eventlog => out
</Route>

[rkennedy]

I was trying to find more information about 2012, but I believe this will still apply (mentions 2008R2). Take a look at this article - https://technet.microsoft.com/en-us/lib ... 11%29.aspx

Basically, from what I understand, what it outlines is that DHCP does not log to event log, but rather %windir%\System32\Dhcp (where %windir% is C:\Windows).

We can add that file to be logged though using NLS, just take a bit of manual setup. From the Home screen, click Windows Source (like you did before), then look at the bottom where it says 'Set Up More Sources' and click 'Windows Files'. This page explains what needs to be done, but I'll modify it for what you're looking to do.

You'll need to make modifications to your nxlog configuration, similar to below -

Code: Select all

    # Watch your own files
    <Input dhcplogging>
        Module   im_file
        File     'C:\Windows\System32\Dhcp'
        SavePos  TRUE
        Exec     $Message = $raw_event;
    </Input>

Add the above part below this -

Code: Select all

# Windows Event Log
<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
Module im_msvistalog

# Uncomment im_mseventlog for Windows XP/2000/2003
# Module im_mseventlog
</Input>

Then modify the route part to be -

Code: Select all

<Route 1>
Path internal, file1, eventlog, dhcplogging => out
</Route>

Now restart the nxlog service, and it should start picking up on the DHCP log file.

[dcancela]

Yeah i saw that also but i was confused with one thing. In the line for the file path ('C:\path\to\target\file'), shouldnt it point to a specific file? Or will just the dhcp folder path work?

So instead of 'C:\path\to\target\file' i would be using 'C:\path\to\target\folder' ?

[hsmith]

Use 'C:\path\to\target\file'. We don't have a Windows DHCP server here, so the file path rkennedy provided may not have been exact.

[dcancela]

Right so in this case, the DHCP logs creates a DHCP log file for each day of the week. So is there a way to add the 7 DHCP log files together?

[hsmith]

See if this works:

'C:\path\to\target\files\*.log'