Unable to ship DHCP logs

[dlukinski]

Hello LOG Support

We are unable to ship DHCP logs to the LOG server:

failed to open directory: C:\\Windows\\system32\\dhcp: The system cannot find the path specified. "}

------------------------------------------------------------
<Input windowsfile>
Module im_file
File 'C:\Windows\system32\dhcp\dhcpsvrlog*.*' or 'C:\Windows\system32\dhcp\dhcpsvrlog*'
SavePos TRUE
# ReadFromLast FALSE
Exec $Message = $raw_event;
</Input>
-------------------------------------------------------------
- just does not work

Please help

[cdienger]

"Or" doesn't appear to be a valid option. Try:

Code: Select all

<Input windowsfile>
Module im_file
File 'C:\Windows\system32\dhcp\dhcpsvrlog*'
SavePos TRUE
# ReadFromLast FALSE
Exec $Message = $raw_event;
</Input>

test again, and PM me a complete copy of the configuration as well as nxlog.log if there are still problems.

[dlukinski]

"Or" doesn't appear to be a valid option. Try:

Code: Select all

<Input windowsfile>
Module im_file
File 'C:\Windows\system32\dhcp\dhcpsvrlog*'
SavePos TRUE
# ReadFromLast FALSE
Exec $Message = $raw_event;
</Input>

test again, and PM me a complete copy of the configuration as well as nxlog.log if there are still problems.

----------------------------------------------------------------------------------------------------------------------------------------
Hi

By OR I meant trying both paths (no luck)
Attached conf file.
---------------------
#
# Logstash Configuration File
# Dynamically created by Nagios Log Server
#
# DO NOT EDIT THIS FILE. IT WILL BE OVERWRITTEN.
#
# Created Mon, 04 Mar 2019 14:48:31 +0000
#

#
# Global inputs
#

input {
tcp {
port => 514
type => switchlog
}
udp {
port => 514
type => switchlog
}
tcp {
type => 'eventlog'
port => 3515
codec => json {
charset => 'CP1252'
}
}
tcp {
type => 'import_raw'
tags => 'import_raw'
port => 2056
}
tcp {
type => 'import_json'
tags => 'import_json'
port => 2057
codec => json
}
tcp {
port => 4444
type => SIEBELappLOG
}
udp {
port => 4444
type => SIEBELappLOG
}
tcp {
port => 4445
type => TCappLOG
}
udp {
port => 4445
type => TCappLOG
}
tcp {
type => 'ADFSeventlog'
port => 3516
codec => json {
charset => 'CP1252'
}
}
tcp {
port => 5544
type => syslog
}
udp {
port => 5544
type => syslog
}
tcp {
port => 4446
type => SKYBOTappLOG
}
udp {
port => 4446
type => SKYBOTappLOG
}
tcp {
port => 4447
type => EFECTEappLOG
}
udp {
port => 4447
type => EFECTEappLOG
}
tcp {
port => 5545
type => syslog
}
udp {
port => 5545
type => syslog
}
tcp {
port => 4448
type => RPAROBPappLOG
}
udp {
port => 4448
type => RPAROBPappLOG
}
tcp {
port => 4450
type => SELENIUMLOG
}
udp {
port => 4450
type => SELENIUMLOG
}
tcp {
port => 5546
type => DHCPlog
}
udp {
port => 5546
type => DHCPlog
}
}

#
# Local inputs
#



#
# Global filters
#

filter {
if [program] == 'apache_access' {
grok {
match => [ 'message', '%{COMBINEDAPACHELOG}']
}
date {
match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ]
}
mutate {
replace => [ 'type', 'apache_access' ]
convert => [ 'bytes', 'integer' ]
convert => [ 'response', 'integer' ]
}
}

if [program] == 'apache_error' {
grok {
match => [ 'message', '\[(?<timestamp>%{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME} %{YEAR})\] \[%{WORD:class}\] \[%{WORD:originator} %{IP:clientip}\] %{GREEDYDATA:errmsg}']
}
mutate {
replace => [ 'type', 'apache_error' ]
}
}
if [type] == "syslog" {
grok {
match => { "message" => "<%{POSINT:pri}>%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:logsource} %{DATA:program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA:syslog_message}" }
}
}
}

#
# Local filters
#



#
# Global outputs
#



#
# Local outputs
#

[cdienger]

Try replacing 'system32' with 'Sysnative' per the comment in https://nxlog.co/question/1848/nxlogcon ... -file-path

[dlukinski]

Try replacing 'system32' with 'Sysnative' per the comment in https://nxlog.co/question/1848/nxlogcon ... -file-path

Same error:

{"EventTime":"2019-03-04 16:46:19","Hostname":"FIKC-DHCP02","SeverityValue":4,"Severity":"ERROR","SourceName":"nxlog-ce","ProcessID":6916,"ErrorCode":720003,"EventReceivedTime":"2019-03-04 16:46:19","SourceModuleName":"internal","SourceModuleType":"im_internal","message":"failed to open directory: C:\\Windows\\system32\\dhcp: The system cannot find the path specified. "}

[cdienger]

Can you provide the current nxlog.conf using the sysnative directory so that we can confirm the config? I've been able to reproduce the problem and this resolved the problem in my case. What version of Windows and nxlog is currently installed? An update to the package that ships with NLS can be found at https://nxlog.co/products/nxlog-communi ... n/download. Try the latest to see if that resolves the issue.

[dlukinski]

Can you provide the current nxlog.conf using the sysnative directory so that we can confirm the config? I've been able to reproduce the problem and this resolved the problem in my case. What version of Windows and nxlog is currently installed? An update to the package that ships with NLS can be found at https://nxlog.co/products/nxlog-communi ... n/download. Try the latest to see if that resolves the issue.

Hi, here is the conf file attached

We now get this error:
"Module windowsfile has no input files to read"

[cdienger]

That may be promising - I get the same message if there isn't a file in that directory that matches the wildcard expression. Is there a file in there that matches DhcpSvrLog-*.log ? Make sure there aren't any spaces hiding in the name.

[dlukinski]

That may be promising - I get the same message if there isn't a file in that directory that matches the wildcard expression. Is there a file in there that matches DhcpSvrLog-*.log ? Make sure there aren't any spaces hiding in the name.

All these files as attached (live server), but nothing is being shipped to Nagios Log

[cdienger]

Try creating a new folder, configuring nxlog to pull logs from that new folder, and then copying the files over to the new folder. I'm not sure what nxlog seems to be having a problem finding these files, but this may be a work around.