Open blbecmatej opened 7 years ago
Yes, try replacing sysnative by system32 or syswow64 in the path
Thanks, it works.
Now I have a problem with parsing these logs. I know it is off topic, but I need to parse every value of the message into fields in Graylog. Is there any option to do that automatically, or must I use an extractor in Graylog to extract the values from the message? I mean something like this https://pastebin.com/4pjFmqRG
Well the content pack includes the extractors for graylog. So that should parse everything into nice searchable fields like you want. Note however that I did not have the opportunity to test on Win2016 so if the DHCP log format changed, it might not parse correctly. If that's the case, you're more than welcome to fork my work and adjust for 2016 :)
Side note, I'll make a 2016 version once I get to it but I can't reasonably provide an ETA on that :(
OK, here is the log from Graylog and I think it's the same as on Win 2012 R2.
And in this case, nothing was parsed, except ID_Description and time. :(
Can you post a line from the actual DHCP log for comparison?
OK, here is the log with a few other records.
Please post them as plain text so I can compare easily :) But at first glance there seem to be more fields...
```
31,10/24/17,17:22:14,DNS Update Failed,10.0.32.100,DESKTOP-39HQR3F.acskola.cz,,,0,6,,,,,,,,,9002
31,10/24/17,17:22:14,DNS Update Failed,10.0.32.101,VM-STUD01.acskola.cz,,,0,6,,,,,,,,,9002
31,10/24/17,17:22:14,DNS Update Failed,10.0.32.102,DESKTOP-39HQR3F.acskola.cz,,,0,6,,,,,,,,,9002
31,10/24/17,17:22:14,DNS Update Failed,10.0.36.100,DESKTOP-39HQR3F.acskola.cz,,,0,6,,,,,,,,,9002
31,10/24/17,17:22:14,DNS Update Failed,10.0.36.101,VM-ZAM01.acskola.cz,,,0,6,,,,,,,,,9002
31,10/24/17,17:22:14,DNS Update Failed,10.20.0.100,DESKTOP-39HQR3F.acskola.cz,,,0,6,,,,,,,,,9002
31,10/24/17,17:22:14,DNS Update Failed,10.21.0.100,DESKTOP-39HQR3F.acskola.cz,,,0,6,,,,,,,,,9002
11,10/24/17,18:19:46,Renew,172.22.0.110,android-1e2400e714d055e9,30A8DBAF97D8,,1477509350,0,,,,0x6468637063642D352E352E36,dhcpcd-5.5.6,,,0x0109696E7465726E616C32,0
24,10/24/17,18:22:14,Database Cleanup Begin,,,,,0,6,,,,,,,,,0
30,10/24/17,18:22:14,DNS Update Request,172.22.0.102,DESKTOP-39HQR3F,,,0,6,,,,,,,,,0
30,10/24/17,18:22:14,DNS Update Request,172.22.0.104,Windows-Phone,,,0,6,,,,,,,,,0
30,10/24/17,18:22:14,DNS Update Request,172.22.0.107,DESKTOP-39HQR3F,,,0,6,,,,,,,,,0
30,10/24/17,18:22:14,DNS Update Request,172.22.0.112,Windows-Phone,,,0,6,,,,,,,,,0
30,10/24/17,18:22:14,DNS Update Request,172.22.0.115,DESKTOP-39HQR3F,,,0,6,,,,,,,,,0
30,10/24/17,18:22:14,DNS Update Request,172.22.0.116,DESKTOP-39HQR3F,,,0,6,,,,,,,,,0
30,10/24/17,18:22:14,DNS Update Request,10.0.32.100,DESKTOP-39HQR3F.acskola.cz,,,0,6,,,,,,,,,0
30,10/24/17,18:22:14,DNS Update Request,10.0.32.101,VM-STUD01.acskola.cz,,,0,6,,,,,,,,,0
30,10/24/17,18:22:14,DNS Update Request,10.0.32.102,DESKTOP-39HQR3F.acskola.cz,,,0,6,,,,,,,,,0
30,10/24/17,18:22:14,DNS Update Request,10.0.36.100,DESKTOP-39HQR3F.acskola.cz,,,0,6,,,,,,,,,0
30,10/24/17,18:22:14,DNS Update Request,10.0.36.101,VM-ZAM01.acskola.cz,,,0,6,,,,,,,,,0
30,10/24/17,18:22:14,DNS Update Request,10.20.0.100,DESKTOP-39HQR3F.acskola.cz,,,0,6,,,,,,,,,0
30,10/24/17,18:22:14,DNS Update Request,10.21.0.100,DESKTOP-39HQR3F.acskola.cz,,,0,6,,,,,,,,,0
25,10/24/17,18:22:14,0 leases expired and 0 leases deleted,,,,,0,6,,,,,,,,,0
25,10/24/17,18:22:14,0 leases expired and 0 leases deleted,,,,,0,6,,,,,,,,,0
```
Thanks mate. I count 19 fields now when it was at 10 previously. And they seem reorganized :( I based my extractor on this doc: https://technet.microsoft.com/en-us/library/dd183591%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396 So I'll have to find the relevant documentation to update the extractor with the new DHCP format... any help is welcome.
I thank you mate, for your interest :).
Here I added the field names from the DHCP log.
Microsoft DHCP Service Activity Log

| Event ID | Meaning |
|---|---|
| 00 | The log was started. |
| 01 | The log was stopped. |
| 02 | The log was temporarily paused due to low disk space. |
| 10 | A new IP address was leased to a client. |
| 11 | A lease was renewed by a client. |
| 12 | A lease was released by a client. |
| 13 | An IP address was found to be in use on the network. |
| 14 | A lease request could not be satisfied because the scope's address pool was exhausted. |
| 15 | A lease was denied. |
| 16 | A lease was deleted. |
| 17 | A lease was expired and DNS records for an expired lease have not been deleted. |
| 18 | A lease was expired and DNS records were deleted. |
| 20 | A BOOTP address was leased to a client. |
| 21 | A dynamic BOOTP address was leased to a client. |
| 22 | A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted. |
| 23 | A BOOTP IP address was deleted after checking to see it was not in use. |
| 24 | IP address cleanup operation has begun. |
| 25 | IP address cleanup statistics. |
| 30 | DNS update request to the named DNS server. |
| 31 | DNS update failed. |
| 32 | DNS update successful. |
| 33 | Packet dropped due to NAP policy. |
| 34 | DNS update request failed as the DNS update request queue limit exceeded. |
| 35 | DNS update request failed. |
| 36 | Packet dropped because the server is in failover standby role or the hash of the client ID does not match. |
| 50+ | Codes above 50 are used for Rogue Server Detection information. |

QResult: 0: NoQuarantine, 1: Quarantine, 2: Drop Packet, 3: Probation, 6: No Quarantine Information. ProbationTime: Year-Month-Day Hour:Minute:Second:MilliSecond.

```
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,TransactionID,QResult,Probationtime,CorrelationID,Dhcid,VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),RelayAgentInformation,DnsRegError
```
We'll be migrating to 2016 fairly soon so I'll end up with the same problem eventually. Might as well deal with it now and if it can help someone while at it, why not :)
I can't provide an ETA but I'll get to it, promised!
That would be perfect if you update the extractor with the new DHCP format. I need this to look up users by MAC address.
Thank you mate :)
Now I have found this https://gist.github.com/Eagle6705/3d91b2270bf60b7cff12. I was wondering if I delete the IIS lines and create a GELF input in Graylog, it could work.
As mentioned in the comments: "Tested on Server 2008, Server 2008 R2" So no, you'll likely end up with the same result as with my content pack.
It is true, my bad. All I have done now is that I split the message by "," in Graylog. :)
Yes, that should be fairly simple to achieve, even using the CSV parser :) Problem is assigning a meaning to all those fields.
Yes, but I need only IP, MAC address and timestamp, and there is the issue, because it sets the timestamp to the delivery time, with the +1 second poll interval.
Do you know how to fix it please? I think it should be on the nxlog side, because I can't rewrite the timestamp in Graylog. :(
Thank you!
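Added example, not code from the content pack or from anyone in this thread: a parser for the 19-column field header posted above, which also builds the event time from the record's own Date/Time columns instead of the collector's delivery time, and reduces the log to the timestamp/IP/MAC view asked for here. The two sample records are copied from the log pasted earlier in the thread; the function names and the `LEASE_EVENTS` selection are my own.

```python
# Added example, not part of the content pack: name the 19 DHCP log columns
# and build the event time from the record itself, not the delivery time.
from datetime import datetime

# Field names exactly as listed in the DhcpSrvLog header (19 columns).
DHCP_FIELDS = [
    "ID", "Date", "Time", "Description", "IP Address", "Host Name",
    "MAC Address", "User Name", "TransactionID", "QResult", "Probationtime",
    "CorrelationID", "Dhcid", "VendorClass(Hex)", "VendorClass(ASCII)",
    "UserClass(Hex)", "UserClass(ASCII)", "RelayAgentInformation", "DnsRegError",
]
QRESULT = {"0": "NoQuarantine", "1": "Quarantine", "2": "Drop Packet",
           "3": "Probation", "6": "No Quarantine Information"}
LEASE_EVENTS = {"10", "11", "12"}  # new lease, renew, release (my selection)

def parse_record(line):
    """Name each comma-separated column; ValueError on header text or an older layout."""
    fields = line.rstrip("\r\n").split(",")  # values are never quoted in this log
    if len(fields) != len(DHCP_FIELDS):
        raise ValueError(f"expected {len(DHCP_FIELDS)} fields, got {len(fields)}")
    rec = dict(zip(DHCP_FIELDS, fields))
    # Date is MM/DD/YY, Time is HH:MM:SS, both in the DHCP server's local zone;
    # the result is naive, so attach the server's UTC offset before indexing it.
    rec["timestamp"] = datetime.strptime(rec["Date"] + " " + rec["Time"], "%m/%d/%y %H:%M:%S")
    rec["QResult"] = QRESULT.get(rec["QResult"], rec["QResult"])
    return rec

def hex_class_to_ascii(value):
    """Decode a 0x-prefixed VendorClass/UserClass value; empty stays empty."""
    return bytes.fromhex(value[2:]).decode("ascii", "replace") if value else ""

def lease_events(lines):
    """Reduce a log to (timestamp, IP, MAC) for lease events only: the view
    needed to answer 'which MAC held this address at this time'."""
    out = []
    for line in lines:
        try:
            rec = parse_record(line)
        except ValueError:
            continue  # header text, blank lines, unexpected layouts
        if rec["ID"] in LEASE_EVENTS:
            out.append((rec["timestamp"].isoformat(), rec["IP Address"],
                        rec["MAC Address"].lower()))
    return out

# Two records copied from the log pasted earlier in this thread, plus a header line.
SAMPLE = [
    "Microsoft DHCP Service Activity Log",
    "11,10/24/17,18:19:46,Renew,172.22.0.110,android-1e2400e714d055e9,30A8DBAF97D8,,1477509350,0,,,,0x6468637063642D352E352E36,dhcpcd-5.5.6,,,0x0109696E7465726E616C32,0",
    "31,10/24/17,17:22:14,DNS Update Failed,10.0.32.100,DESKTOP-39HQR3F.acskola.cz,,,0,6,,,,,,,,,9002",
]
```

The same split-and-name step can be expressed as a Graylog CSV extractor with the header above as the field list; the timestamp still has to be taken from the Date and Time columns rather than left at ingest time.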
Hi,
Sorry if I write something wrong, I am new to Graylog. I've tried this plugin and it seems OK for me with Windows Server 2016, but it seems that the Dashboard is not working. Can you help me with some instructions?
Thank you
Mmm, looks like your messages aren't getting parsed at all... make sure the extractors for the input are there.
If they should look like this:
they are there.
I think the problem is with gl2_source_input? Is it possible to edit this value in the imported content pack, or should I re-import the content pack and dashboard?
The content pack is in JSON format so you should be able to easily modify it
Hi,
I have a problem with the DHCP log. I am using the sidecar collector and I don't know where the problem might be.
I am using the path C:\Windows\Sysnative\dhcp\DhcpSrvLog-Tue.log for testing.
this is the log in nxlog:
my sidecar configuration:
nxlog configuration:
sidecar configuration in graylog:
Any idea why, please? Thanks.