## See the nxlog reference manual for the configuration options. It is installed
## locally with nxlog and is also available online at
## http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Set ROOT to the folder nxlog was installed into; otherwise nxlog will not start.

## Config file structure
##
## nxlog directory locations
## Extensions
## IIS log parsing modules (only if IIS is detected; no IIS/w3c module is defined in this file)
## Input modules
## Dedupe for Windows event logs
## Output modules
## Route modules
##
# Tested on Server 2008 and Server 2008 R2.
# Adjust the Output modules (hosts and ports) to match your own logstash configuration.
  21. define ROOT C:\Program Files (x86)\nxlog
  22.  
  23. Moduledir %ROOT%\modules
  24. CacheDir %ROOT%\data
  25. Pidfile %ROOT%\data\nxlog.pid
  26. SpoolDir %ROOT%\data
  27. LogFile %ROOT%\data\nxlog.log
  28. LogLevel INFO
  29.  
  30.  
  31. #Extensions----------------------------------------------------------------------------------
  32.  
  33. <Extension gelf>
  34. Module xm_gelf
  35. </Extension>
  36.  
  37. <Extension json>
  38. Module xm_json
  39. </Extension>
  40. #Uncomment this and the file out in the DHCP OUT to check output.
  41. #<Extension fileop>
  42. # Module xm_fileop
  43. #</Extension>
  44.  
#Extensions (end)----------------------------------------------------------------------------

# Inputs. The IIS/w3c parsing mentioned in the structure comment above is not present in this
# file; the only inputs defined below are the Windows Event Log and the DHCP server log.
# If IIS logging is added, a w3c Extension is needed, with the parse rule copied from the
# header of the IIS log file, and the input folder to scan must be selected.
  50.  
# Windows Event Log
  52. <Input in>
  53. Module im_msvistalog
  54.  
  55. </Input>
  56.  
# Field names taken from the header line of the DHCP server log (DhcpSrvLog-*.log).
  58. <Extension ParseDHCP>
  59. Module xm_csv
  60.  
  61. Fields $ID ,$Date ,$Time ,$Description ,$IPAddress ,$ReportedHostname ,$MACAddress ,$UserName ,$TransactionID ,$QResult ,$Probationtime ,$CorrelationID ,$Dhcid ,$VendorClass(Hex) ,$VendorClass(ASCII) ,$UserClass(Hex) ,$UserClass(ASCII) ,$RelayAgentInformation ,$DnsRegError
  62. Delimiter ','
  63. </Extension>
  64.  
# The DHCP logs are assumed to be in their default location.
# Use "Sysnative" in the log path when nxlog runs as a 32-bit process on a 64-bit system
# (it is the 64-bit System32 as seen by 32-bit applications).
# Use "System32" in the log path on 32-bit systems.
  68. <Input DHCP_IN>
  69. Module im_file
  70. File "C:\\Windows\\Sysnative\\dhcp\\DhcpSrvLog-*.log"
  71. SavePos TRUE
  72. InputType LineBased
  73. Exec $Message = $raw_event;
  74.  
  75. #Exec if $raw_event =~ /^30/ \
  76. # log_info($raw_event); \
  77. # $IDdef = "DNSUpdateRequest";
  78.  
  79. Exec if $raw_event =~ /^[0-9][0-9],/ \
  80. { \
  81. ParseDHCP->parse_csv(); \
  82. if $raw_event =~ /^00/ $IDdef = "The log was started."; \
  83. if $raw_event =~ /^01/ $IDdef = "The log was stopped."; \
  84. if $raw_event =~ /^02/ $IDdef = "The log was temporarily paused due to low disk space."; \
  85. if $raw_event =~ /^10/ $IDdef = "A new IP address was leased to a client."; \
  86. if $raw_event =~ /^11/ $IDdef = "A lease was renewed by a client."; \
  87. if $raw_event =~ /^12/ $IDdef = "A lease was released by a client."; \
  88. if $raw_event =~ /^13/ $IDdef = "An IP address was found to be in use on the network."; \
  89. if $raw_event =~ /^14/ $IDdef = "A lease request could not be satisfied because the scope's address pool was exhausted."; \
  90. if $raw_event =~ /^15/ $IDdef = "A lease was denied."; \
  91. if $raw_event =~ /^16/ $IDdef = "A lease was deleted."; \
  92. if $raw_event =~ /^17/ $IDdef = "A lease was expired and DNS records for an expired leases have not been deleted."; \
  93. if $raw_event =~ /^18/ $IDdef = "A lease was expired and DNS records were deleted."; \
  94. if $raw_event =~ /^20/ $IDdef = "A BOOTP address was leased to a client."; \
  95. if $raw_event =~ /^21/ $IDdef = "A dynamic BOOTP address was leased to a client."; \
  96. if $raw_event =~ /^22/ $IDdef = "A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted."; \
  97. if $raw_event =~ /^23/ $IDdef = "A BOOTP IP address was deleted after checking to see it was not in use."; \
  98. if $raw_event =~ /^24/ $IDdef = "IP address cleanup operation has began."; \
  99. if $raw_event =~ /^25/ $IDdef = "IP address cleanup statistics."; \
  100. if $raw_event =~ /^30/ $IDdef = "DNS update request to the named DNS server."; \
  101. if $raw_event =~ /^31/ $IDdef = "DNS update failed."; \
  102. if $raw_event =~ /^32/ $IDdef = "DNS update successful."; \
  103. if $raw_event =~ /^33/ $IDdef = "Packet dropped due to NAP policy."; \
  104. if $raw_event =~ /^34/ $IDdef = "DNS update request failed.as the DNS update request queue limit exceeded."; \
  105. if $raw_event =~ /^35/ $IDdef = "DNS update request failed."; \
  106. if $raw_event =~ /^36/ $IDdef = "Packet dropped because the server is in failover standby role or the hash of the client ID does not match."; \
  107. if $raw_event =~ /^[5-9][0-9]/ $IDdef = "Codes above 50 are used for Rogue Server Detection information."; \
  108. if $raw_event =~ /^.+,.+,.+,.+,.+,.+,.+,.+,0,/ $QResultDef = "NoQuarantine"; \
  109. if $raw_event =~ /^.+,.+,.+,.+,.+,.+,.+,.+,1,/ $QResultDef = "Quarantine"; \
  110. if $raw_event =~ /^.+,.+,.+,.+,.+,.+,.+,.+,2,/ $QResultDef = "Drop Packet"; \
  111. if $raw_event =~ /^.+,.+,.+,.+,.+,.+,.+,.+,3,/ $QResultDef = "Probation"; \
  112. if $raw_event =~ /^.+,.+,.+,.+,.+,.+,.+,.+,6,/ $QResultDef = "No Quarantine Information ProbationTime:Year-Month-Day Hour:Minute:Second:MilliSecond."; \
  113. $host = hostname_fqdn(); \
  114. $EventTime = parsedate($Date + " " + $Time); \
  115. $SourceName = "DHCPEvents"; \
  116. $Message = to_json(); \
  117. } \
  118. else \
  119. drop();
  120.  
  121. </Input>
  122.  
  123. <Processor dedupe>
  124. Module pm_norepeat
  125. </Processor>
  126.  
  127. <Output out>
  128. Module om_udp
  129. OutputType GELF
  130. Host gelflog.cshl.edu
  131. Port 12201
  132. </Output>
  133.  
#Uncomment an Exec file_write line to view the output. Useful for debugging purposes.
  135. <Output DHCP_Out>
  136. Module om_udp
  137. OutputType GELF
  138. Host 10.0.10.12
  139. #Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_json.log", $json);
  140. #Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_message.log", $message);
  141. #Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_raw.log", $raw_event);
  142. Port 5441
  143. </Output>
  144.  
  145. <Route win_1>
  146. Path in => dedupe => out
  147. </Route>
  148.  
  149. <Route DHCP>
  150. Path DHCP_IN => DHCP_OUT
  151. </Route>