API tools faq
paste
Advertisement
Guest User

nxlog_DHCP

a guest
Oct 24th, 2017
279
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 6.24 KB | None
Copied copy raw download clone embed print report
  1. ## See the nxlog reference manual about the
  2. ## configuration options. It should be installed locally and is also available
  3. ## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
  4.  
  5. ## Please set the ROOT to the folder your nxlog was installed into,
  6. ## otherwise it will not start.
  7.  
  8. ## Config file structure
  9. ##
  10. ## nxLog Directory Locations
  11. ## Extensions
  12. ## IIS Log Parsing Modules (If IIS is detected)
  13. ## Input Modules
  14. ## Dedupe for Windows Logs
  15. ## Output Modules
  16. ## Route Modules
  17. ##
  18. # Tested on Server 2008, Server 2008 R2
  19. # Adjust Out modules based on your own logstash configurations
  20.  
  21. define ROOT C:\Program Files (x86)\nxlog
  22.  
  23. Moduledir %ROOT%\modules
  24. CacheDir %ROOT%\data
  25. Pidfile %ROOT%\data\nxlog.pid
  26. SpoolDir %ROOT%\data
  27. LogFile %ROOT%\data\nxlog.log
  28. LogLevel INFO
  29.  
  30.  
  31. #Extensions----------------------------------------------------------------------------------
  32.  
  33. <Extension gelf>
  34. Module xm_gelf
  35. </Extension>
  36.  
  37. <Extension json>
  38. Module xm_json
  39. </Extension>
  40. #Uncomment this and the file out in the DHCP OUT to check output.
  41. #<Extension fileop>
  42. # Module xm_fileop
  43. #</Extension>
  44.  
  45. #Extensions----------------------------------------------------------------------------------
  46.  
  47. # Select the input folder where logs will be scanned
  48. # Create the parse rule for IIS logs. You can copy these from the header of the IIS log file.
  49. # Uncomment Extension w3c for IIS logging
  50.  
  51. # Window Event Log
  52. <Input in>
  53. Module im_msvistalog
  54.  
  55. </Input>
  56.  
  57. #Fields obtained from DHCP Server logs
  58. <Extension ParseDHCP>
  59. Module xm_csv
  60.  
  61. Fields $ID ,$Date ,$Time ,$Description ,$IPAddress ,$ReportedHostname ,$MACAddress ,$UserName ,$TransactionID ,$QResult ,$Probationtime ,$CorrelationID ,$Dhcid ,$VendorClass(Hex) ,$VendorClass(ASCII) ,$UserClass(Hex) ,$UserClass(ASCII) ,$RelayAgentInformation ,$DnsRegError
  62. Delimiter ','
  63. </Extension>
  64.  
  65. #DHCP logs assumed they are located in default location
  66. #Use "sysnative" for DHCP Log location for 32-bit applications to access the SYSTEM32 directory on a 64 Bit System
  67. #Use "system32" for DHCP Log location on 32 Bit systems
  68. <Input DHCP_IN>
  69. Module im_file
  70. File "C:\\Windows\\Sysnative\\dhcp\\DhcpSrvLog-*.log"
  71. SavePos TRUE
  72. InputType LineBased
  73. Exec $Message = $raw_event;
  74.  
  75. #Exec if $raw_event =~ /^30/ \
  76. # log_info($raw_event); \
  77. # $IDdef = "DNSUpdateRequest";
  78.  
  79. Exec if $raw_event =~ /^[0-9][0-9],/ \
  80. { \
  81. ParseDHCP->parse_csv(); \
  82. if $raw_event =~ /^00/ $IDdef = "The log was started."; \
  83. if $raw_event =~ /^01/ $IDdef = "The log was stopped."; \
  84. if $raw_event =~ /^02/ $IDdef = "The log was temporarily paused due to low disk space."; \
  85. if $raw_event =~ /^10/ $IDdef = "A new IP address was leased to a client."; \
  86. if $raw_event =~ /^11/ $IDdef = "A lease was renewed by a client."; \
  87. if $raw_event =~ /^12/ $IDdef = "A lease was released by a client."; \
  88. if $raw_event =~ /^13/ $IDdef = "An IP address was found to be in use on the network."; \
  89. if $raw_event =~ /^14/ $IDdef = "A lease request could not be satisfied because the scope's address pool was exhausted."; \
  90. if $raw_event =~ /^15/ $IDdef = "A lease was denied."; \
  91. if $raw_event =~ /^16/ $IDdef = "A lease was deleted."; \
  92. if $raw_event =~ /^17/ $IDdef = "A lease was expired and DNS records for an expired leases have not been deleted."; \
  93. if $raw_event =~ /^18/ $IDdef = "A lease was expired and DNS records were deleted."; \
  94. if $raw_event =~ /^20/ $IDdef = "A BOOTP address was leased to a client."; \
  95. if $raw_event =~ /^21/ $IDdef = "A dynamic BOOTP address was leased to a client."; \
  96. if $raw_event =~ /^22/ $IDdef = "A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted."; \
  97. if $raw_event =~ /^23/ $IDdef = "A BOOTP IP address was deleted after checking to see it was not in use."; \
  98. if $raw_event =~ /^24/ $IDdef = "IP address cleanup operation has began."; \
  99. if $raw_event =~ /^25/ $IDdef = "IP address cleanup statistics."; \
  100. if $raw_event =~ /^30/ $IDdef = "DNS update request to the named DNS server."; \
  101. if $raw_event =~ /^31/ $IDdef = "DNS update failed."; \
  102. if $raw_event =~ /^32/ $IDdef = "DNS update successful."; \
  103. if $raw_event =~ /^33/ $IDdef = "Packet dropped due to NAP policy."; \
  104. if $raw_event =~ /^34/ $IDdef = "DNS update request failed.as the DNS update request queue limit exceeded."; \
  105. if $raw_event =~ /^35/ $IDdef = "DNS update request failed."; \
  106. if $raw_event =~ /^36/ $IDdef = "Packet dropped because the server is in failover standby role or the hash of the client ID does not match."; \
  107. if $raw_event =~ /^[5-9][0-9]/ $IDdef = "Codes above 50 are used for Rogue Server Detection information."; \
  108. if $raw_event =~ /^.+,.+,.+,.+,.+,.+,.+,.+,0,/ $QResultDef = "NoQuarantine"; \
  109. if $raw_event =~ /^.+,.+,.+,.+,.+,.+,.+,.+,1,/ $QResultDef = "Quarantine"; \
  110. if $raw_event =~ /^.+,.+,.+,.+,.+,.+,.+,.+,2,/ $QResultDef = "Drop Packet"; \
  111. if $raw_event =~ /^.+,.+,.+,.+,.+,.+,.+,.+,3,/ $QResultDef = "Probation"; \
  112. if $raw_event =~ /^.+,.+,.+,.+,.+,.+,.+,.+,6,/ $QResultDef = "No Quarantine Information ProbationTime:Year-Month-Day Hour:Minute:Second:MilliSecond."; \
  113. $host = hostname_fqdn(); \
  114. $EventTime = parsedate($Date + " " + $Time); \
  115. $SourceName = "DHCPEvents"; \
  116. $Message = to_json(); \
  117. } \
  118. else \
  119. drop();
  120.  
  121. </Input>
  122.  
  123. <Processor dedupe>
  124. Module pm_norepeat
  125. </Processor>
  126.  
  127. <Output out>
  128. Module om_udp
  129. OutputType GELF
  130. Host gelflog.cshl.edu
  131. Port 12201
  132. </Output>
  133.  
  134. #Uncomment Exec file_write to view output. Usefull for debugging purposes
  135. <Output DHCP_Out>
  136. Module om_udp
  137. OutputType GELF
  138. Host 10.0.10.12
  139. #Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_json.log", $json);
  140. #Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_message.log", $message);
  141. #Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_raw.log", $raw_event);
  142. Port 5441
  143. </Output>
  144.  
  145. <Route win_1>
  146. Path in => dedupe => out
  147. </Route>
  148.  
  149. <Route DHCP>
  150. Path DHCP_IN => DHCP_OUT
  151. </Route>
Advertisement
RAW Paste Data Copied
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!