Okay, in order:

1. I'm using the OVA VM image from Graylog, so most of the configuration is already done. All I did was add a Connector with one nxlog input and one nxlog output, and then the GELF UDP input that the WinDHCP json created.

   The WinDHCP input is configured like this:

   WinDHCPLogs-gelf   GELF UDP   RUNNING
   On node 771f3128 / graylog <http://172.30.39.100/system/nodes/771f3128-a581-433b-a561-613c6bb8c5bf>
     - bind_address: 0.0.0.0
     - decompress_size_limit: 8388608
     - override_source: <empty>
     - port: 5441
     - recv_buffer_size: 1048576

2. The nxlog.conf file is:

   define ROOT C:\Program Files (x86)\nxlog

   <Extension gelf>
       Module xm_gelf
   </Extension>

   Moduledir %ROOT%\modules
   CacheDir  %ROOT%\data
   Pidfile   %ROOT%\data\nxlog.pid
   SpoolDir  %ROOT%\data
   LogFile   %ROOT%\data\nxlog.log
   LogLevel  INFO

   <Extension logrotate>
       Module xm_fileop
       <Schedule>
           When @daily
           Exec file_cycle('%ROOT%\data\nxlog.log', 7);
       </Schedule>
   </Extension>

   <Input 588bc33f682c990374bab049>
       Module im_file
       File 'C:\Windows\System32\dhcp\DhcpSrvLog-*.log'
       PollInterval 1
       SavePos True
       ReadFromLast True
       Recursive False
       RenameCheck True
       Exec $FileName = file_name(); # Send file name with each message
   </Input>

   <Output 588bc2db682c990374baafe0>
       Module om_udp
       Host re.da.ct.ed
       Port 5441
       OutputType GELF
       Exec $short_message = $raw_event; # Avoids truncation of the short_message field.
       Exec $gl2_source_collector = '9960a8cd-7abe-4021-939f-89b22909aa32';
       Exec $Hostname = hostname_fqdn();
   </Output>

   <Route route-0>
       Path 588bc33f682c990374bab049 => 588bc2db682c990374baafe0
   </Route>

3. collector_sidecar.yml is this:

   server_url: http://re.da.ct.ed:9000/api
   update_interval: 10
   tls_skip_verify: false
   send_status: true
   list_log_files:
   node_id: NS1
   collector_id: file:C:\Program Files\graylog\collector-sidecar\collector-id
   cache_path: C:\Program Files\graylog\collector-sidecar\cache
   log_path: C:\Program Files\graylog\collector-sidecar\logs
   log_rotation_time: 86400
   log_max_age: 604800
   tags: dhcp
   backends:
       - name: nxlog
         enabled: true
         binary_path: C:\Program Files (x86)\nxlog\nxlog.exe
         configuration_path: C:\Program Files\graylog\collector-sidecar\generated\nxlog.conf
       - name: winlogbeat
         enabled: false
         binary_path: C:\Program Files\graylog\collector-sidecar\winlogbeat.exe
         configuration_path: C:\Program Files\graylog\collector-sidecar\generated\winlogbeat.yml
       - name: filebeat
         enabled: false
         binary_path: C:\Program Files\graylog\collector-sidecar\filebeat.exe
         configuration_path: C:\Program Files\graylog\collector-sidecar\generated\filebeat.yml

On Friday, February 3, 2017 at 3:21:21 AM UTC-6, Jochen Schalanda wrote:
>
> Hi Rob,
>
> How did you configure Graylog? Which inputs did you create and how did you
> configure them?
> How did you configure the Graylog Collector Sidecar and what's the
> generated nxlog configuration?
>
> Cheers,
> Jochen
>
> On Thursday, 2 February 2017 23:30:20 UTC+1, Rob Repp wrote:
>>
>> I set up a Graylog 2.1.2 server by deploying the downloadable OVA from
>> graylog.org. I'm trying to monitor a Windows 2008 R2 server with the
>> DHCP role installed. The DHCP server deposits activity data into log files
>> at C:\Windows\System32\dhcp\DhcpSrvLog-*.log. I have collector-sidecar and
>> nxlog installed on the Windows machine, and configured to send the log data
>> back to a collector input on the Graylog server.
>>
>> My configuration is based on the WindowsDHCP content pack available in
>> the Graylog marketplace. I imported the content pack json,
>> configured collector-sidecar on Windows and the Graylog collector starting
>> from the sample code at https://github.com/JulioQc/WinDHCP.
>> Unfortunately, when I do "show messages" for the collector, there's nothing
>> coming in.
>>
>> Has anyone had any success with this configuration? If not, is there a
>> better method for monitoring Windows DHCP activity with Graylog? Thanks!
>>
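Added example (my own, not part of this thread or of the Graylog or nxlog projects): a small Python test sender that builds a GELF 1.1 message in the same shape the nxlog output above produces (short_message set to the raw event, plus the _FileName, _gl2_source_collector and _Hostname additional fields), checks it against the GELF rules that make Graylog silently drop a datagram (missing version/host/short_message, additional fields without the underscore prefix, the reserved _id field, a payload larger than the input's decompress_size_limit), gzips it the way om_udp does, and sends one datagram to the GELF UDP port. Sending one such message from the Windows host and then checking "show messages" separates "nxlog is not reading or forwarding the file" from "UDP 5441 is not reachable or the input is not accepting the datagram". The DHCP log line, the host names and GRAYLOG_HOST are constructed placeholders; only the port and the collector id come from the posted configuration.

```python
import gzip
import json
import socket
import time

# Constructed sample line in the DhcpSrvLog CSV layout (placeholder, not from the post).
SAMPLE_DHCP_LINE = "10,02/02/17,14:05:01,Assign,172.30.39.55,ws01.example.test,001122334455,"

# Placeholders: point at the Graylog node that hosts the GELF UDP input.
GRAYLOG_HOST = "127.0.0.1"
GRAYLOG_PORT = 5441                  # port of the WinDHCPLogs-gelf input in the post
DECOMPRESS_SIZE_LIMIT = 8388608      # decompress_size_limit of that input

# Fields the GELF 1.1 spec defines; anything else must carry an underscore prefix.
GELF_STANDARD_FIELDS = {
    "version", "host", "short_message", "full_message", "timestamp", "level",
    "facility", "line", "file",
}


def build_gelf(raw_event, hostname, collector_id, filename, timestamp=None):
    """Return a GELF 1.1 dict mirroring what the posted om_udp output emits."""
    return {
        "version": "1.1",
        "host": hostname,
        "short_message": raw_event,          # $short_message = $raw_event
        "timestamp": timestamp if timestamp is not None else time.time(),
        "level": 6,                          # syslog informational
        "_FileName": filename,               # $FileName = file_name()
        "_gl2_source_collector": collector_id,
        "_Hostname": hostname,               # $Hostname = hostname_fqdn()
    }


def validate_gelf(msg, size_limit=DECOMPRESS_SIZE_LIMIT):
    """List the reasons a GELF input would reject this message (empty list = OK)."""
    problems = []
    if msg.get("version") != "1.1":
        problems.append("version must be the string '1.1'")
    for key in ("host", "short_message"):
        if not msg.get(key):
            problems.append(f"required field '{key}' is missing or empty")
    if "_id" in msg:
        problems.append("'_id' is reserved and must not be sent")
    for key in msg:
        if key not in GELF_STANDARD_FIELDS and not key.startswith("_"):
            problems.append(f"additional field '{key}' lacks the '_' prefix and will be dropped")
    if len(json.dumps(msg).encode("utf-8")) > size_limit:
        problems.append("uncompressed payload exceeds the input's decompress_size_limit")
    return problems


def encode_gelf(msg, compress=True):
    """Serialise to the UDP payload; gzip is what om_udp with OutputType GELF sends."""
    payload = json.dumps(msg).encode("utf-8")
    return gzip.compress(payload) if compress else payload


def decode_gelf(datagram):
    """Inverse of encode_gelf for a single (unchunked) datagram, as the input sees it."""
    if datagram[:2] == b"\x1f\x8b":          # gzip magic
        datagram = gzip.decompress(datagram)
    elif datagram[:2] == b"\x1e\x0f":        # chunked GELF magic
        raise ValueError("chunked GELF datagram; this helper handles single datagrams only")
    return json.loads(datagram.decode("utf-8"))


def send_gelf(msg, host=GRAYLOG_HOST, port=GRAYLOG_PORT, compress=True):
    """Send one datagram to the GELF UDP input and return the number of bytes sent."""
    datagram = encode_gelf(msg, compress)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(datagram, (host, port))


if __name__ == "__main__":
    message = build_gelf(
        SAMPLE_DHCP_LINE,
        hostname="ns1.example.test",                          # placeholder FQDN
        collector_id="9960a8cd-7abe-4021-939f-89b22909aa32",  # from the posted nxlog.conf
        filename="DhcpSrvLog-Thu.log",
    )
    issues = validate_gelf(message)
    if issues:
        raise SystemExit("not sending, message would be dropped: " + "; ".join(issues))
    print(f"sent {send_gelf(message)} bytes to {GRAYLOG_HOST}:{GRAYLOG_PORT}")
```

If the message shows up under "show messages" for the input, the network path and the input are fine and the problem is on the nxlog side (file pattern, ReadFromLast, or the sidecar not rendering the configuration); if it does not, check the bind address, the Windows firewall egress rule and any host firewall on the OVA before touching nxlog again.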
