Hi Rob,

the configuration looks good so far. Make sure that the host "re.da.ct.ed" can be accessed by your Windows machine and that port 5441/udp is open and not blocked by a firewall.

Cheers,
Jochen

On Friday, 3 February 2017 23:10:50 UTC+1, Rob Repp wrote:
>
> Okay, in order:
>
> 1. I'm using the OVA VM image from Graylog, so most of the configuration is already done. All I did was add a Connector with one nxlog input and one nxlog output, and then the GELF UDP input that the WinDHCP json created.
>
> The WinDHCP input is configured like this:
>
> WinDHCPLogs-gelf GELF UDP RUNNING
> On node 771f3128 / graylog <http://172.30.39.100/system/nodes/771f3128-a581-433b-a561-613c6bb8c5bf>
>
> - bind_address: 0.0.0.0
> - decompress_size_limit: 8388608
> - override_source: <empty>
> - port: 5441
> - recv_buffer_size: 1048576
>
> 2. The nxlog.conf file is:
>
> define ROOT C:\Program Files (x86)\nxlog
>
> <Extension gelf>
>     Module xm_gelf
> </Extension>
>
> Moduledir %ROOT%\modules
> CacheDir %ROOT%\data
> Pidfile %ROOT%\data\nxlog.pid
> SpoolDir %ROOT%\data
> LogFile %ROOT%\data\nxlog.log
> LogLevel INFO
>
> <Extension logrotate>
>     Module xm_fileop
>     <Schedule>
>         When @daily
>         Exec file_cycle('%ROOT%\data\nxlog.log', 7);
>     </Schedule>
> </Extension>
>
> <Input 588bc33f682c990374bab049>
>     Module im_file
>     File 'C:\Windows\System32\dhcp\DhcpSrvLog-*.log'
>     PollInterval 1
>     SavePos True
>     ReadFromLast True
>     Recursive False
>     RenameCheck True
>     Exec $FileName = file_name(); # Send file name with each message
> </Input>
>
> <Output 588bc2db682c990374baafe0>
>     Module om_udp
>     Host re.da.ct.ed
>     Port 5441
>     OutputType GELF
>     Exec $short_message = $raw_event; # Avoids truncation of the short_message field.
>     Exec $gl2_source_collector = '9960a8cd-7abe-4021-939f-89b22909aa32';
>     Exec $Hostname = hostname_fqdn();
> </Output>
>
> <Route route-0>
>     Path 588bc33f682c990374bab049 => 588bc2db682c990374baafe0
> </Route>
>
> 3. collector_sidecar.yml is this:
>
> server_url: http://re.da.ct.ed:9000/api
> update_interval: 10
> tls_skip_verify: false
> send_status: true
> list_log_files:
> node_id: NS1
> collector_id: file:C:\Program Files\graylog\collector-sidecar\collector-id
> cache_path: C:\Program Files\graylog\collector-sidecar\cache
> log_path: C:\Program Files\graylog\collector-sidecar\logs
> log_rotation_time: 86400
> log_max_age: 604800
> tags: dhcp
> backends:
>     - name: nxlog
>       enabled: true
>       binary_path: C:\Program Files (x86)\nxlog\nxlog.exe
>       configuration_path: C:\Program Files\graylog\collector-sidecar\generated\nxlog.conf
>     - name: winlogbeat
>       enabled: false
>       binary_path: C:\Program Files\graylog\collector-sidecar\winlogbeat.exe
>       configuration_path: C:\Program Files\graylog\collector-sidecar\generated\winlogbeat.yml
>     - name: filebeat
>       enabled: false
>       binary_path: C:\Program Files\graylog\collector-sidecar\filebeat.exe
>       configuration_path: C:\Program Files\graylog\collector-sidecar\generated\filebeat.yml
>
> On Friday, February 3, 2017 at 3:21:21 AM UTC-6, Jochen Schalanda wrote:
>>
>> Hi Rob,
>>
>> How did you configure Graylog? Which inputs did you create and how did you configure them?
>> How did you configure the Graylog Collector Sidecar and what's the generated nxlog configuration?
>>
>> Cheers,
>> Jochen
>>
>> On Thursday, 2 February 2017 23:30:20 UTC+1, Rob Repp wrote:
>>>
>>> I set up a Graylog 2.1.2 server by deploying the downloadable OVA from graylog.org. I'm trying to monitor a Windows 2008 R2 server with the DHCP role installed. The DHCP server deposits activity data into log files at C:\Windows\System32\dhcp\DhcpSrvLog-*.log. I have collector-sidecar and nxlog installed on the Windows machine, and configured to send the log data back to a collector input on the Graylog server.
>>>
>>> My configuration is based on the WindowsDHCP content pack available in the Graylog marketplace. I imported the content pack json, configured collector-sidecar on Windows and the Graylog collector starting from the sample code at https://github.com/JulioQc/WinDHCP. Unfortunately, when I do "show messages" for the collector, there's nothing coming in.
>>>
>>> Has anyone had any success with this configuration? If not, is there a better method for monitoring Windows DHCP activity with Graylog? Thanks!
>>>
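The reachability check Jochen suggests (is the GELF UDP input actually receiving datagrams on port 5441?) can be carried out with a hand-built GELF message rather than by waiting for the DHCP server to write a lease. The script below is an added example and is not code from this thread, from Graylog, from nxlog or from the WinDHCP content pack. It builds a GELF 1.1 datagram carrying the same custom fields the quoted nxlog output sets (`FileName`, `gl2_source_collector`), sends it over UDP, and decodes it the way a GELF UDP input does (raw JSON, gzip or zlib, identified by the first bytes; chunked messages are rejected here rather than reassembled). The DHCP log line, the host name `dhcp01.example.test` and the all-zero collector id are constructed sample values. `loopback_check()` runs the whole path against a throwaway listener on 127.0.0.1; pointing `send_gelf_udp()` at the Graylog host and port 5441 instead, then watching the input's message count in the web interface, is the same test across the network, and a datagram that arrives locally but never shows up on the input points at the firewall or the route in between.

```python
"""Loopback self-test for a GELF-over-UDP log path (nxlog -> Graylog style).

Added example, not Graylog's, nxlog's or the WinDHCP content pack's code.
Host names, the DHCP log line and the collector id are constructed samples.
"""
import gzip
import json
import socket
import time
import zlib

GELF_VERSION = "1.1"

# Constructed sample: one record in the CSV shape of a Windows DhcpSrvLog-*.log file.
SAMPLE_DHCP_LINE = "10,02/03/17,14:22:01,Assign,172.30.39.55,host1.example.test,001122334455,"
SAMPLE_HOST = "dhcp01.example.test"  # stands in for nxlog's hostname_fqdn()
SAMPLE_COLLECTOR_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real sidecar id


def build_gelf_message(short_message, host, extra=None, timestamp=None, level=6):
    """Return an uncompressed GELF 1.1 payload as UTF-8 JSON bytes.

    GELF requires version, host and short_message. Additional fields carry a
    leading underscore (xm_gelf adds it for nxlog fields) and _id is reserved.
    """
    msg = {
        "version": GELF_VERSION,
        "host": host,
        "short_message": short_message,
        "timestamp": time.time() if timestamp is None else timestamp,
        "level": level,  # syslog severity, 6 = informational
    }
    for key, value in (extra or {}).items():
        name = key if key.startswith("_") else "_" + key
        if name == "_id":
            raise ValueError("_id is reserved in GELF and would be dropped")
        msg[name] = value
    return json.dumps(msg).encode("utf-8")


def send_gelf_udp(payload, host, port, compress=None):
    """Send one GELF datagram; compress is None, 'gzip' or 'zlib'. Returns bytes sent."""
    if compress == "gzip":
        data = gzip.compress(payload)
    elif compress == "zlib":
        data = zlib.compress(payload)
    else:
        data = payload
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(data, (host, port))


def decode_gelf(datagram, decompress_size_limit=8388608):
    """Decode a GELF UDP datagram by sniffing its leading bytes, as a GELF input does."""
    if datagram[:2] == b"\x1e\x0f":  # chunked GELF magic
        raise ValueError("chunked GELF: reassembly is not implemented in this example")
    if datagram[:2] == b"\x1f\x8b":  # gzip magic
        datagram = gzip.decompress(datagram)
    elif datagram[:1] == b"\x78":  # zlib header byte
        datagram = zlib.decompress(datagram)
    if len(datagram) > decompress_size_limit:  # mirrors the input's decompress_size_limit setting
        raise ValueError("decompressed payload exceeds limit")
    msg = json.loads(datagram.decode("utf-8"))
    missing = [f for f in ("version", "host", "short_message") if f not in msg]
    if missing:
        raise ValueError("not a valid GELF message, missing: " + ", ".join(missing))
    return msg


def loopback_check(line=SAMPLE_DHCP_LINE, compress=None, timeout=2.0):
    """Bind a throwaway UDP listener on 127.0.0.1, send one message to it, return the decoded dict."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
        listener.settimeout(timeout)
        port = listener.getsockname()[1]
        payload = build_gelf_message(
            line,
            SAMPLE_HOST,
            {"FileName": "DhcpSrvLog-Fri.log", "gl2_source_collector": SAMPLE_COLLECTOR_ID},
        )
        send_gelf_udp(payload, "127.0.0.1", port, compress)
        datagram, _ = listener.recvfrom(65535)  # a socket.timeout here means the path is blocked
    return decode_gelf(datagram)


if __name__ == "__main__":
    for mode in (None, "gzip", "zlib"):
        received = loopback_check(compress=mode)
        print(mode or "raw", "->", received["short_message"], received["_FileName"])
```

The decoder deliberately checks the three required GELF fields, because a datagram that reaches the input but fails GELF parsing is silently counted as a failure rather than shown under "Show received messages", which looks exactly like a blocked port from the web interface.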
