Hi Rob, the configuration looks good so far. Make sure that the host "re.da.ct.ed" can be accessed by your Windows machine and that port 5441/udp is open and not blocked by a firewall.
Cheers, Jochen On Friday, 3 February 2017 23:10:50 UTC+1, Rob Repp wrote: > > Okay, in order: > > 1. I'm using the OVA VM image from Graylog, so most of the configuration > is already done. All I did was add a Connector with one nxlog input and one > nxlog output, and then the GELF UDP input that the WinDHCP json created. > > The WinDHCP input is configured like this: > > WinDHCPLogs-gelf GELF UDP RUNNING > On node 771f3128 / graylog > <http://172.30.39.100/system/nodes/771f3128-a581-433b-a561-613c6bb8c5bf> > > - bind_address: > 0.0.0.0 > - decompress_size_limit: > 8388608 > - override_source: > *<empty>* > - port: > 5441 > - recv_buffer_size: > 1048576 > > > 2. The nxlog.conf file is: > > define ROOT C:\Program Files (x86)\nxlog > > <Extension gelf> > Module xm_gelf > </Extension> > > Moduledir %ROOT%\modules > CacheDir %ROOT%\data > Pidfile %ROOT%\data\nxlog.pid > SpoolDir %ROOT%\data > LogFile %ROOT%\data\nxlog.log > LogLevel INFO > > <Extension logrotate> > Module xm_fileop > <Schedule> > When @daily > Exec file_cycle('%ROOT%\data\nxlog.log', 7); > </Schedule> > </Extension> > > <Input 588bc33f682c990374bab049> > Module im_file > File 'C:\Windows\System32\dhcp\DhcpSrvLog-*.log' > PollInterval 1 > SavePos True > ReadFromLast True > Recursive False > RenameCheck True > Exec $FileName = file_name(); # Send file name with each message > </Input> > > <Output 588bc2db682c990374baafe0> > Module om_udp > Host re.da.ct.ed > Port 5441 > OutputType GELF > Exec $short_message = $raw_event; # Avoids truncation of the short_message > field. > Exec $gl2_source_collector = '9960a8cd-7abe-4021-939f-89b22909aa32'; > Exec $Hostname = hostname_fqdn(); > </Output> > > <Route route-0> > Path 588bc33f682c990374bab049 => 588bc2db682c990374baafe0 > </Route> > > 3. collector_sidecar.yml is this: > > server_url: http://re.da.ct.ed:9000/api > update_interval: 10 > tls_skip_verify: false > send_status: true > list_log_files: > node_id: NS1 > collector_id: file:C:\Program Files\graylog\collector-sidecar\collector-id > cache_path: C:\Program Files\graylog\collector-sidecar\cache > log_path: C:\Program Files\graylog\collector-sidecar\logs > log_rotation_time: 86400 > log_max_age: 604800 > tags: dhcp > backends: > - name: nxlog > enabled: true > binary_path: C:\Program Files (x86)\nxlog\nxlog.exe > configuration_path: C:\Program > Files\graylog\collector-sidecar\generated\nxlog.conf > - name: winlogbeat > enabled: false > binary_path: C:\Program > Files\graylog\collector-sidecar\winlogbeat.exe > configuration_path: C:\Program > Files\graylog\collector-sidecar\generated\winlogbeat.yml > - name: filebeat > enabled: false > binary_path: C:\Program Files\graylog\collector-sidecar\filebeat.exe > configuration_path: C:\Program > Files\graylog\collector-sidecar\generated\filebeat.yml > > > > > > On Friday, February 3, 2017 at 3:21:21 AM UTC-6, Jochen Schalanda wrote: >> >> Hi Rob, >> >> How did you configure Graylog? Which inputs did you create and how did >> you configure them? >> How did you configure the Graylog Collector Sidecar and what's the >> generated nxlog configuration? >> >> Cheers, >> Jochen >> >> On Thursday, 2 February 2017 23:30:20 UTC+1, Rob Repp wrote: >>> >>> I set up a Graylog 2.1.2 server by deploying the downloadable OVA from >>> graylog.org. I'm trying to monitor a Windows 2008 R2 server with the >>> DHCP role installed. The DHCP server deposits activity data into log files >>> at C:\Windows\System32\dhcp\DhcpSrvLog-*.log. I have collector-sidecar and >>> nxlog installed on the Windows machine, and configured to send the log data >>> back to a collector input on the Graylog server. >>> >>> My configuration is based on the WindowsDHCP content pack available in >>> the Graylog marketplace. I imported the content pack json, >>> configured collector-sidecar on Windows and the Graylog collector starting >>> from the sample code at https://github.com/JulioQc/WinDHCP. >>> Unfortunately, when I do "show messages" for the collector, there's nothing >>> coming in. >>> >>> Has anyone had any success with this configuration? If not, is there a >>> better method for monitoring Windows DHCP activity with Graylog? Thanks! >>> >> -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/b5d0ddb0-009a-4f2a-8164-b3a3641f5acf%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
