Ok, the IPv6 logs decoder was working. However, the IPv4 decoder was not.
The prematch that you had in the IPv4 was looking for a 4 digit year field
instead of a 2 digit year. Looking back at the log samples I provided, they
DO have a 4 digit year. The only thing I can think happened is that I
imported the logs into Excel to remove duplicate IDs and it must have
changed the date field from a 2 digit year to a 4 digit year... Oops! I made
the following change to the decoder and now it works.
From:
<prematch>^\d\d,\d+/\d+/\d\d\d\d,\d+:\d+:\d+,</prematch>
To:
<prematch>^\d\d,\d+/\d+/\d+,\d+:\d+:\d+,</prematch>
OR:
<prematch>^\d\d,\d+/\d+/\d\d,\d+:\d+:\d+,</prematch>
As far as the problem of the ossec-agent not being able to read the file,
I'm not sure why that is cropping up. The ossec-agent I had on my dhcp
server wasn't logging properly. I uninstalled the agent and reinstalled it
and now it's logging. I'll see what else I can come up with from the logs.
It does appear that after a week, the agent no longer detects changes to the
log files until either the DHCP service is restarted or the ossec agent is
restarted. Any idea why that would be happening?
I've tried to tell the ossec-agent to look just at
%windir%\system32\dhcp\*.log and defined all of the following logs. In both
cases, it stops detecting changes to the logs after one week.
I don't know how the ossec-agent determines there have been changes to a
log. Is it when it detects a change in the log file itself or does it look
at the timestamp or compare the file hash?
The way that the MS DHCP server logs is as follows: It writes to a log file
per day in the following format.
05/24/2009 12:00 AM 160,246 DhcpSrvLog-Sat.log
05/25/2009 12:00 AM 202,731 DhcpSrvLog-Sun.log
05/26/2009 12:00 AM 159,728 DhcpSrvLog-Mon.log
05/27/2009 12:00 AM 237,552 DhcpSrvLog-Tue.log
05/28/2009 12:00 AM 218,171 DhcpSrvLog-Wed.log
05/29/2009 12:00 AM 284,141 DhcpSrvLog-Thu.log
05/29/2009 01:12 PM 145,251 DhcpSrvLog-Fri.log
When the day is over and it's time to move to the next log file, it clears
the previous week's daily file and starts over. When it clears the log file,
the log always begins with the following:
<file>
Microsoft DHCP Service Activity Log
<blank line>
<blank line>
Event ID Meaning
00 The log was started.
01 The log was stopped.
02 The log was temporarily paused due to low disk space.
10 A new IP address was leased to a client.
11 A lease was renewed by a client.
12 A lease was released by a client.
13 An IP address was found to be in use on the network.
14 A lease request could not be satisfied because the scope's
address pool was exhausted.
15 A lease was denied.
16 A lease was deleted.
17 A lease was expired.
20 A BOOTP address was leased to a client.
21 A dynamic BOOTP address was leased to a client.
22 A BOOTP request could not be satisfied because the scope's
address pool for BOOTP was exhausted.
23 A BOOTP IP address was deleted after checking to see it was
not in use.
24 IP address cleanup operation has began.
25 IP address cleanup statistics.
30 DNS update request to the named DNS server
31 DNS update failed
32 DNS update successful
50+ Codes above 50 are used for Rogue Server Detection information.
<blank line>
ID,Date,Time,Description,IP Address,Host Name,MAC Address
<insert events here and below, one alert per line>
</file>
Thanks again,
phishphreek
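To illustrate what the corrected prematch does against the file layout described above, here is an added Python example (not from the original post or from OSSEC): it applies the old 4-digit-year and new relaxed prematch to constructed event lines, skips the Microsoft header block because none of those lines match, and splits matching lines on the CSV header fields. Python's re dialect stands in for OSSEC's own regex engine here; the sample lines, hostnames and addresses are constructed.

```python
import re
from typing import Optional

# Event ID meanings taken from the header Microsoft DHCP writes at the top of each daily file.
EVENT_MEANINGS = {
    "00": "The log was started.",
    "01": "The log was stopped.",
    "10": "A new IP address was leased to a client.",
    "11": "A lease was renewed by a client.",
    "12": "A lease was released by a client.",
    "13": "An IP address was found to be in use on the network.",
    "15": "A lease was denied.",
}

# Original prematch (requires a 4-digit year) and the corrected one (any year length).
PREMATCH_OLD = re.compile(r"^\d\d,\d+/\d+/\d\d\d\d,\d+:\d+:\d+,")
PREMATCH_NEW = re.compile(r"^\d\d,\d+/\d+/\d+,\d+:\d+:\d+,")

# Column order from the "ID,Date,Time,..." header line of the DHCP log.
FIELDS = ["id", "date", "time", "description", "ip", "host", "mac"]


def prematch(line: str, pattern: re.Pattern = PREMATCH_NEW) -> bool:
    """True if the line would pass the decoder prematch (anchored at line start)."""
    return pattern.match(line) is not None


def decode(line: str) -> Optional[dict]:
    """Split one matching event line into named fields; header lines return None."""
    if not prematch(line):
        return None
    parts = line.rstrip("\r\n").split(",")
    rec = dict(zip(FIELDS, parts[: len(FIELDS)]))
    if rec["id"].isdigit() and int(rec["id"]) >= 50:
        rec["meaning"] = "Rogue Server Detection information"
    else:
        rec["meaning"] = EVENT_MEANINGS.get(rec["id"], "unknown event id")
    return rec


def decode_file(lines: list) -> list:
    """Decode a whole daily file; the Microsoft header block is dropped by the prematch."""
    return [rec for rec in (decode(l) for l in lines) if rec is not None]


# Constructed sample file: header block as described in the post, then two events.
SAMPLE_FILE = [
    "Microsoft DHCP Service Activity Log", "", "", "Event ID Meaning",
    "00 The log was started.", "10 A new IP address was leased to a client.", "",
    "ID,Date,Time,Description,IP Address,Host Name,MAC Address",
    "10,05/29/09,13:05:22,Assign,192.0.2.45,host1.example.com,001122334455",
    "15,05/29/09,13:05:30,NACK,192.0.2.46,host2.example.com,001122334466",
]
```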