I see there is an MS DHCP parser, but I'm not having much success in
getting it to work in a stable fashion. The log file names are
DhcpSrvLog-Sun.log, DhcpSrvLog-Mon.log, etc., and so rotate on a weekly
basis; the naming convention is not configurable.

The first agent config sample my google-fu turned up was the following:

<ossec_config>
  <localfile>
    <!-- wildcarded location: did not work on the Windows agent -->
    <location>%windir%\system32\dhcp\*.log</location>
    <log_format>syslog</log_format>
  </localfile>
</ossec_config>

That did not work, as MS logs can't be wildcarded. I then added the
individual log files:

<ossec_config>
  <!-- one <localfile> per weekday file, since the name cannot be wildcarded -->
  <localfile>
    <location>%windir%\system32\dhcp\Audit\DhcpSrvLog-Sun.log</location>
    <log_format>syslog</log_format>
  </localfile>
  <localfile>
    <location>%windir%\system32\dhcp\Audit\DhcpSrvLog-Mon.log</location>
    <log_format>syslog</log_format>
  </localfile>
  <localfile>
    <location>%windir%\system32\dhcp\Audit\DhcpSrvLog-Tue.log</location>
    <log_format>syslog</log_format>
  </localfile>
  <localfile>
    <location>%windir%\system32\dhcp\Audit\DhcpSrvLog-Wed.log</location>
    <log_format>syslog</log_format>
  </localfile>
  <localfile>
    <location>%windir%\system32\dhcp\Audit\DhcpSrvLog-Thu.log</location>
    <log_format>syslog</log_format>
  </localfile>
  <localfile>
    <location>%windir%\system32\dhcp\Audit\DhcpSrvLog-Fri.log</location>
    <log_format>syslog</log_format>
  </localfile>
  <localfile>
    <location>%windir%\system32\dhcp\Audit\DhcpSrvLog-Sat.log</location>
    <log_format>syslog</log_format>
  </localfile>
</ossec_config>

This seemed to work at first... but it doesn't seem to handle the rotation,
and dies when the next day's log is rotated in. That's the current log, and
so the important one. This occurs shortly after the nightly rotation:

2012/10/19 00:02:07 ossec-agent(1117): ERROR: Error handling file 'C:\WINDOWS\system32\dhcp\Audit\DhcpSrvLog-Fri.log' (date).
2012/10/19 00:02:07 ossec-agent(1103): ERROR: Unable to open file 'C:\WINDOWS\system32\dhcp\Audit\DhcpSrvLog-Fri.log'.
2012/10/19 00:06:36 ossec-agent(1904): INFO: File not available, ignoring it: 'C:\WINDOWS\system32\dhcp\Audit\DhcpSrvLog-Fri.log'.

OSSEC seems to handle other log rotation gracefully, so I'm not sure why
this is problematic. Given there's a bundled MS DHCP parser, it'd seem that
someone must have gotten this working successfully...

TIA,
Brian
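The failure mode in the post is specific to how the Microsoft DHCP server rotates: it never renames anything, it just reuses the same seven DhcpSrvLog-<Day>.log names, truncating and rewriting a file in place when that weekday comes round again (and the file may be briefly absent or still being written when a collector looks at it). The following is an added example, not code from the original post, from OSSEC or from Microsoft. It parses the audit-log format the bundled decoder targets (preamble, `ID,Date,Time,...` header row, CSV event rows) and follows one day's file in a way that survives that in-place rotation: it re-reads from the top when the file shrinks or its first event row changes, ignores a file that does not exist yet, and leaves a half-written trailing line for the next poll. The event-ID table is a subset of the meanings printed in each log's own preamble; the default directory, the sample log content (including the `Scope full` and `NACK` descriptions) and all host names and MAC addresses are constructed for the demo and are not captured from a server.

```python
"""Parse Microsoft DHCP audit logs (DhcpSrvLog-<Day>.log) and follow the current day's
file across the nightly rotation.  Added example, not OSSEC's or Microsoft's code."""
import csv
import datetime as dt
import os
import tempfile

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]  # datetime.weekday(): Monday == 0
EVENT_IDS = {  # subset of the event IDs the service lists in the preamble of every log file
    "00": "The log was started.", "01": "The log was stopped.",
    "10": "A new IP address was leased to a client.", "11": "A lease was renewed by a client.",
    "12": "A lease was released by a client.", "15": "A lease was denied.",
    "14": "A lease request could not be satisfied because the scope's address pool was exhausted.",
}
# Original column layout; the header row inside the file overrides it on newer servers.
DEFAULT_COLUMNS = ["ID", "Date", "Time", "Description", "IP Address", "Host Name", "MAC Address"]

def log_path_for(date, directory=r"C:\Windows\System32\dhcp"):
    """Path of the audit log written on `date` (the default directory is an assumption)."""
    return os.path.join(directory, "DhcpSrvLog-%s.log" % WEEKDAYS[date.weekday()])

def is_data_line(line):  # event rows are "NN,..."; the preamble's "NN<tab>meaning" lines are not
    return len(line) > 3 and line[:2].isdigit() and line[2] == ","

def parse_row(columns, line):
    """One CSV event row -> dict with the event meaning and a parsed local timestamp."""
    rec = dict(zip(columns, next(csv.reader([line]))))
    rec["meaning"] = EVENT_IDS.get(rec["ID"], "unknown event ID")
    try:  # Date is MM/DD/YY, Time is HH:MM:SS
        rec["timestamp"] = dt.datetime.strptime(rec["Date"] + " " + rec["Time"], "%m/%d/%y %H:%M:%S")
    except (KeyError, ValueError):  # malformed row: keep the fields, no timestamp
        rec["timestamp"] = None
    return rec

def first_data_row(fh):
    """First event row of an open binary file; None if only the preamble has been written."""
    fh.seek(0)
    return next((l for l in (r.decode("latin-1").rstrip("\r\n") for r in fh) if is_data_line(l)), None)

class DhcpLogFollower:
    """Tail one DhcpSrvLog-<Day>.log.  The service reuses the same seven names, so a 'rotation'
    is the file being truncated and rewritten in place (possibly growing past its old size) or
    briefly absent, never renamed.  A rewrite shows as a shrinking size or a changed first row."""

    def __init__(self, path):
        self.path, self.offset, self.first_row = path, 0, None
        self.columns, self.rotations = list(DEFAULT_COLUMNS), 0

    def poll(self):
        """Return records appended since the last poll ([] while the file does not exist)."""
        try:
            with open(self.path, "rb") as fh:
                row, size = first_data_row(fh), fh.seek(0, os.SEEK_END)
                if size < self.offset or (self.first_row is not None and row != self.first_row):
                    self.offset, self.rotations = 0, self.rotations + 1  # rewritten: start over
                self.first_row = row
                fh.seek(self.offset)
                records, self.offset = self._read_records(fh)
                return records
        except FileNotFoundError:
            return []

    def _read_records(self, fh):
        records, consumed = [], fh.tell()
        while True:
            raw = fh.readline()
            if not raw.endswith(b"\n"):  # EOF, or a line the service is still writing
                return records, consumed
            consumed = fh.tell()
            line = raw.decode("latin-1").rstrip("\r\n")
            if line.startswith("ID,Date,Time"):
                self.columns = line.split(",")  # the file declares its own column layout
            elif is_data_line(line):
                records.append(parse_row(self.columns, line))

# Constructed sample content in the real file's layout (not captured from a server).
PREAMBLE = ("\t\tMicrosoft DHCP Service Activity Log\r\n\r\nEvent ID  Meaning\r\n00\tThe log was started."
            "\r\n\r\nID,Date,Time,Description,IP Address,Host Name,MAC Address\r\n")
FRIDAY_1 = PREAMBLE + ("00,10/19/12,00:00:04,Started,,,,\r\n"
                       "10,10/19/12,00:02:07,Assign,192.168.1.50,ws01.example.local,0011223344AA,\r\n")
FRIDAY_2 = PREAMBLE + ("00,10/26/12,00:00:05,Started,,,,\r\n"  # one week later, same file name
                       "14,10/26/12,08:15:40,Scope full,,,,\r\n"
                       "15,10/26/12,08:16:02,NACK,192.168.1.77,,0011223344CC,\r\n"
                       "10,10/26/12,08:17:30,Assign,192.168.1.52,ws03.example.local,0011223344DD,\r\n")

def demo():
    """Drive the follower through absent file, append, partial line and rewrite; return what it saw."""
    with tempfile.TemporaryDirectory() as tmp:
        path, seen = os.path.join(tmp, "DhcpSrvLog-Fri.log"), {}
        follower = DhcpLogFollower(path)
        seen["absent"] = follower.poll()  # not yet created for this weekday: no error, just []
        for label, mode, data in [("day1", "wb", FRIDAY_1),
                                  ("partial", "ab", "12,10/19/12,00:05:00,Release,192.168.1.50"),
                                  ("complete", "ab", ",ws01.example.local,0011223344AA,\r\n"),
                                  ("day2", "wb", FRIDAY_2)]:  # rewritten in place, larger than before
            with open(path, mode) as fh:
                fh.write(data.encode("latin-1"))
            seen[label] = follower.poll()
        seen["rotations"], seen["friday"] = follower.rotations, os.path.basename(log_path_for(dt.date(2012, 10, 19)))
        return seen
```

On a real server you would construct `DhcpLogFollower(log_path_for(dt.date.today()))`, poll it on a timer, and swap to the next weekday's path after midnight; the rewrite check is what keeps it from losing the file when the same name is reused a week later, which is exactly the point at which a collector that remembers a fixed offset or file date gives up. The `size < offset` test alone is not enough on Windows, because the rewritten file can be larger than the old one within minutes, hence the comparison of the first event row as well.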