Okay, in order:

1. I'm using the OVA VM image from Graylog, so most of the configuration is 
already done. All I did was add a Connector with one nxlog input and one 
nxlog output, and then the GELF UDP input that the WinDHCP json created.

The WinDHCP input is configured like this:

WinDHCPLogs-gelf GELF UDP RUNNING
On node 771f3128 / graylog 
<http://172.30.39.100/system/nodes/771f3128-a581-433b-a561-613c6bb8c5bf>

   - bind_address: 0.0.0.0
   - decompress_size_limit: 8388608
   - override_source: <empty>
   - port: 5441
   - recv_buffer_size: 1048576

2. The nxlog.conf file is:

define ROOT C:\Program Files (x86)\nxlog

<Extension gelf>
  Module xm_gelf
</Extension>

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO

<Extension logrotate>
    Module  xm_fileop
    <Schedule>
        When    @daily
        Exec    file_cycle('%ROOT%\data\nxlog.log', 7);
     </Schedule>
</Extension>

<Input 588bc33f682c990374bab049>
Module im_file
File 'C:\Windows\System32\dhcp\DhcpSrvLog-*.log'
PollInterval 1
SavePos True
ReadFromLast True
Recursive False
RenameCheck True
Exec $FileName = file_name(); # Send file name with each message
</Input>

<Output 588bc2db682c990374baafe0>
Module om_udp
Host re.da.ct.ed
Port 5441
OutputType  GELF
Exec $short_message = $raw_event; # Avoids truncation of the short_message field.
Exec $gl2_source_collector = '9960a8cd-7abe-4021-939f-89b22909aa32';
Exec $Hostname = hostname_fqdn();
</Output>

<Route route-0>
  Path 588bc33f682c990374bab049 => 588bc2db682c990374baafe0
</Route>

3. collector_sidecar.yml is this:

server_url: http://re.da.ct.ed:9000/api 
update_interval: 10
tls_skip_verify: false
send_status: true
list_log_files:
node_id: NS1
collector_id: file:C:\Program Files\graylog\collector-sidecar\collector-id
cache_path: C:\Program Files\graylog\collector-sidecar\cache
log_path: C:\Program Files\graylog\collector-sidecar\logs
log_rotation_time: 86400
log_max_age: 604800
tags:
    - dhcp
backends:
    - name: nxlog
      enabled: true
      binary_path: C:\Program Files (x86)\nxlog\nxlog.exe
      configuration_path: C:\Program Files\graylog\collector-sidecar\generated\nxlog.conf
    - name: winlogbeat
      enabled: false
      binary_path: C:\Program Files\graylog\collector-sidecar\winlogbeat.exe
      configuration_path: C:\Program Files\graylog\collector-sidecar\generated\winlogbeat.yml
    - name: filebeat
      enabled: false
      binary_path: C:\Program Files\graylog\collector-sidecar\filebeat.exe
      configuration_path: C:\Program Files\graylog\collector-sidecar\generated\filebeat.yml
On Friday, February 3, 2017 at 3:21:21 AM UTC-6, Jochen Schalanda wrote:
>
> Hi Rob,
>
> How did you configure Graylog? Which inputs did you create and how did you 
> configure them?
> How did you configure the Graylog Collector Sidecar and what's the 
> generated nxlog configuration?
>
> Cheers,
> Jochen
>
> On Thursday, 2 February 2017 23:30:20 UTC+1, Rob Repp wrote:
>>
>> I set up a Graylog 2.1.2 server by deploying the downloadable OVA from 
>> graylog.org. I'm trying to monitor a Windows 2008 R2 server with the 
>> DHCP role installed. The DHCP server deposits activity data into log files 
>> at C:\Windows\System32\dhcp\DhcpSrvLog-*.log. I have collector-sidecar and 
>> nxlog installed on the Windows machine, and configured to send the log data 
>> back to a collector input on the Graylog server.
>>
>> My configuration is based on the WindowsDHCP content pack available in 
>> the Graylog marketplace. I imported the content pack json, 
>> configured collector-sidecar on Windows and the Graylog collector starting 
>> from the sample code at https://github.com/JulioQc/WinDHCP. 
>> Unfortunately, when I do "show messages" for the collector, there's nothing 
>> coming in.
>>
>> Has anyone had any success with this configuration? If not, is there a 
>> better method for monitoring Windows DHCP activity with Graylog? Thanks!
>>
>
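To check whether the GELF UDP input itself receives anything, independent of the sidecar and nxlog path, here is an added example (not from the thread or the WinDHCP content pack) that hand-builds the same GELF fields the nxlog output above sets and sends one DHCP log line to port 5441. The sample log line, the FQDN, the file name and the Graylog host argument are constructed placeholders; the port and the collector id are the ones posted in the thread.

```python
#!/usr/bin/env python3
"""Hand-built GELF UDP probe for the Graylog input discussed above.

Added example: it mimics the fields the nxlog om_udp/GELF output emits so
one raw DhcpSrvLog line can be pushed at the input without nxlog in the loop.
"""
import json
import socket
import sys
import time

# Values taken from the configuration posted in the thread.
GELF_PORT = 5441
SOURCE_COLLECTOR = "9960a8cd-7abe-4021-939f-89b22909aa32"

# Constructed sample line in the Windows DHCP server audit log format.
SAMPLE_LINE = "10,02/03/17,09:15:22,Assign,172.30.39.55,ws01.example.test,001122AABBCC"


def build_gelf(raw_event, hostname, file_name, collector_id=SOURCE_COLLECTOR):
    """Return the GELF 1.1 dict equivalent to what xm_gelf builds for one event.

    xm_gelf maps $Hostname -> host and $short_message -> short_message; every
    other nxlog field becomes an additional field prefixed with '_'.
    """
    if not raw_event:
        raise ValueError("short_message must not be empty")
    return {
        "version": "1.1",
        "host": hostname,
        "short_message": raw_event,
        "timestamp": round(time.time(), 3),
        "_FileName": file_name,
        "_gl2_source_collector": collector_id,
    }


def encode_gelf(msg):
    """Serialise to the single-datagram form om_udp sends (uncompressed JSON)."""
    data = json.dumps(msg).encode("utf-8")
    # Datagrams above roughly 8 KiB need GELF chunking; one log line never does.
    if len(data) > 8192:
        raise ValueError("message would need GELF chunking; not handled here")
    return data


def send_gelf(msg, host, port=GELF_PORT):
    """Fire one datagram at the input; then check 'Show received messages'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(encode_gelf(msg), (host, port))


if __name__ == "__main__":
    # The Graylog host is a placeholder argument; the thread redacts the real one.
    target = sys.argv[1] if len(sys.argv) > 1 else "graylog.example.test"
    send_gelf(build_gelf(SAMPLE_LINE, "ns1.example.test", "DhcpSrvLog-Fri.log"), target)
```

If the probe shows up on the input but the collector's own messages do not, the problem is on the sidecar/nxlog side rather than in the Graylog input.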

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/543d176c-bd2f-42fb-9fc9-66aa36a474d9%40googlegroups.com.