Note for you:

On Windows 2008 32-bit and 64-bit DHCP or Windows 2003 64-bit DHCP, I had to move
the DHCP folder and Audit Logs out to C:\DHCP for the OSSEC agent on the Windows
server to start to open and read the files. I then made the change to the
decoder you mentioned below and it works great now. Hope this helps!! Any questions
about it, feel free to email me.

-Derek

> Ok, the IPv6 logs decoder was working. However, the IPv4 decoder was not.
> The prematch that you had in the IPv4 was looking for a 4 digit year field
> instead of a 2 digit year. Looking back at the log samples I provided, they
> DO have a 4 digit year. The only thing I can think happened is that I
> imported the logs into excel to remove duplicate IDs and it must have
> changed the date field from a 2 digit year to a 4 digit year... Oops! I made
> the following change to the decoder and now it works.
>
> From
> <prematch>^\d\d,\d+/\d+/\d\d\d\d,\d+:\d+:\d+,</prematch>
> To
> <prematch>^\d\d,\d+/\d+/\d+,\d+:\d+:\d+,</prematch>
> OR
> <prematch>^\d\d,\d+/\d+/\d\d,\d+:\d+:\d+,</prematch>
>
> As far as the problem of the ossec-agent not being able to read the file,
> I'm not sure why that is cropping up. The ossec-agent I had on my dhcp
> server wasn't logging properly. I uninstalled the agent and reinstalled it
> and now it's logging. I'll see what else I can come up with from the logs.
> It does appear that after a week, the agent no longer detects changes to the
> log files until either the DHCP service is restarted or the ossec agent is
> restarted. Any idea why that would be happening?
>
> I've tried to tell the ossec-agent to look just at
> %windir%\system32\dhcp\*.log and defined all of the following logs. In both
> cases, it stops detecting changes to the logs after one week.
>
> I don't know how the ossec-agent determines there have been changes to a
> log. Is it when it detects a change in the log file itself or does it look
> at the timestamp or compare the file hash?
>
> The way that the MS DHCP server logs is as follows: It writes to a log file
> per day in the following format.
>
> 05/24/2009  12:00 AM           160,246 DhcpSrvLog-Sat.log
> 05/25/2009  12:00 AM           202,731 DhcpSrvLog-Sun.log
> 05/26/2009  12:00 AM           159,728 DhcpSrvLog-Mon.log
> 05/27/2009  12:00 AM           237,552 DhcpSrvLog-Tue.log
> 05/28/2009  12:00 AM           218,171 DhcpSrvLog-Wed.log
> 05/29/2009  12:00 AM           284,141 DhcpSrvLog-Thu.log
> 05/29/2009  01:12 PM           145,251 DhcpSrvLog-Fri.log
>
> When the day is over and it's time to move to the next log file, it clears
> the previous week's daily file and starts over. When it clears the log file,
> the log always begins with the following;
>
> <file>
>                      Microsoft DHCP Service Activity Log
> <blank line>
> <blank line>
> Event ID  Meaning
> 00        The log was started.
> 01        The log was stopped.
> 02        The log was temporarily paused due to low disk space.
> 10        A new IP address was leased to a client.
> 11        A lease was renewed by a client.
> 12        A lease was released by a client.
> 13        An IP address was found to be in use on the network.
> 14        A lease request could not be satisfied because the scope's
>           address pool was exhausted.
> 15        A lease was denied.
> 16        A lease was deleted.
> 17        A lease was expired.
> 20        A BOOTP address was leased to a client.
> 21        A dynamic BOOTP address was leased to a client.
> 22        A BOOTP request could not be satisfied because the scope's
>           address pool for BOOTP was exhausted.
> 23        A BOOTP IP address was deleted after checking to see it was
>           not in use.
> 24        IP address cleanup operation has began.
> 25        IP address cleanup statistics.
> 30        DNS update request to the named DNS server
> 31        DNS update failed
> 32        DNS update successful
> 50+       Codes above 50 are used for Rogue Server Detection information.
> <blank line>
> ID,Date,Time,Description,IP Address,Host Name,MAC Address
> <insert events here and below, one alert per line>
> </file>
>
> Thanks again,
>
> phishphreek
>

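The three prematch variants from the quoted reply, tried against a Microsoft DHCP activity log with both two- and four-digit years. This is an added example, not code from the thread or from OSSEC; the log lines and field values are constructed in the layout quoted above, and the Python regexes are a hand translation of the OSSEC prematch syntax.

```python
import re

# Constructed sample in the layout of the quoted Microsoft DHCP activity log:
# header block, then "ID,Date,Time,Description,IP Address,Host Name,MAC Address".
# Dates deliberately mix 2-digit and 4-digit years to reproduce the mismatch.
SAMPLE_LOG = """\
                     Microsoft DHCP Service Activity Log

ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,05/29/09,00:00:01,Started,,,,
10,05/29/09,08:15:42,Assign,192.0.2.10,host1.example.test,001122334455,
11,05/29/2009,08:16:03,Renew,192.0.2.11,host2.example.test,00112233AABB,
15,05/29/09,09:02:17,NACK,192.0.2.12,,00AABBCCDDEE,
"""

# The prematch expressions from the thread, translated to Python syntax
# (\d, + and the leading ^ carry the same meaning as in the OSSEC decoder).
PREMATCH_4DIGIT = re.compile(r"^\d\d,\d+/\d+/\d\d\d\d,\d+:\d+:\d+,")  # original
PREMATCH_2DIGIT = re.compile(r"^\d\d,\d+/\d+/\d\d,\d+:\d+:\d+,")      # 2-digit only
PREMATCH_ANYLEN = re.compile(r"^\d\d,\d+/\d+/\d+,\d+:\d+:\d+,")       # either

FIELDS = ("id", "date", "time", "description", "ip", "host", "mac")


def decode(text, prematch):
    """Return one dict per line that passes prematch; header and blank lines,
    and any event whose date layout the prematch rejects, are silently dropped
    (which is exactly how a too-strict prematch hides events in OSSEC)."""
    events = []
    for line in text.splitlines():
        if not prematch.match(line):
            continue
        parts = line.split(",")
        events.append(dict(zip(FIELDS, parts[: len(FIELDS)])))
    return events


def match_counts(text):
    """How many events each prematch variant would hand on to the decoder."""
    return {
        "4digit": len(decode(text, PREMATCH_4DIGIT)),
        "2digit": len(decode(text, PREMATCH_2DIGIT)),
        "anylen": len(decode(text, PREMATCH_ANYLEN)),
    }


if __name__ == "__main__":
    print(match_counts(SAMPLE_LOG))  # {'4digit': 1, '2digit': 3, 'anylen': 4}
    for ev in decode(SAMPLE_LOG, PREMATCH_ANYLEN):
        print(ev["id"], ev["date"], ev["description"], ev["ip"], ev["mac"])
```

The `\d+` year form is the safe choice when the same decoder has to cover logs that were exported or edited elsewhere, since the other two each drop whichever layout they were not written for.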