What we do is move the DHCP files out to a different directory like C:\DHCP and it works fine on 2008 and 2012.
On Tuesday, October 23, 2012 3:34:47 PM UTC-4, Brian Sims wrote:
>
> I see there is an MS DHCP parser, but I'm not having much success in
> getting it to work in a stable fashion. The log file names are
> DhcpSrvLog-Sun.log, DhcpSrvLog-Mon.log, etc. and so rotate on a weekly basis
> - the naming convention is not configurable.
>
> The first agent config sample my google-fu turned up was the following:
>
> <ossec_config>
> <localfile>
> <location>%windir%\system32\dhcp\*.log</location>
> <log_format>syslog</log_format>
> </localfile>
> </ossec_config>
>
> That did not work as MS logs can't be wildcarded. I then added the
> individual log files:
>
> <localfile>
> <location>%windir%\system32\dhcp\Audit\DhcpSrvLog-Sun.log</location>
> <log_format>syslog</log_format>
> </localfile>
> <localfile>
> <location>%windir%\system32\dhcp\Audit\DhcpSrvLog-Mon.log</location>
> <log_format>syslog</log_format>
> </localfile>
> <localfile>
> <location>%windir%\system32\dhcp\Audit\DhcpSrvLog-Tue.log</location>
> <log_format>syslog</log_format>
> </localfile>
> <localfile>
> <location>%windir%\system32\dhcp\Audit\DhcpSrvLog-Wed.log</location>
> <log_format>syslog</log_format>
> </localfile>
> <localfile>
> <location>%windir%\system32\dhcp\Audit\DhcpSrvLog-Thu.log</location>
> <log_format>syslog</log_format>
> </localfile>
> <localfile>
> <location>%windir%\system32\dhcp\Audit\DhcpSrvLog-Fri.log</location>
> <log_format>syslog</log_format>
> </localfile>
> <localfile>
> <location>%windir%\system32\dhcp\Audit\DhcpSrvLog-Sat.log</location>
> <log_format>syslog</log_format>
> </localfile>
>
> This seemed to work at first... but it doesn't seem to handle the rotation
> and dies when the next log day up is rotated. That's the current log -
> and so the important one. This occurs shortly after the nightly rotation:
>
> 2012/10/19 00:02:07 ossec-agent(1117): ERROR: Error handling file 'C:\WINDOWS\system32\dhcp\Audit\DhcpSrvLog-Fri.log' (date).
> 2012/10/19 00:02:07 ossec-agent(1103): ERROR: Unable to open file 'C:\WINDOWS\system32\dhcp\Audit\DhcpSrvLog-Fri.log'.
> 2012/10/19 00:06:36 ossec-agent(1904): INFO: File not available, ignoring it: 'C:\WINDOWS\system32\dhcp\Audit\DhcpSrvLog-Fri.log'.
>
> OSSEC seems to handle other log rotation gracefully, so not sure why this
> is problematic. Given there's a bundled MS DHCP parser, it'd seem that
> someone must have gotten this successfully working...
>
> TIA,
> Brian
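As an added check (not code from this thread or from the OSSEC project): the Python script below parses an agent's ossec.conf, flags any wildcard `<location>` entry (the original post reports wildcards do not work for these logs) and reports which of the seven DhcpSrvLog-<Day>.log files have no explicit `<localfile>` entry. It also renders the seven entries for a relocated directory such as the C:\DHCP mentioned in the reply. The sample config embedded in it is constructed, and wrapping the file in a synthetic root element is an assumption made so that a config with several top-level `<ossec_config>` blocks still parses.

```python
"""Check an OSSEC agent config for coverage of the Windows DHCP audit logs.

Added example, not part of the ossec-list thread or of OSSEC itself.
"""
import re
import xml.etree.ElementTree as ET

# The DHCP server rotates its audit log by weekday; the names are fixed.
DAYS = ("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")

# Constructed sample config: one wildcard entry (unsupported for these logs)
# plus explicit entries for Sun and Mon only, so Tue..Sat are uncovered.
SAMPLE_CONFIG = r"""
<ossec_config>
  <localfile>
    <location>%windir%\system32\dhcp\*.log</location>
    <log_format>syslog</log_format>
  </localfile>
</ossec_config>
<ossec_config>
  <localfile>
    <location>C:\DHCP\DhcpSrvLog-Sun.log</location>
    <log_format>syslog</log_format>
  </localfile>
  <localfile>
    <location>C:\DHCP\DhcpSrvLog-Mon.log</location>
    <log_format>syslog</log_format>
  </localfile>
</ossec_config>
"""

DAY_FILE_RE = re.compile(r"DhcpSrvLog-(Sun|Mon|Tue|Wed|Thu|Fri|Sat)\.log$", re.IGNORECASE)


def localfile_locations(config_text):
    """Return every <location> value in the config, in document order.

    ossec.conf may hold several top-level <ossec_config> blocks, which is not a
    single well-formed XML document, so the text is wrapped in a synthetic root
    (an assumption of this example, not something OSSEC does).
    """
    root = ET.fromstring("<root>" + config_text + "</root>")
    return [loc.text.strip() for loc in root.iter("location") if loc.text]


def check_dhcp_coverage(config_text):
    """Report wildcard locations and weekday files lacking an explicit entry."""
    locations = localfile_locations(config_text)
    wildcards = [loc for loc in locations if "*" in loc or "?" in loc]
    covered = set()
    for loc in locations:
        match = DAY_FILE_RE.search(loc)
        if match:
            covered.add(match.group(1).capitalize())
    missing = [day for day in DAYS if day not in covered]
    return {"wildcards": wildcards, "missing_days": missing}


def render_localfile_entries(base_dir, log_format="syslog"):
    """Emit one explicit <localfile> block per weekday file under base_dir."""
    base = base_dir.rstrip("\\")
    blocks = []
    for day in DAYS:
        path = base + "\\DhcpSrvLog-" + day + ".log"
        blocks.append(
            "  <localfile>\n"
            f"    <location>{path}</location>\n"
            f"    <log_format>{log_format}</log_format>\n"
            "  </localfile>\n"
        )
    return "".join(blocks)


if __name__ == "__main__":
    result = check_dhcp_coverage(SAMPLE_CONFIG)
    print("wildcard entries (not supported for these logs):", result["wildcards"])
    print("weekday files with no <localfile> entry:", result["missing_days"])
    print("entries for a relocated log directory:")
    print(render_localfile_entries(r"C:\DHCP"))
```

Run it against a real agent config by passing the file contents to `check_dhcp_coverage`; an empty `missing_days` list and an empty `wildcards` list means all seven weekday files are collected explicitly. If you relocate the audit logs as the reply suggests, the DhcpServer PowerShell module's `Set-DhcpServerAuditLog -Path` cmdlet (Windows Server 2012 and later) changes the directory; feed the same directory to `render_localfile_entries` so the config and the server agree.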