Nxlog Configuration for Windows DHCP, IIS to send to logstash
## See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
## Config file structure
##
## nxLog Directory Locations
## Extensions
## IIS Log Parsing Modules (If IIS is detected)
## Input Modules
## Dedupe for Windows Logs
## Output Modules
## Route Modules
##
# Tested on Server 2008, Server 2008 R2
# Adjust Out modules based on your own logstash configurations
# Install root; every other path below is derived from it. nxlog will not
# start if this does not point at the real install directory.
define ROOT C:\Program Files (x86)\nxlog
# Runtime state: SavePos offsets (CacheDir), spool, pid file and the agent's own log.
CacheDir %ROOT%\data
SpoolDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
LogFile %ROOT%\data\nxlog.log
# Where the loadable modules (xm_*, im_*, om_*, pm_*) are found.
Moduledir %ROOT%\modules
# Agent log verbosity; raise to DEBUG only while troubleshooting parsing.
LogLevel INFO
#Extensions----------------------------------------------------------------------------------
# xm_json supplies to_json(), used by the DHCP and IIS inputs to serialise all
# parsed fields into the $Message string that is shipped.
<Extension json>
    Module xm_json
</Extension>
# xm_gelf supplies "OutputType GELF" for the om_udp outputs further down.
<Extension gelf>
    Module xm_gelf
</Extension>
# Optional: xm_fileop provides file_write(). Enable it together with the
# commented file_write lines in the DHCP_Out output to dump events to a local
# file while debugging.
#<Extension fileop>
#    Module xm_fileop
#</Extension>
#Extensions----------------------------------------------------------------------------------
# Inputs below: the Windows Event Log, the DHCP server audit log and the IIS W3C log folder.
# The ParseDHCP and w3c1 extensions define the column lists for the CSV/W3C files; copy the
# field names from the header line of the log files on the target server if they differ.
# Windows Event Log
# Windows Event Log via the Vista+ API. There is no Query directive, so the
# module's default channel selection applies (see the im_msvistalog manual);
# add a Query to restrict channels or event IDs if volume is a concern.
<Input in>
    Module im_msvistalog
</Input>
#Fields obtained from DHCP Server logs
# Column list for the DHCP server audit log (DhcpSrvLog-*.log). parse_csv()
# assigns positionally, so the order here must match the header line the DHCP
# service writes at the top of each file on the target server.
<Extension ParseDHCP>
    Module xm_csv
    Delimiter ','
    Fields $ID, $Date, $Time, $Description, $IPAddress, $ReportedHostname, $MACAddress, $UserName, $TransactionID, $QResult, $Probationtime, $CorrelationID, $Dhcid, $VendorClass(Hex), $VendorClass(ASCII), $UserClass(Hex), $UserClass(ASCII), $RelayAgentInformation, $DnsRegError
</Extension>
#Used to parse IIS w3c logs, fields are based on logs and may differ based on the system using w3c formatted logs
# Column list for IIS W3C logs. IIS records the actual column order in the
# '#Fields:' header of every log file; this list appears to be the stock IIS
# selection, so compare it against that header on each server and adjust
# whenever a site logs additional or reordered fields.
<Extension w3c1>
    Module xm_csv
    Delimiter ' '
    Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $cs(User-Agent), $sc-status, $sc-substatus, $sc-win32-status, $time-taken
</Extension>
#DHCP logs are assumed to be in the default location.
#Use "Sysnative" in the DHCP log path when a 32-bit nxlog must reach the real System32 directory on a 64-bit system.
#Use "System32" in the DHCP log path on 32-bit systems.
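# Windows DHCP server audit log (default location). "Sysnative" lets a 32-bit
# nxlog reach the real System32 on a 64-bit OS; use "System32" on 32-bit.
#
# Each data row starts with a two-digit event ID; the file header (column
# names and the ID legend) does not, and is dropped. $IDdef and $QResultDef
# carry the human-readable meaning of the ID and QResult columns.
#
# NOTE(review): the DHCP service writes $Date as MM/DD/YY in local time;
# confirm parsedate() accepts that form on the target nxlog version, otherwise
# $EventTime is left unset and the receiver falls back to arrival time.
<Input DHCP_IN>
    Module im_file
    File "C:\\Windows\\Sysnative\\dhcp\\DhcpSrvLog-*.log"
    # Persist the read offset so a restart does not re-ship the whole file.
    SavePos TRUE
    InputType LineBased
    # Set BEFORE parsing on purpose: to_json() below serialises every field,
    # so the raw line travels inside the JSON document as "Message".
    Exec $Message = $raw_event;
    # QResult is the 10th CSV column. The check below anchors on exactly nine
    # comma-terminated fields; the earlier form (^.+,.+,...,0,) used greedy
    # wildcards that could also match a "0" field at a later position and
    # backtracked heavily on every line.
    Exec if $raw_event =~ /^[0-9][0-9],/ \
         { \
             ParseDHCP->parse_csv(); \
             if $raw_event =~ /^00/ $IDdef = "The log was started."; \
             if $raw_event =~ /^01/ $IDdef = "The log was stopped."; \
             if $raw_event =~ /^02/ $IDdef = "The log was temporarily paused due to low disk space."; \
             if $raw_event =~ /^10/ $IDdef = "A new IP address was leased to a client."; \
             if $raw_event =~ /^11/ $IDdef = "A lease was renewed by a client."; \
             if $raw_event =~ /^12/ $IDdef = "A lease was released by a client."; \
             if $raw_event =~ /^13/ $IDdef = "An IP address was found to be in use on the network."; \
             if $raw_event =~ /^14/ $IDdef = "A lease request could not be satisfied because the scope's address pool was exhausted."; \
             if $raw_event =~ /^15/ $IDdef = "A lease was denied."; \
             if $raw_event =~ /^16/ $IDdef = "A lease was deleted."; \
             if $raw_event =~ /^17/ $IDdef = "A lease was expired and DNS records for an expired leases have not been deleted."; \
             if $raw_event =~ /^18/ $IDdef = "A lease was expired and DNS records were deleted."; \
             if $raw_event =~ /^20/ $IDdef = "A BOOTP address was leased to a client."; \
             if $raw_event =~ /^21/ $IDdef = "A dynamic BOOTP address was leased to a client."; \
             if $raw_event =~ /^22/ $IDdef = "A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted."; \
             if $raw_event =~ /^23/ $IDdef = "A BOOTP IP address was deleted after checking to see it was not in use."; \
             if $raw_event =~ /^24/ $IDdef = "IP address cleanup operation has began."; \
             if $raw_event =~ /^25/ $IDdef = "IP address cleanup statistics."; \
             if $raw_event =~ /^30/ $IDdef = "DNS update request to the named DNS server."; \
             if $raw_event =~ /^31/ $IDdef = "DNS update failed."; \
             if $raw_event =~ /^32/ $IDdef = "DNS update successful."; \
             if $raw_event =~ /^33/ $IDdef = "Packet dropped due to NAP policy."; \
             if $raw_event =~ /^34/ $IDdef = "DNS update request failed.as the DNS update request queue limit exceeded."; \
             if $raw_event =~ /^35/ $IDdef = "DNS update request failed."; \
             if $raw_event =~ /^36/ $IDdef = "Packet dropped because the server is in failover standby role or the hash of the client ID does not match."; \
             if $raw_event =~ /^[5-9][0-9]/ $IDdef = "Codes above 50 are used for Rogue Server Detection information."; \
             if $raw_event =~ /^(?:[^,]*,){9}0,/ $QResultDef = "NoQuarantine"; \
             if $raw_event =~ /^(?:[^,]*,){9}1,/ $QResultDef = "Quarantine"; \
             if $raw_event =~ /^(?:[^,]*,){9}2,/ $QResultDef = "Drop Packet"; \
             if $raw_event =~ /^(?:[^,]*,){9}3,/ $QResultDef = "Probation"; \
             if $raw_event =~ /^(?:[^,]*,){9}6,/ $QResultDef = "No Quarantine Information ProbationTime:Year-Month-Day Hour:Minute:Second:MilliSecond."; \
             $host = hostname_fqdn(); \
             $EventTime = parsedate($Date + " " + $Time); \
             $SourceName = "DHCPEvents"; \
             $Message = to_json(); \
         } \
         else \
             drop();
</Input>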
# IIS W3C log folder for site W3SVC1 (one Input/Output pair per site; copy
# and renumber for further sites). The active glob matches every file in the
# folder, not just u_ex*.log, so keep that folder free of other files.
#
# The trailing "Z" assumes IIS is logging timestamps in UTC (the W3C default);
# drop it if the site is configured for local time. Note that cs-uri-query is
# shipped verbatim, so any tokens or secrets passed in query strings end up in
# the central log store.
#
# NOTE(review): "$Time" below is only meaningful if it resolves to the "$time"
# column set by parse_csv(); confirm field-name case handling for your nxlog
# version, otherwise the assignment just creates an extra field.
<Input IIS_IN_1>
    Module im_file
    #File "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*"
    File "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\*.*"
    SavePos TRUE
    # Directive lines ('#Software:', '#Fields:', ...) carry no request data.
    Exec if $raw_event =~ /^#/ drop(); \
         else \
         { \
             w3c1->parse_csv(); \
             $SourceName = "IIS"; \
             $SiteName = "Default Web Site"; \
             $host = hostname_fqdn(); \
             $EventTime = parsedate($date + " " + $time + "Z"); \
             $Time = ($Time +"Z"); \
             $Message = to_json(); \
         }
</Input>
# Collapses consecutive identical messages from the Event Log input. Be aware
# that for the Security channel this also collapses repeated identical events
# (e.g. bursts of failed logons), so counts seen downstream may be lower than
# what the host actually recorded.
<Processor dedupe>
    Module pm_norepeat
</Processor>
# Event Log destination. GELF over UDP is unauthenticated, unencrypted and
# lossy under load; for a security log pipeline prefer om_tcp or om_ssl with
# a matching GELF TCP/TLS input on the collector. GELF UDP payloads are also
# typically compressed, so the receiver must be a GELF input — a plain UDP
# line listener will only show binary data.
<Output out>
    Module om_udp
    Host gelflog.cshl.edu
    Port 12201
    OutputType GELF
</Output>
#Uncomment the Exec file_write lines to write the event to a local file. Useful for debugging (requires the xm_fileop extension above).
# DHCP destination (same collector as the other outputs). See the note on the
# "out" output: UDP gives no transport security or delivery guarantee.
# The commented file_write lines reference $json and $message; the input
# above only sets $Message (with to_json()), so check which field you intend
# to dump before enabling them.
<Output DHCP_Out>
    Module om_udp
    Host gelflog.cshl.edu
    Port 12201
    OutputType GELF
    #Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_json.log", $json);
    #Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_message.log", $message);
    #Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_raw.log", $raw_event);
</Output>
# IIS site 1 destination; same collector and same UDP caveats as "out".
<Output IIS_Out_1>
    Module om_udp
    Host gelflog.cshl.edu
    Port 12201
    OutputType GELF
</Output>
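# Routes wire each input to its output. Instance names below are spelled
# exactly as declared (DHCP_Out, IIS_IN_1); the previous DHCP_OUT / IIS_In_1
# only worked if the running nxlog ignores case in instance names.
<Route win_1>
    Path in => dedupe => out
</Route>
<Route DHCP>
    Path DHCP_IN => DHCP_Out
</Route>
<Route 1>
    Path IIS_IN_1 => IIS_Out_1
</Route>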
mshingote commented Mar 15, 2019

Using this config file I am getting all logs on the log server, but these logs are not readable (they might be encrypted or compressed).
How can I fix this issue?
