This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Collect the logs DNS and DHCP

Posted on 12-20-2023 08:14 AM
muniraja1
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hi All,

How to collect logs of the DNS and DHCP both services are running one server itself OS  is Windows.

 

Solved Solved
0 8 374
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
deeshu
Bronze 4
Bronze 4
In response to muniraja1
Reply posted on --/--/---- --:-- AM

your config seems incorrect. If you can share your config here I might catch the error.

View solution in original post

Jump to Solution
8 REPLIES 8

Posted on --/--/---- --:-- AM
deeshu
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

DNS - https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-windows-dns

DHCP - https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-windows-dhcp

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
muniraja1
Bronze 1
Bronze 1
In response to deeshu
Reply posted on --/--/---- --:-- AM

We are getting the below error in nxlog 

ERROR apr_sockaddr_info failed for %WINOUTPUT_DESTINATION_ADDRESS%:11518; No such host is known

Jump to Solution

Posted on --/--/---- --:-- AM
deeshu
Bronze 4
Bronze 4
In response to muniraja1
Reply posted on --/--/---- --:-- AM

your config seems incorrect. If you can share your config here I might catch the error.

Jump to Solution

Posted on --/--/---- --:-- AM
muniraja1
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM
Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files\nxlog
define WINDNS_OUTPUT_DESTINATION_ADDRESS  fwd IP
define WINDNS_OUTPUT_DESTINATION_PORT 11518
 
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf\nxlog.d
define LOGDIR   %ROOT%\data
 
include %CONFDIR%\\*.conf
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%
 
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
 
<Extension xml>
    Module      xm_xml
</Extension>
 
<Input winDNS_eventlog>
      Module  im_msvistalog
      <QueryXML>
          <QueryList>
              <Query Id="0">
               <Select Path="DNS Server">*</Select>
       <Select Path="Microsoft-Windows-DNSServer/Audit">*</Select>
              </Query>
          </QueryList>
      </QueryXML>
      ReadFromLast  TRUE
      SavePos  TRUE
  </Input>
 
<Output out_chronicle_windns>
    Module  om_tcp
    Host    %WINOUTPUT_DESTINATION_ADDRESS%
    Port    %WINDNS_OUTPUT_DESTINATION_PORT%
    Exec    $EventTime = integer($EventTime) / 1000;
    Exec    $EventReceivedTime = integer($EventReceivedTime) / 1000;
    Exec    to_json();
</Output>
 
<Route r3>
    Path winDNS_eventlog => out_chronicle_windns
</Route>
Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
deeshu
Bronze 4
Bronze 4
In response to muniraja1
Reply posted on --/--/---- --:-- AM

The variable name is not same as defined at the top and inside the output block. Inside the output block you should replace the existing to %WINDNS_OUTPUT_DESTINATION_ADDRESS%

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
muniraja1
Bronze 1
Bronze 1
In response to deeshu
Reply posted on --/--/---- --:-- AM

thanks for the replay.

After replacement still, I am facing the same issue.

<Output out_chronicle_windns>
Module om_tcp
Host %WINDNS_OUTPUT_DESTINATION_ADDRESS%
Port %WINDNS_OUTPUT_DESTINATION_PORT%
Exec to_json();
</Output>

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
deeshu
Bronze 4
Bronze 4
In response to muniraja1
Reply posted on --/--/---- --:-- AM

restart the nxlog service and post the latest error from nxlog log file

 

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
muniraja1
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hi 

 

above mentioned config file we are using to get the DNS logs. could you please help us. 

Jump to Solution