
Hi All,

How do I collect logs for both DNS and DHCP when both services are running on the same Windows server?

DNS - https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-windows-dns

DHCP - https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-windows-dhcp

We are getting the below error in nxlog:

ERROR apr_sockaddr_info failed for %WINOUTPUT_DESTINATION_ADDRESS%:11518; No such host is known

Your config seems incorrect. If you can share your config here, I might catch the error.


Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files\nxlog
define WINDNS_OUTPUT_DESTINATION_ADDRESS  fwd IP
define WINDNS_OUTPUT_DESTINATION_PORT 11518

define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf\nxlog.d
define LOGDIR   %ROOT%\data

include %CONFDIR%\*.conf
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension xml>
    Module      xm_xml
</Extension>

<Input winDNS_eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="DNS Server">*</Select>
                <Select Path="Microsoft-Windows-DNSServer/Audit">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    ReadFromLast  TRUE
    SavePos  TRUE
</Input>

<Output out_chronicle_windns>
    Module  om_tcp
    Host    %WINOUTPUT_DESTINATION_ADDRESS%
    Port    %WINDNS_OUTPUT_DESTINATION_PORT%
    Exec    $EventTime = integer($EventTime) / 1000;
    Exec    $EventReceivedTime = integer($EventReceivedTime) / 1000;
    Exec    to_json();
</Output>

<Route r3>
    Path winDNS_eventlog => out_chronicle_windns
</Route>

Hi,

The above-mentioned config file is what we are using to get the DNS logs. Could you please help us?

The variable name is not the same at the top and inside the output block. Inside the output block you should replace the existing one with %WINDNS_OUTPUT_DESTINATION_ADDRESS%.
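
The error message in the thread shows the symptom of this mismatch: nxlog never substituted the macro, so om_tcp tried to resolve the literal string %WINOUTPUT_DESTINATION_ADDRESS% as a hostname. As an added check that is not part of the thread or of nxlog itself, the Python snippet below scans an nxlog.conf for %NAME% references that have no matching define; the sample config and the 10.0.0.5 address are constructed.

```python
import re

# Constructed sample: the thread's failing Output block, trimmed, with a
# placeholder forwarder address instead of the redacted "fwd IP".
SAMPLE_CONF = """define ROOT C:\\Program Files\\nxlog
define WINDNS_OUTPUT_DESTINATION_ADDRESS  10.0.0.5
define WINDNS_OUTPUT_DESTINATION_PORT 11518
define LOGDIR   %ROOT%\\data
<Output out_chronicle_windns>
    Module  om_tcp
    Host    %WINOUTPUT_DESTINATION_ADDRESS%
    Port    %WINDNS_OUTPUT_DESTINATION_PORT%
</Output>
"""

# "define NAME value" lines declare macros; %NAME% tokens reference them.
DEFINE_RE = re.compile(r"^\s*define\s+(\w+)\s+(.*)$", re.IGNORECASE)
REF_RE = re.compile(r"%(\w+)%")


def find_undefined_macros(conf_text):
    """Return [(line_no, macro_name)] for every %NAME% reference that has
    no preceding define. An unresolved reference is what reaches om_tcp
    verbatim and produces 'apr_sockaddr_info failed for %NAME%:port'."""
    defined = set()
    problems = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        m = DEFINE_RE.match(line)
        if m:
            defined.add(m.group(1))
            # A define's value may itself reference earlier macros.
            for ref in REF_RE.findall(m.group(2)):
                if ref not in defined:
                    problems.append((line_no, ref))
            continue
        for ref in REF_RE.findall(line):
            if ref not in defined:
                problems.append((line_no, ref))
    return problems


if __name__ == "__main__":
    for line_no, name in find_undefined_macros(SAMPLE_CONF):
        print(f"line {line_no}: %{name}% is referenced but never defined")
```

Run it against the real nxlog.conf by reading the file into conf_text; a clean run reports nothing.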

Thanks for the reply.

After the replacement, I am still facing the same issue.

<Output out_chronicle_windns>
    Module  om_tcp
    Host    %WINDNS_OUTPUT_DESTINATION_ADDRESS%
    Port    %WINDNS_OUTPUT_DESTINATION_PORT%
    Exec    to_json();
</Output>

Restart the nxlog service and post the latest error from the nxlog log file.