mshingote · March 15, 2019 14:27
diff --git a/nxlog.conf b/nxlog.conf
 define ROOT C:\\Program Files (x86)\\nxlog

 Moduledir %ROOT%\modules
 CacheDir %ROOT%\data
 Pidfile %ROOT%\data\nxlog.pid
 SpoolDir %ROOT%\data
 LogFile %ROOT%\data\nxlog.log

 <Extension _syslog>
    Module      xm_syslog
 </Extension>

 <Input in>
    Module      im_msvistalog
 # For windows 2003 and earlier use the following:
 #   Module      im_mseventlog
 </Input>

 <Input DHCP_IN>
    Module      im_file
    File        "C:\\Windows\\system32\\dhcp\\DhcpSrvLog-*.log"
    SavePos     TRUE
    InputType   LineBased
    Exec $Message = $raw_event;
 	
 	#Exec if $raw_event =~ /^30/ \
 	#	log_info($raw_event);   \
 	#	$IDdef = "DNSUpdateRequest";
 		
    Exec if $raw_event =~ /^[0-9][0-9],/						\
 		{														\
 			ParseDHCP->parse_csv();	 							\
 			if $raw_event =~ /^00/ $IDdef = "The log was started.";	\
 			if $raw_event =~ /^01/ $IDdef = "The log was stopped.";	\
 			if $raw_event =~ /^02/ $IDdef = "The log was temporarily paused due to low disk space.";	\
 			if $raw_event =~ /^10/ $IDdef = "A new IP address was leased to a client.";	\
 			if $raw_event =~ /^11/ $IDdef = "A lease was renewed by a client.";	\
 			if $raw_event =~ /^12/ $IDdef = "A lease was released by a client.";	\
 			if $raw_event =~ /^13/ $IDdef = "An IP address was found to be in use on the network.";	\
 			if $raw_event =~ /^14/ $IDdef = "A lease request could not be satisfied because the scope's address pool was exhausted.";	\
 			if $raw_event =~ /^15/ $IDdef = "A lease was denied.";	\
 			if $raw_event =~ /^16/ $IDdef = "A lease was deleted.";	\
 			if $raw_event =~ /^17/ $IDdef = "A lease was expired and DNS records for an expired leases have not been deleted.";	\
 			if $raw_event =~ /^18/ $IDdef = "A lease was expired and DNS records were deleted.";	\
 			if $raw_event =~ /^20/ $IDdef = "A BOOTP address was leased to a client.";	\
 			if $raw_event =~ /^21/ $IDdef = "A dynamic BOOTP address was leased to a client.";	\
 			if $raw_event =~ /^22/ $IDdef = "A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted.";	\
 			if $raw_event =~ /^23/ $IDdef = "A BOOTP IP address was deleted after checking to see it was not in use.";	\
 			if $raw_event =~ /^24/ $IDdef = "IP address cleanup operation has began.";	\
 			if $raw_event =~ /^25/ $IDdef = "IP address cleanup statistics.";	\
 			if $raw_event =~ /^30/ $IDdef = "DNS update request to the named DNS server.";	\
 			if $raw_event =~ /^31/ $IDdef = "DNS update failed.";	\
 			if $raw_event =~ /^32/ $IDdef = "DNS update successful.";	\
 			if $raw_event =~ /^33/ $IDdef = "Packet dropped due to NAP policy.";	\
 			if $raw_event =~ /^34/ $IDdef = "DNS update request failed.as the DNS update request queue limit exceeded.";	\
 			if $raw_event =~ /^35/ $IDdef = "DNS update request failed.";	\
 			if $raw_event =~ /^36/ $IDdef = "Packet dropped because the server is in failover standby role or the hash of the client ID does not match.";	\
 			if $raw_event =~ /^[5-9][0-9]/ $IDdef = "Codes above 50 are used for Rogue Server Detection information.";	\
 			if $raw_event =~ /^.+,.+,.+,.+,.+,.+,.+,.+,0,/ $QResultDef = "NoQuarantine";	\
 			if $raw_event =~ /^.+,.+,.+,.+,.+,.+,.+,.+,1,/ $QResultDef = "Quarantine";	\
 			if $raw_event =~ /^.+,.+,.+,.+,.+,.+,.+,.+,2,/ $QResultDef = "Drop Packet";	\
 			if $raw_event =~ /^.+,.+,.+,.+,.+,.+,.+,.+,3,/ $QResultDef = "Probation";	\
 			if $raw_event =~ /^.+,.+,.+,.+,.+,.+,.+,.+,6,/ $QResultDef = "No Quarantine Information ProbationTime:Year-Month-Day Hour:Minute:Second:MilliSecond.";	\
 			$host			=	hostname_fqdn();				\
 			$EventTime 		= 	parsedate($Date + " " + $Time);	\
 			$SourceName 	= 	"DHCPEvents";					\
            $Message 		= 	to_json();						\
 		}														\
 		else													\
            drop();

 </Input>


 <Output out>
 Module      om_tcp
    Host        10.11.15.146
    Port        50007
    Exec        to_syslog_bsd();
 </Output>

 <Output outSyslogSrv>
    Module      om_tcp
    Host        10.11.15.146
    Port        50007
    Exec        to_syslog_bsd();
 </Output>

 <Route DHCP>
 	Path DHCP_IN => outSyslogSrv
 </Route>

 <Route win_1>
 	Path        in => dedupe => out
 </Route>
	define ROOT C:\\Program Files (x86)\\nxlog

	Moduledir %ROOT%\modules
	CacheDir %ROOT%\data
	Pidfile %ROOT%\data\nxlog.pid
	SpoolDir %ROOT%\data
	LogFile %ROOT%\data\nxlog.log

	<Extension _syslog>
	Module xm_syslog
	</Extension>

	<Input in>
	Module im_msvistalog
	# For windows 2003 and earlier use the following:
	# Module im_mseventlog
	</Input>

	<Input DHCP_IN>
	Module im_file
	File "C:\\Windows\\system32\\dhcp\\DhcpSrvLog-*.log"
	SavePos TRUE
	InputType LineBased
	Exec $Message = $raw_event;

	#Exec if $raw_event =~ /^30/ \
	# log_info($raw_event); \
	# $IDdef = "DNSUpdateRequest";

	Exec if $raw_event =~ /^[0-9][0-9],/ \
	{ \
	ParseDHCP->parse_csv(); \
	if $raw_event =~ /^00/ $IDdef = "The log was started."; \
	if $raw_event =~ /^01/ $IDdef = "The log was stopped."; \
	if $raw_event =~ /^02/ $IDdef = "The log was temporarily paused due to low disk space."; \
	if $raw_event =~ /^10/ $IDdef = "A new IP address was leased to a client."; \
	if $raw_event =~ /^11/ $IDdef = "A lease was renewed by a client."; \
	if $raw_event =~ /^12/ $IDdef = "A lease was released by a client."; \
	if $raw_event =~ /^13/ $IDdef = "An IP address was found to be in use on the network."; \
	if $raw_event =~ /^14/ $IDdef = "A lease request could not be satisfied because the scope's address pool was exhausted."; \
	if $raw_event =~ /^15/ $IDdef = "A lease was denied."; \
	if $raw_event =~ /^16/ $IDdef = "A lease was deleted."; \
	if $raw_event =~ /^17/ $IDdef = "A lease was expired and DNS records for an expired leases have not been deleted."; \
	if $raw_event =~ /^18/ $IDdef = "A lease was expired and DNS records were deleted."; \
	if $raw_event =~ /^20/ $IDdef = "A BOOTP address was leased to a client."; \
	if $raw_event =~ /^21/ $IDdef = "A dynamic BOOTP address was leased to a client."; \
	if $raw_event =~ /^22/ $IDdef = "A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted."; \
	if $raw_event =~ /^23/ $IDdef = "A BOOTP IP address was deleted after checking to see it was not in use."; \
	if $raw_event =~ /^24/ $IDdef = "IP address cleanup operation has began."; \
	if $raw_event =~ /^25/ $IDdef = "IP address cleanup statistics."; \
	if $raw_event =~ /^30/ $IDdef = "DNS update request to the named DNS server."; \
	if $raw_event =~ /^31/ $IDdef = "DNS update failed."; \
	if $raw_event =~ /^32/ $IDdef = "DNS update successful."; \
	if $raw_event =~ /^33/ $IDdef = "Packet dropped due to NAP policy."; \
	if $raw_event =~ /^34/ $IDdef = "DNS update request failed.as the DNS update request queue limit exceeded."; \
	if $raw_event =~ /^35/ $IDdef = "DNS update request failed."; \
	if $raw_event =~ /^36/ $IDdef = "Packet dropped because the server is in failover standby role or the hash of the client ID does not match."; \
	if $raw_event =~ /^[5-9][0-9]/ $IDdef = "Codes above 50 are used for Rogue Server Detection information."; \
	if $raw_event =~ /^.+,.+,.+,.+,.+,.+,.+,.+,0,/ $QResultDef = "NoQuarantine"; \
	if $raw_event =~ /^.+,.+,.+,.+,.+,.+,.+,.+,1,/ $QResultDef = "Quarantine"; \
	if $raw_event =~ /^.+,.+,.+,.+,.+,.+,.+,.+,2,/ $QResultDef = "Drop Packet"; \
	if $raw_event =~ /^.+,.+,.+,.+,.+,.+,.+,.+,3,/ $QResultDef = "Probation"; \
	if $raw_event =~ /^.+,.+,.+,.+,.+,.+,.+,.+,6,/ $QResultDef = "No Quarantine Information ProbationTime:Year-Month-Day Hour:Minute:Second:MilliSecond."; \
	$host = hostname_fqdn(); \
	$EventTime = parsedate($Date + " " + $Time); \
	$SourceName = "DHCPEvents"; \
	$Message = to_json(); \
	} \
	else \
	drop();

	</Input>


	<Output out>
	Module om_tcp
	Host 10.11.15.146
	Port 50007
	Exec to_syslog_bsd();
	</Output>

	<Output outSyslogSrv>
	Module om_tcp
	Host 10.11.15.146
	Port 50007
	Exec to_syslog_bsd();
	</Output>

	<Route DHCP>
	Path DHCP_IN => outSyslogSrv
	</Route>

	<Route win_1>
	Path in => dedupe => out
	</Route>