Error trying to collect DHCP logs from a Windows server.


ce...@castraconsulting.com

Sep 19, 2017, 2:46:46 PM
to ossec-list
Hello Team,

I am trying to collect DHCP logs from a Windows server. I have made the following settings in the agent conf file:
<localfile>
  <location>%windir%/System32/Dhcp/DhcpSrvLog-%a.log</location>
  <log_format>syslog</log_format>
</localfile>

But in the agent logs, I can see the following related messages:
2017/09/19 13:06:13 ossec-logcollector(1952): INFO: Monitoring variable log file: 'C:\Windows/System32/dhcp/DhcpSrvLog-Tue.log'. 
2017/09/19 13:06:13 ossec-logcollector(1103): ERROR: Could not open file 'C:\Windows/System32/dhcp/DhcpSrvLog-Tue.log' due to [(9)-(Bad file descriptor)]. 
2017/09/19 13:06:13 ossec-logcollector(1950): INFO: Analyzing file: 'C:\Windows/System32/dhcp/DhcpSrvLog-Tue.log'.

I am not sure what "Bad file descriptor" can mean. Any ideas as to what OSSEC is specifically complaining about?

I have tried changing the "/" to "\", but that doesn't help, as I get the same message.

Thanks!! 

alberto....@wazuh.com

Sep 21, 2017, 11:26:38 PM
to ossec-list
Hello Cesar

  This error sometimes happens when OSSEC tries to read a file which has a "strange" format. If the file has a "UTF-8" format, for example, there is no problem. But some Microsoft logs are in "UCS2-LE BOM", for example. Please verify this. If the file has a "strange" format, consider configuring the software to change the format, or configure OSSEC to read the DHCP server logs directly from the Windows Event Log Viewer.

Hope it helps. 
Best regards, 
Alberto R 
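
The encoding check suggested in the reply above can be done on the server by looking at the file's first bytes. This is an added PowerShell example, not part of the original thread and not OSSEC code; the function names and the sample line are made up for illustration, and the path in the last comment is the one shown in the agent log.

```powershell
# Added example, not OSSEC code: classify a text file's encoding from its first bytes.
function Get-EncodingFromBytes {
    param([byte[]]$Bytes)
    $n = $Bytes.Length
    if ($n -eq 0) { return 'empty' }

    # Byte-order marks, longest first: the UTF-32 LE BOM begins with the UTF-16 LE one.
    $head = -join ($Bytes[0..([Math]::Min(4, $n) - 1)] | ForEach-Object { $_.ToString('X2') })
    if ($head.StartsWith('FFFE0000')) { return 'UTF-32 LE (BOM)' }
    if ($head.StartsWith('0000FEFF')) { return 'UTF-32 BE (BOM)' }
    if ($head.StartsWith('EFBBBF'))   { return 'UTF-8 (BOM)' }
    if ($head.StartsWith('FFFE'))     { return 'UTF-16/UCS-2 LE (BOM)' }
    if ($head.StartsWith('FEFF'))     { return 'UTF-16/UCS-2 BE (BOM)' }

    # No BOM: mostly-ASCII text stored as 16-bit units has a NUL in every other byte.
    $evenNul = 0; $oddNul = 0; $high = 0
    for ($i = 0; $i -lt $n; $i++) {
        if ($Bytes[$i] -ge 0x80) { $high++ }
        if ($Bytes[$i] -eq 0) { if ($i % 2) { $oddNul++ } else { $evenNul++ } }
    }
    if (($evenNul -eq 0) -and ($oddNul -gt 0.2 * $n)) { return 'UTF-16/UCS-2 LE (no BOM, heuristic)' }
    if (($oddNul -eq 0) -and ($evenNul -gt 0.2 * $n)) { return 'UTF-16/UCS-2 BE (no BOM, heuristic)' }
    if (($evenNul + $oddNul) -gt 0) { return 'unknown (NUL bytes present)' }
    if ($high -gt 0) { return '8-bit or UTF-8 text (no BOM)' }
    return 'ASCII'
}

function Get-LogEncoding {
    param([Parameter(Mandatory = $true)][string]$Path)
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    # FileShare.ReadWrite allows the read while another process holds the log open for writing.
    $fs = [System.IO.File]::Open($full, [System.IO.FileMode]::Open,
        [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $buf = New-Object byte[] 4096
        $read = $fs.Read($buf, 0, $buf.Length)
    } finally { $fs.Dispose() }
    if ($read -eq 0) { return 'empty' }
    return Get-EncodingFromBytes -Bytes ($buf[0..($read - 1)])
}

# Constructed sample line (not real DHCP log content), encoded three ways.
$line = "10,09/19/17,13:06:13,sample`r`n"
$utf16 = [System.Text.Encoding]::Unicode
Get-EncodingFromBytes ([System.Text.Encoding]::ASCII.GetBytes($line))
Get-EncodingFromBytes ($utf16.GetPreamble() + $utf16.GetBytes($line))
Get-EncodingFromBytes ($utf16.GetBytes($line))
# On the server: Get-LogEncoding 'C:\Windows\System32\dhcp\DhcpSrvLog-Tue.log'
```

UCS-2 LE and UTF-16 LE share the same FF FE byte-order mark, so the two are reported together.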