Wazuh agent cannot open Windows DHCP log


Bjarne Bach Jensen

Mar 23, 2020, 2:12:03 AM
to Wazuh mailing list
I want to use the Wazuh agent to ship Windows DHCP logs to Elastic, but I cannot figure out why this is not working. 

I get this error in the ossec.log on the client side:
2020/03/23 06:55:48 ossec-agent[8380] logcollector.c:139 at LogCollectorStart(): INFO: Windows version is 6.0 or newer. (Microsoft Windows Server 2012 R2 Standard [Ver: 6.3.9600] - Wazuh v3.11.1).
2020/03/23 06:55:48 ossec-agent[8380] logcollector.c:154 at LogCollectorStart(): DEBUG: Entering LogCollectorStart().
2020/03/23 06:55:48 ossec-agent[8380] logcollector.c:794 at update_fname(): INFO: (1952): Monitoring variable log file: 'C:\Windows\System32\dhcp\DhcpSrvLog-Mon.log'.
2020/03/23 06:55:48 ossec-agent[8380] logcollector.c:856 at handle_file(): ERROR: (1103): Could not open file 'C:\Windows\System32\dhcp\DhcpSrvLog-Mon.log' due to [(3)-(The system cannot find the path specified.)].
2020/03/23 06:55:48 ossec-agent[8380] logcollector.c:918 at handle_file(): DEBUG: (1962): Unable to open file 'C:\Windows\System32\dhcp\DhcpSrvLog-Mon.log'. Remaining attempts: 7
2020/03/23 06:55:48 ossec-agent[8380] logcollector.c:1077 at set_read(): DEBUG: Socket target for 'C:\Windows\System32\dhcp\DhcpSrvLog-Mon.log' -> agent
2020/03/23 06:55:48 ossec-agent[8380] logcollector.c:267 at LogCollectorStart(): INFO: (1950): Analyzing file: 'C:\Windows\System32\dhcp\DhcpSrvLog-Mon.log'.

It keeps trying and the "Remaining attempts" counts down.

In ossec.conf I have this:
  <!-- Log analysis -->
  <localfile>
    <!-- <location>c:\temp\wazuh3\DhcpSrvLog-%a.log</location> -->
    <location>%SystemRoot%\System32\dhcp\DhcpSrvLog-%a.log</location>
    <log_format>syslog</log_format>
  </localfile>

If I copy the logfile to c:\temp\wazuh3 and change ossec.conf to that path, it works fine.
If I copy the path "C:\Windows\System32\dhcp\DhcpSrvLog-Mon.log" from the ossec.log and paste it into file explorer on the client it will open the log file, so the path is correct. 
I also tried with a specific path in ossec.conf like: "C:\Windows\System32\dhcp\DhcpSrvLog-Mon.log" instead of "%SystemRoot%\System32\dhcp\DhcpSrvLog-%a.log", that also did not make any difference. 

I have also tried starting the Wazuh server with a domain admin user, but still it does not work. 

Any ideas?

José Gómez

Mar 23, 2020, 2:46:06 AM
to Wazuh mailing list
Hello,

Have you double-checked that you have the needed permissions to access C:\Windows\System32\dhcp?
You probably will need to move the dhcp log out of the default system directory.

Regards,
Jose.

Bjarne Bach Jensen

Mar 23, 2020, 3:13:06 AM
to Wazuh mailing list
I am pretty sure permissions are okay. I also tried to run the Wazuh service with a domain admin account. 

Could it be related to this problem:

It looks like in this case there is a specific problem with reading from the System32 folder.

José Gómez

Mar 23, 2020, 3:46:39 AM
to Wazuh mailing list
Seems to be an issue when a 64-bit system tries to run a 32-bit application.
Can you try to use the sysnative alias? I would say if you use %SystemRoot%\SysWOW64\dhcp\DhcpSrvLog-%a.log it should work.

Bjarne Bach Jensen

Mar 23, 2020, 4:24:26 AM
to Wazuh mailing list
It now works by using this path:
<location>%SystemRoot%\Sysnative\dhcp\DhcpSrvLog-%a.log</location>

Thank you a thousand times :-)
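The cause José describes and the fix above (a 32-bit agent process on 64-bit Windows has its System32 accesses redirected by WOW64, so only the Sysnative alias reaches the real DHCP log directory) can be modelled with a small helper. This is an added example, not Wazuh's own code; it assumes the agent runs as a 32-bit process, and the sample date is constructed from the thread's log timestamps.

```python
import platform
import re
import sys
import time

# Matches the System32 path component with either slash style (case-insensitive).
SYSTEM32_RE = re.compile(r"(?i)([\\/])System32([\\/])")

# Constructed sample: the Monday on which the ossec.log lines in the thread were written.
SAMPLE_DAY = time.strptime("2020-03-23", "%Y-%m-%d")


def is_wow64_redirected(process_is_64bit: bool, os_is_64bit: bool) -> bool:
    """A 32-bit process on 64-bit Windows runs under WOW64, which silently
    redirects %SystemRoot%\\System32 to %SystemRoot%\\SysWOW64. The DHCP server
    writes its logs to the real 64-bit System32, so the redirected open fails
    with 'The system cannot find the path specified', as in the ossec.log above."""
    return os_is_64bit and not process_is_64bit


def sysnative_location(location: str, process_is_64bit: bool, os_is_64bit: bool) -> str:
    """Return the <location> value to configure: swap System32 for the Sysnative
    alias when redirection applies, otherwise leave the path untouched."""
    if not is_wow64_redirected(process_is_64bit, os_is_64bit):
        return location
    return SYSTEM32_RE.sub(r"\1Sysnative\2", location, count=1)


def expand_location(location: str, system_root: str, when: time.struct_time) -> str:
    """Expand %SystemRoot% and the strftime token (%a = weekday abbreviation) so the
    result is the concrete file name the agent reports in 'Monitoring variable log file'."""
    return time.strftime(location.replace("%SystemRoot%", system_root), when)


def localfile_block(location: str) -> str:
    """Render the ossec.conf <localfile> entry for a DHCP log at `location`."""
    return (
        "  <localfile>\n"
        f"    <location>{location}</location>\n"
        "    <log_format>syslog</log_format>\n"
        "  </localfile>"
    )


if __name__ == "__main__":
    # On Windows, platform.machine() is expected to report the native architecture
    # even under WOW64; sys.maxsize reveals the width of this Python process.
    os_64 = platform.machine().lower() in ("amd64", "x86_64", "arm64")
    proc_64 = sys.maxsize > 2**32
    fixed = sysnative_location(r"%SystemRoot%\System32\dhcp\DhcpSrvLog-%a.log", proc_64, os_64)
    print(localfile_block(fixed))
    print("today's file:", expand_location(fixed, r"C:\Windows", time.localtime()))
```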

Lee Seeman

Sep 27, 2022, 10:42:02 AM
to Wazuh mailing list
Thank you as well, this was helpful. I'm hoping the syslog format will parse and ingest cleanly.