Ingest Logs from Windows DHCP using Elasticsearch Filebeat

Extend Cortex® XDR™ visibility into logs from Windows DHCP using Elasticsearch Filebeat.
Ingesting logs and data requires a Cortex® XDR™ Pro per TB license.
To receive Windows DHCP logs, you must configure data collection from Windows DHCP via Elasticsearch Filebeat. This is configured by setting up a Windows DHCP Collector in Cortex XDR and installing and configuring an Elasticsearch* Filebeat agent on your Windows DHCP Server.
Certain settings in the Elasticsearch Filebeat default configuration file, filebeat.yml, must be populated with values provided when you configure the Collection Integrations settings in Cortex XDR for the Windows DHCP Collector. After you set up the collection integration, Cortex XDR begins receiving new logs and data from the source.
For more information on configuring the filebeat.yml file, see the Elastic Filebeat documentation.
Windows DHCP logs are stored as CSV (comma-separated values) log files. The logs rotate daily (DhcpSrvLog-<day>.log), and each file contains two sections: an Event ID Meaning table and the events list.
As soon as Cortex XDR begins receiving logs, the app automatically creates a Windows DHCP XQL dataset (windows_dhcp_raw). Cortex XDR uses Windows DHCP logs to enrich your network logs with hostnames and MAC addresses that are searchable in XQL Search using the Windows DHCP XQL dataset.
Configure Cortex XDR to receive logs from Windows DHCP via Elasticsearch Filebeat.
  1. Configure the Windows DHCP Collector in Cortex XDR.
    1. Select Settings > Configurations > Data Collection > Collection Integrations.
    2. In the Windows DHCP Collector configuration, click the here link to begin a new configuration.
    3. Specify a descriptive Name for your log collection configuration.
    4. Select Save & Generate Token. The token is displayed in a blue box (blurred out in the image below). Click the copy icon next to the key and record it somewhere safe. You will need to provide this key when you set the api_key value in the Elasticsearch Output section of the filebeat.yml file, as explained in Step #2. If you forget to record the key and close the window, you will need to generate a new key and repeat this process.
    5. Select Done to close the window.
    6. In the Integrations page for the Windows DHCP Collector that you created, select Copy api url and record it somewhere safe. You will need to provide this URL when you set the hosts value in the Elasticsearch Output section of the filebeat.yml file, as explained in Step #2.
  2. Configure an Elasticsearch Filebeat agent on your Windows DHCP Server.
    1. Navigate to the Elasticsearch Filebeat installation directory and open the filebeat.yml file to configure data collection with Cortex XDR.
    2. Update the following sections and tags in the filebeat.yml file. The example code below details the specific sections in which to make these changes.
      You may need to reformat the code syntax after cutting and pasting code into the .yml files. For more information, see Avoid YAML formatting problems.
      • Filebeat inputs: Define the paths to crawl and fetch. The code below provides an example of how to configure the Filebeat inputs section in the filebeat.yml file with these paths configured.

        # ============================== Filebeat inputs ===============================
        filebeat.inputs:
        # Each - is an input. Most options can be set at the input level, so
        # you can use different inputs for various configurations.
        # Below are the input specific configurations.
        - type: log
          # Change to true to enable this input configuration.
          enabled: true
          # Paths that should be crawled and fetched. Glob based paths.
          paths:
            - /var/log/*.log
            #- c:\programdata\elasticsearch\logs\*
            - c:\Windows\System32\dhcp\DhcpSrvLog*.log
            #- c:\temp\test.log
      • Elasticsearch Output: Set the hosts and api_key values, both of which you obtained when you configured the Windows DHCP Collector in Cortex XDR as explained in Step #1. The code below provides an example of how to configure the Elasticsearch Output section in the filebeat.yml file and indicates which settings need to be obtained from Cortex XDR.

        # ---------------------------- Elasticsearch Output ----------------------------
        output.elasticsearch:
          enabled: true
          # Array of hosts to connect to.
          hosts: ["OBTAIN THIS URL FROM CORTEX XDR"]
          # Protocol - either `http` (default) or `https`.
          protocol: "https"
          compression_level: 5
          # Authentication credentials - either API key or username/password.
          api_key: "OBTAIN THIS KEY FROM CORTEX XDR"
      • Processors: Set the tokenizer and add a drop_event processor to drop all events that do not start with an event ID. The code below provides an example of how to configure the Processors section in the filebeat.yml file.
        The tokenizer definition depends on the Windows Server version you are using, because the log format differs:
        - For platforms earlier than Windows Server 2008, use
          "%{id},%{date},%{time},%{description},%{ipAddress},%{hostName},%{macAddress}"
        - For Windows Server 2008 and 2008 R2, use
          "%{id},%{date},%{time},%{description},%{ipAddress},%{hostName},%{macAddress},%{userName},%{transactionID},%{qResult},%{probationTime},%{correlationID}"
        - For Windows Server 2012 and above, use
          "%{id},%{date},%{time},%{description},%{ipAddress},%{hostName},%{macAddress},%{userName},%{transactionID},%{qResult},%{probationTime},%{correlationID},%{dhcid},%{vendorClassHex},%{vendorClassASCII},%{userClassHex},%{userClassASCII},%{relayAgentInformation},%{dnsRegError}"

        # ================================= Processors =================================
        processors:
          - add_host_metadata:
              when.not.contains.tags: forwarded
          # Drop every line that does not begin with a numeric event ID (banner, Event ID Meaning table, CSV header).
          - drop_event.when.not.regexp.message: "^[0-9]+,.*"
          # Tokenizer for Windows Server 2012 and above; swap in the pattern for your server version.
          - dissect:
              tokenizer: "%{id},%{date},%{time},%{description},%{ipAddress},%{hostName},%{macAddress},%{userName},%{transactionID},%{qResult},%{probationTime},%{correlationID},%{dhcid},%{vendorClassHex},%{vendorClassASCII},%{userClassHex},%{userClassASCII},%{relayAgentInformation},%{dnsRegError}"
          - drop_fields:
              fields: ["message"]
          - add_cloud_metadata: ~
          - add_docker_metadata: ~
          - add_kubernetes_metadata: ~
      You can also configure Filebeat for DHCP using the embedded Microsoft module configuration file, input.yml, which includes the same Processors section as configured above. For more information, see the Filebeat Microsoft DHCP module documentation.
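      As an added illustration (not from the original page, Palo Alto Networks or Elastic), the following Python mimics what the Processors section does to a DhcpSrvLog file: the drop_event regexp discards the Event ID Meaning table and the CSV column header, and the dissect tokenizer splits each remaining line into named fields. The sample log, the field-count check in dissect and the guess_version helper are constructed for this example.

```python
import re
# Dissect tokenizers taken from the page, one per Windows Server log format.
TOKENIZERS = {
    "pre2008": "%{id},%{date},%{time},%{description},%{ipAddress},%{hostName},%{macAddress}",
    "2008": "%{id},%{date},%{time},%{description},%{ipAddress},%{hostName},%{macAddress},"
            "%{userName},%{transactionID},%{qResult},%{probationTime},%{correlationID}",
    "2012": "%{id},%{date},%{time},%{description},%{ipAddress},%{hostName},%{macAddress},"
            "%{userName},%{transactionID},%{qResult},%{probationTime},%{correlationID},"
            "%{dhcid},%{vendorClassHex},%{vendorClassASCII},%{userClassHex},"
            "%{userClassASCII},%{relayAgentInformation},%{dnsRegError}",
}
# The drop_event condition from the Processors section: keep only lines starting with an event ID.
EVENT_LINE = re.compile(r"^[0-9]+,.*")

def fields_of(tokenizer):
    # Field names in tokenizer order, e.g. ['id', 'date', 'time', ...]
    return re.findall(r"%\{(\w+)\}", tokenizer)

def dissect(line, tokenizer):
    # Split one CSV line into the tokenizer's fields (the last field takes the rest of the line);
    # None when the line has fewer fields than the tokenizer expects, i.e. the wrong server version.
    names = fields_of(tokenizer)
    parts = line.rstrip("\r\n").split(",", len(names) - 1)
    return dict(zip(names, parts)) if len(parts) == len(names) else None

def guess_version(line):
    # Constructed helper: pick the tokenizer whose field count matches this event line, or None.
    count = line.rstrip("\r\n").count(",") + 1
    return next((v for v, t in TOKENIZERS.items() if len(fields_of(t)) == count), None)

def parse_dhcp_log(text, version="2012"):
    # Apply the drop_event filter, then dissect, to every line of a DhcpSrvLog file.
    events = []
    for line in text.splitlines():
        if not EVENT_LINE.match(line):
            continue  # 'Event ID Meaning' table and CSV column header are dropped
        event = dissect(line, TOKENIZERS[version])
        if event is not None:
            events.append(event)
    return events

# Constructed sample in the shape of a Windows Server 2012+ DhcpSrvLog-Tue.log (not a real capture).
SAMPLE_LOG = """\
Event ID  Meaning
00\tThe log was started.
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,TransactionID,QResult,Probationtime,CorrelationID,Dhcid,VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),RelayAgentInformation,DnsRegError.
00,03/14/23,09:00:01,Started,,,,,0,6,,,,,,,,,0
10,03/14/23,09:15:22,Assign,10.0.0.23,host01.example.com,001122334455,,0,6,,0.0.0.0,,,,,,,0
"""
```

Running parse_dhcp_log(SAMPLE_LOG) yields two events; everything before the first numeric event ID is dropped, which is what keeps the Event ID Meaning table out of the windows_dhcp_raw dataset.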
  3. Verify the status of the integration.
    Return to the Integrations page and view the statistics for the log collection configuration.
  4. After Cortex XDR begins receiving logs from Windows DHCP via Elasticsearch Filebeat, you can use XQL Search to search for logs in the new dataset (windows_dhcp_raw).
Elasticsearch is a trademark of Elasticsearch B.V., registered in the U.S. and in other countries.
