URL: https://docs.nxlog.co/integrate/windows-dhcp-server.html

COLLECT LOGS FROM WINDOWS DHCP SERVER


CONTENTS

 * DHCP audit logging
 * Configure DHCP audit logs via PowerShell
 * Configure DHCP audit logs via the DHCP Management Console
 * Collect DHCP server audit logs with NXLog
 * Collecting DHCP server logs from Windows Event Log

DHCP (Dynamic Host Configuration Protocol) is a network management protocol that
dynamically assigns IP addresses to each client machine on your network. DHCP
Server events are written to DHCP audit log files (if configured) and Windows
Event Log.

NXLog can be configured to collect both DHCP audit logs and DHCP server logs
located in the Windows Event Log. With its native xm_csv, im_file, and
im_msvistalog modules, NXLog collects logs from these sources and normalizes
them to a single format and schema that your SIEM can understand.


DHCP AUDIT LOGGING

The Windows DHCP Server provides an audit logging feature that writes server
activity to log files. NXLog can be configured to read and parse these logs.

The log files are named DhcpSrvLog-<DAY>.log for IPv4 and DhcpV6SrvLog-<DAY>.log
for IPv6. For example, Thursday’s log files are DhcpSrvLog-Thu.log and
DhcpV6SrvLog-Thu.log.

IPv4 log sample (many header lines omitted)

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID,Dhcid,VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),RelayAgentInformation,DnsRegError.
00,05/11/18,03:14:55,Started,,,,,0,6,,,,,,,,,0
55,05/11/18,03:14:55,Authorized(servicing),,test.com,,,0,6,,,,,,,,,0

IPv6 log sample (many header lines omitted)

ID,Date,Time,Description,IPv6 Address,Host Name,Error Code, Duid Length, Duid Bytes(Hex),User Name,Dhcid,Subnet Prefix.
11010,05/11/18,03:14:55,DHCPV6 Started,,,,,,,,,,
1103,05/11/18,03:14:55,Authorized(servicing),,test.com,,,,,,,,


The DHCP audit log can be configured with PowerShell or the DHCP Management MMC
snap-in.

The default audit log path, C:\Windows\System32\dhcp, is architecture-specific:
when a 32-bit process on 64-bit Windows opens a path under C:\Windows\System32,
WOW64 file system redirection transparently points it at C:\Windows\SysWOW64
instead, so a 32-bit NXLog agent would not find the audit log files there. To
collect DHCP audit logs with a 32-bit NXLog agent on a 64-bit Windows system,
change the log path to a directory that is not subject to this redirection; for
this reason, the following instructions use C:\dhcp. If the NXLog agent is
running on the system's native architecture, the default log file location can
be kept.


CONFIGURE DHCP AUDIT LOGS VIA POWERSHELL

 1. To view the current DHCP audit log configuration, run the following command
    (see Get-DhcpServerAuditLog on Microsoft Docs):
    
    > Get-DhcpServerAuditLog
    
    Path              : C:\Windows\system32\dhcp
    Enable            : True
    MaxMBFileSize     : 70
    DiskCheckInterval : 50
    MinMBDiskSpace    : 20

 2. To enable audit logging and set the log path, run this command (see
    Set-DhcpServerAuditLog on Microsoft Docs):
    
    > Set-DhcpServerAuditLog -Enable $True -Path C:\dhcp

 3. The DHCP server must be restarted for the configuration changes to take
    effect:
    
    > Restart-Service DHCPServer


CONFIGURE DHCP AUDIT LOGS VIA THE DHCP MANAGEMENT CONSOLE

Follow these steps to configure DHCP audit logging. Any changes to the audit log
settings apply to both IPv4 and IPv6 after the DHCP server is restarted.

 1. Run the DHCP MMC snap-in (dhcpmgmt.msc), expand the server for which to
    configure logging, and click on IPv4.
    
    

 2. Right-click on IPv4 and click Properties. Note that the context menu is not
    fully populated until after the IPv4 menu has been expanded at least once.
    
    

 3. Make sure Enable DHCP audit logging is checked.

 4. Open the Advanced tab, change the Audit log file path, and click OK.
    
    

 5. Restart the DHCP server by right-clicking the server and clicking All Tasks
    > Restart.


COLLECT DHCP SERVER AUDIT LOGS WITH NXLOG

The DHCP audit logs are stored in CSV format with a large free-form header
containing a list of event ID descriptions and other details.
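The following Python script is an added example, not NXLog's code and not part of the original page. It mirrors the parsing rules that the NXLog configuration below applies (drop every line that does not start with an event ID, parse the CSV body with the IPv4 or IPv6 column list depending on the file name, build a timestamp from the Date and Time columns, resolve the event ID and QResult codes) so that the rules can be checked offline against sample lines before the agent is deployed. The event ID table is an abbreviated subset of the one used in the NXLog configuration, the set of "security relevant" event IDs is this example's own choice, and the sample input is constructed: it combines the two log lines shown on this page with three made-up lease events.

```python
"""Offline parser for Windows DHCP server audit logs (DhcpSrvLog-<DAY>.log and
DhcpV6SrvLog-<DAY>.log). Added example, not NXLog's code: it mirrors the
parsing rules of the NXLog configuration on this page."""
import csv
import re
from datetime import datetime

# Column names in file order, taken from the header lines shown on this page.
DHCPV4_FIELDS = [
    "ID", "Date", "Time", "Description", "IPAddress", "Hostname", "MACAddress",
    "UserName", "TransactionID", "QResult", "ProbationTime", "CorrelationID",
    "DHCID", "VendorClassHex", "VendorClassASCII", "UserClassHex",
    "UserClassASCII", "RelayAgentInformation", "DnsRegError",
]
DHCPV6_FIELDS = [
    "ID", "Date", "Time", "Description", "IPv6Address", "Hostname", "ErrorCode",
    "DuidLength", "DuidBytesHex", "UserName", "Dhcid", "SubnetPrefix",
]
QRESULT_MESSAGES = {0: "NoQuarantine", 1: "Quarantine", 2: "Drop Packet",
                    3: "Probation", 6: "No Quarantine Information"}
# Subset of the event ID table used by the NXLog configuration on this page.
EVENT_MESSAGES = {
    0: "The log was started.", 1: "The log was stopped.",
    10: "A new IP address was leased to a client.",
    11: "A lease was renewed by a client.",
    12: "A lease was released by a client.",
    13: "An IP address was found to be in use on the network.",
    15: "A lease was denied.",
    33: "Packet dropped due to NAP policy.",
    36: "Packet dropped because the server is in failover standby role or "
        "the hash of the client ID does not match.",
    11010: "DHCPv6 Started.", 11011: "DHCPv6 Stopped.",
}
# Example's own choice: address conflicts (13) can mean a spoofed or rogue host;
# denied leases (15) and NAP/failover drops (33, 36) are clients the server refused.
SECURITY_EVENT_IDS = {13, 15, 33, 36}
DATA_LINE = re.compile(r"^\d+,")  # header lines never start with "<digits>,"


def event_message(event_id):
    """Resolve an event ID; IDs 50-999 are rogue server detection events."""
    if event_id in EVENT_MESSAGES:
        return EVENT_MESSAGES[event_id]
    if 50 <= event_id < 1000:
        return "Codes above 50 are used for Rogue Server Detection information."
    return None


def parse_line(line, filename):
    """Parse one line into a record, or return None for header lines (dropped)."""
    line = line.strip()
    if not DATA_LINE.match(line):
        return None
    fields = DHCPV4_FIELDS if "DhcpSrvLog-" in filename else DHCPV6_FIELDS
    record = dict(zip(fields, next(csv.reader([line]))))  # extra columns ignored
    record["ID"] = int(record["ID"])
    record["EventTime"] = datetime.strptime(
        record["Date"] + " " + record["Time"], "%m/%d/%y %H:%M:%S")
    record["Message"] = event_message(record["ID"])
    if record.get("QResult"):  # IPv4 only; an empty field carries no NAP result
        record["QResult"] = int(record["QResult"])
        record["QMessage"] = QRESULT_MESSAGES.get(record["QResult"])
    return record


def parse_log(text, filename):
    """Parse a whole log body; the file name selects the IPv4 or IPv6 schema."""
    records = (parse_line(line, filename) for line in text.splitlines())
    return [r for r in records if r is not None]


def find_security_relevant(records):
    """Pick the records an analyst should review first."""
    return [r for r in records
            if r["ID"] in SECURITY_EVENT_IDS or r.get("QResult") in (1, 2, 3)]


# Constructed sample input: an abbreviated header, the two lines shown on this
# page, and three made-up lease events (IDs 10, 13 and 15).
SAMPLE_V4 = """\
\t\tMicrosoft DHCP Service Activity Log

00\tThe log was started.

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID,Dhcid,VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),RelayAgentInformation,DnsRegError.
00,05/11/18,03:14:55,Started,,,,,0,6,,,,,,,,,0
55,05/11/18,03:14:55,Authorized(servicing),,test.com,,,0,6,,,,,,,,,0
10,05/11/18,03:15:02,Assign,192.168.1.50,client01.test.com,001122334455,,1234567890,0,,,,,,,,,0
13,05/11/18,03:16:10,Conflict,192.168.1.77,,00aabbccddee,,0,6,,,,,,,,,0
15,05/11/18,03:16:30,Deny,192.168.1.90,unknown-host,00deadbeef01,,0,2,,,,,,,,,0
"""
SAMPLE_V6 = """\
ID,Date,Time,Description,IPv6 Address,Host Name,Error Code, Duid Length, Duid Bytes(Hex),User Name,Dhcid,Subnet Prefix.
11010,05/11/18,03:14:55,DHCPV6 Started,,,,,,,,,,
1103,05/11/18,03:14:55,Authorized(servicing),,test.com,,,,,,,,
"""

if __name__ == "__main__":
    for rec in find_security_relevant(parse_log(SAMPLE_V4, "DhcpSrvLog-Thu.log")):
        print(rec["EventTime"], rec["ID"], rec["IPAddress"], rec["Message"], rec["QMessage"])
```

Run against a real DhcpSrvLog-<DAY>.log by passing its contents and file name to parse_log(); surplus trailing columns (the IPv6 sample lines carry more commas than the header has columns) are ignored by the zip, which is the same tolerance xm_csv shows for those lines.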

Example 1. Collecting and parsing DHCP audit logs with NXLog

This configuration uses a batch/PowerShell polyglot script with the
include_stdout directive to fetch the DHCP audit log location. The im_file
module reads the audit logs and the xm_csv module parses the lines into fields.
Any line that does not match the /^\d+,/ regular expression is discarded with
the drop() procedure (all the header lines are dropped). The event ID and
QResult codes are resolved automatically, with corresponding $Message and
$QMessage fields added where applicable.

If DHCP audit logging is disabled, the script will print an error, and NXLog
will abort during the configuration check.

nxlog.conf

<Extension dhcp_csv_parser>
    Module            xm_csv
    Fields            ID, Date, Time, Description, IPAddress, Hostname, MACAddress, \
                      UserName, TransactionID, QResult, ProbationTime, CorrelationID, \
                      DHCID, VendorClassHex, VendorClassASCII, UserClassHex, \
                      UserClassASCII, RelayAgentInformation, DnsRegError
</Extension>

<Extension dhcpv6_csv_parser>
    Module            xm_csv
    Fields            ID, Date, Time, Description, IPv6Address, Hostname, ErrorCode, \
                      DuidLength, DuidBytesHex, UserName, Dhcid, SubnetPrefix
</Extension>

<Input dhcp_server_audit>
    Module            im_file
    include_stdout    %CONFDIR%\dhcp_server_audit_include.cmd
    <Exec>
        # Only process lines that begin with an event ID
        if $raw_event =~ /^\d+,/
        {
            $FileName = file_name();
            if $FileName =~ /DhcpSrvLog-/
            {
                dhcp_csv_parser->parse_csv();
                $QResult = integer($QResult);
                if $QResult == 0 $QMessage = "NoQuarantine";
                else if $QResult == 1 $QMessage = "Quarantine";
                else if $QResult == 2 $QMessage = "Drop Packet";
                else if $QResult == 3 $QMessage = "Probation";
                else if $QResult == 6 $QMessage = "No Quarantine Information";
            }
            else
            {
                dhcpv6_csv_parser->parse_csv();
            }
            $EventTime = strptime($Date + ' ' + $Time, '%m/%d/%y %H:%M:%S');
            $ID = integer($ID);
            # DHCP Event IDs
            if $ID == 0 $Message = "The log was started.";
            else if $ID == 1 $Message = "The log was stopped.";
            else if $ID == 2
                $Message = "The log was temporarily paused due to low disk space.";
            else if $ID == 10 $Message = "A new IP address was leased to a client.";
            else if $ID == 11 $Message = "A lease was renewed by a client.";
            else if $ID == 12 $Message = "A lease was released by a client.";
            else if $ID == 13
                $Message = "An IP address was found to be in use on the network.";
            else if $ID == 14
                $Message = "A lease request could not be satisfied because the " +
                           "scope's address pool was exhausted.";
            else if $ID == 15 $Message = "A lease was denied.";
            else if $ID == 16 $Message = "A lease was deleted.";
            else if $ID == 17
                $Message = "A lease was expired and DNS records for the expired " +
                           "lease have not been deleted.";
            else if $ID == 18
                $Message = "A lease was expired and DNS records were deleted.";
            else if $ID == 20
                $Message = "A BOOTP address was leased to a client.";
            else if $ID == 21
                $Message = "A dynamic BOOTP address was leased to a client.";
            else if $ID == 22
                $Message = "A BOOTP request could not be satisfied because the " +
                           "scope's address pool for BOOTP was exhausted.";
            else if $ID == 23
                $Message = "A BOOTP IP address was deleted after checking to see " +
                           "it was not in use.";
            else if $ID == 24
                $Message = "IP address cleanup operation has begun.";
            else if $ID == 25
                $Message = "IP address cleanup statistics.";
            else if $ID == 30
                $Message = "DNS update request to the named DNS server.";
            else if $ID == 31 $Message = "DNS update failed.";
            else if $ID == 32 $Message = "DNS update successful.";
            else if $ID == 33
                $Message = "Packet dropped due to NAP policy.";
            else if $ID == 34
                $Message = "DNS update request failed as the DNS update request " +
                           "queue limit exceeded.";
            else if $ID == 35 $Message = "DNS update request failed.";
            else if $ID == 36
                $Message = "Packet dropped because the server is in failover " +
                           "standby role or the hash of the client ID does not " +
                           "match.";
            else if ($ID >= 50 and $ID < 1000)
                $Message = "Codes above 50 are used for Rogue Server Detection " +
                           "information.";
            # DHCPv6 Event IDs
            else if $ID == 11000 $Message = "DHCPv6 Solicit.";
            else if $ID == 11001 $Message = "DHCPv6 Advertise.";
            else if $ID == 11002 $Message = "DHCPv6 Request.";
            else if $ID == 11003 $Message = "DHCPv6 Confirm.";
            else if $ID == 11004 $Message = "DHCPv6 Renew.";
            else if $ID == 11005 $Message = "DHCPv6 Rebind.";
            else if $ID == 11006 $Message = "DHCPv6 Decline.";
            else if $ID == 11007 $Message = "DHCPv6 Release.";
            else if $ID == 11008 $Message = "DHCPv6 Information Request.";
            else if $ID == 11009 $Message = "DHCPv6 Scope Full.";
            else if $ID == 11010 $Message = "DHCPv6 Started.";
            else if $ID == 11011 $Message = "DHCPv6 Stopped.";
            else if $ID == 11012 $Message = "DHCPv6 Audit log paused.";
            else if $ID == 11013 $Message = "DHCPv6 Log File.";
            else if $ID == 11014 $Message = "DHCPv6 Bad Address.";
            else if $ID == 11015 $Message = "DHCPv6 Address is already in use.";
            else if $ID == 11016 $Message = "DHCPv6 Client deleted.";
            else if $ID == 11017 $Message = "DHCPv6 DNS record not deleted.";
            else if $ID == 11018 $Message = "DHCPv6 Expired.";
            else if $ID == 11019
                $Message = "DHCPv6 Leases Expired and Leases Deleted.";
            else if $ID == 11020 $Message = "DHCPv6 Database cleanup begin.";
            else if $ID == 11021 $Message = "DHCPv6 Database cleanup end.";
            else if $ID == 11022 $Message = "DNS IPv6 Update Request.";
            else if $ID == 11023 $Message = "DNS IPv6 Update Failed.";
            else if $ID == 11024 $Message = "DNS IPv6 Update Successful.";
            else if $ID == 11028
                $Message = "DNS IPv6 update request failed as the DNS update " +
                           "request queue limit exceeded.";
            else if $ID == 11029 $Message = "DNS IPv6 update request failed.";
            else if $ID == 11030
                $Message = "DHCPv6 stateless client records purged.";
            else if $ID == 11031
                $Message = "DHCPv6 stateless client record is purged as the " +
                           "purge interval has expired for this client record.";
            else if $ID == 11032
                $Message = "DHCPV6 Information Request from IPV6 Stateless Client.";
            else $Message = "No message specified for this Event ID.";
        }
        # Discard header lines (which do not begin with an event ID)
        else drop();
    </Exec>
</Input>
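The same parsing steps the Exec block performs, written as a stand-alone Python script so the event-ID mapping and header handling can be checked outside NXLog. This is an added example, not code from the NXLog documentation or from NXLog itself; the sample log text is constructed, the column order (ID, Date, Time, Description, IP Address, Host Name, MAC Address, User Name) is assumed from the standard audit log header, and only a subset of the event IDs is mapped.

```python
import csv
import io
from datetime import datetime

# Subset of the DHCP audit log event IDs and their message text, mirroring
# the mapping used in the NXLog Exec block above.
DHCP_EVENT_MESSAGES = {
    0: "The log was started.",
    1: "The log was stopped.",
    10: "A new IP address was leased to a client.",
    11: "A lease was renewed by a client.",
    12: "A lease was released by a client.",
    13: "An IP address was found to be in use on the network.",
    14: "A lease request could not be satisfied because the scope's "
        "address pool was exhausted.",
    15: "A lease was denied.",
    11000: "DHCPv6 Solicit.",
}

# Assumed column order of a DHCP server audit log record (hypothetical subset
# of the real header; extra trailing columns are ignored by zip()).
FIELDS = ("ID", "Date", "Time", "Description", "IPAddress",
          "HostName", "MACAddress", "UserName")

# Constructed sample: legend lines and the column header precede the records,
# exactly the kind of lines the Exec block drops.
SAMPLE_LOG = """\
\t\tMicrosoft DHCP Service Activity Log

Event ID  Meaning
00\tThe log was started.
10\tA new IP address was leased to a client.
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name
00,03/15/23,09:00:01,Started,,,,,
10,03/15/23,09:12:44,Assign,192.168.1.50,ws01.example.test,00AABBCCDDEE,,
13,03/15/23,09:13:02,Conflict,192.168.1.51,,00AABBCCDD01,,
57,03/15/23,09:15:00,Rogue Server Detected,192.168.1.9,,,,
"""


def describe(event_id):
    """Message text for an event ID, with the same fallbacks as the Exec block."""
    if event_id in DHCP_EVENT_MESSAGES:
        return DHCP_EVENT_MESSAGES[event_id]
    if 50 <= event_id < 1000:
        return "Codes above 50 are used for Rogue Server Detection information."
    return "No message specified for this Event ID."


def parse_audit_log(text):
    """Return one dict per event record; header and legend lines are skipped."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        # A record starts with a numeric ID followed by date and time fields;
        # legend lines ("00<TAB>The log was started.") fail this test.
        if len(row) < 3 or not row[0].strip().isdigit():
            continue
        rec = dict(zip(FIELDS, (f.strip() for f in row)))
        try:
            rec["EventTime"] = datetime.strptime(
                rec["Date"] + " " + rec["Time"], "%m/%d/%y %H:%M:%S")
        except ValueError:
            continue  # not a data record
        rec["ID"] = int(rec["ID"])
        rec["Message"] = describe(rec["ID"])
        events.append(rec)
    return events


def noteworthy(events, ids=(13, 14, 15)):
    """Records a defender usually wants surfaced: address conflicts, exhausted
    scopes, denied leases, plus anything in the rogue-server range."""
    return [e for e in events
            if e["ID"] in ids or 50 <= e["ID"] < 1000]


if __name__ == "__main__":
    for e in parse_audit_log(SAMPLE_LOG):
        print(e["EventTime"].isoformat(), e["ID"], e["IPAddress"], e["Message"])
```

Running the script prints one line per data record; the two legend lines and the column header produce nothing, which is the behaviour the `else drop();` branch of the Exec block provides inside NXLog.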

dhcp_server_audit_include.cmd

@( Set "_= (
REM " ) <#
)
@Echo Off
SetLocal EnableExtensions DisableDelayedExpansion
powershell.exe -ExecutionPolicy Bypass -NoProfile ^
-Command "iex ((gc '%~f0') -join [char]10)"
EndLocal & Exit /B %ErrorLevel%
#>
$AuditLog = Get-DhcpServerAuditLog
if ($AuditLog.Enable) {
    Write-Output "File '$($AuditLog.Path)\Dhcp*SrvLog-*.log'"
}
else {
    [Console]::Error.WriteLine(@"
DHCP audit logging is disabled. To enable, run in PowerShell:
> Set-DhcpServerAuditLog -Enable $True
"@)
    exit 1
}



COLLECTING DHCP SERVER LOGS FROM WINDOWS EVENT LOG

Events are also written to three logs in the Windows Event Log. To make sure the
required logs are enabled, open Event Viewer (eventvwr) and check the logs under
Applications and Services Logs > Microsoft > Windows > DHCP-Server. To enable a
log, right-click on it and click Enable Log.



Alternatively, the following PowerShell script checks all three DHCP logs and
enables any that are not already enabled.

$LogNames = @("DhcpAdminEvents",
              "Microsoft-Windows-Dhcp-Server/FilterNotifications",
              "Microsoft-Windows-Dhcp-Server/Operational")
ForEach ($LogName in $LogNames) {
    $EventLog = Get-WinEvent -ListLog $LogName
    if ($EventLog.IsEnabled) {
        Write-Host "Already enabled: $LogName"
    }
    else {
        Write-Host "Enabling: $LogName"
        $EventLog.IsEnabled = $true
        $EventLog.SaveChanges()
    }
}

Example 2. Collecting DHCP server logs from Windows Event Log with NXLog

This configuration uses the im_msvistalog module to collect DHCP Server event
logs from the DhcpAdminEvents, FilterNotifications, and Operational logs.

nxlog.conf

<Input dhcp_server_eventlog>
    Module    im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="DhcpAdminEvents">*</Select>
                <Select Path="Microsoft-Windows-Dhcp-Server/FilterNotifications">*</Select>
                <Select Path="Microsoft-Windows-Dhcp-Server/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

Disclaimer

While we endeavor to keep the information in this topic up to date and correct,
NXLog makes no representations or warranties of any kind, express or implied
about the completeness, accuracy, reliability, suitability, or availability of
the content represented here. We update our screenshots and instructions on a
best-effort basis.

The accuracy of the content was tested and proved to be working in our lab
environment at the time of the last revision with the following software
versions:

Windows Server 2022
Windows Server 2019
Windows Server 2016
NXLog version 5.7.7898


Last revision: 4 April 2023
