The Dynamic Host Configuration Protocol (DHCP) is a UDP protocol that dynamically allocates IP addresses from a pool and reclaims them when they are no longer in use. Systems running Windows Server provide DHCP services in many environments.
Prerequisites
Download and install the NXLog Community Edition.
Configure DHCP audit logs via the DHCP Management Console
Follow these steps to enable DHCP audit logging. Changes to the audit log settings apply to both IPv4 and IPv6, but only after the DHCP Server service has been restarted.
1. Run the DHCP MMC snap-in (dhcpmgmt.msc), expand the server for which to configure logging, and click IPv4.
2. Right-click IPv4 and click Properties. Note that the context menu is not fully populated until the IPv4 node has been expanded at least once.
3. Make sure Enable DHCP audit logging is checked.
4. Open the Advanced tab, set the Audit log file path, and click OK. This is the directory NXLog will read the audit log files from.
5. Right-click the server and click All Tasks --> Restart to restart the DHCP Server service.
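The same change made from an elevated PowerShell session with the DhcpServer module instead of the MMC snap-in, followed by a check that the settings took effect and that the event log channels NXLog will read exist. This is an added example, not part of the original page; it assumes the DHCP Server role is installed on the local machine and that C:\dhcp is the audit log directory you want (choose the same path you will later put in the NXLog File directive).

```powershell
# Added example (not from the original page). Run in an elevated session on the DHCP server.
Import-Module DhcpServer

$AuditPath = 'C:\dhcp'   # assumption: the directory you want the audit logs written to
if (-not (Test-Path $AuditPath)) {
    New-Item -ItemType Directory -Path $AuditPath | Out-Null
}

# Equivalent of ticking "Enable DHCP audit logging" and setting "Audit log file path"
# on the Advanced tab.
Set-DhcpServerAuditLog -Enable $true -Path $AuditPath

# The new settings are only applied after the DHCP Server service restarts (step 5).
Restart-Service -Name DHCPServer

# Read back what the server actually has in effect and fail loudly if it differs.
$cfg = Get-DhcpServerAuditLog
if (-not $cfg.Enable -or $cfg.Path -ne $AuditPath) {
    throw "Audit logging is not enabled at $AuditPath (Enable=$($cfg.Enable), Path=$($cfg.Path))"
}
$cfg | Format-List Enable, Path, MaxMBFileSize, MinMBDiskSpace

# The audit files appear as DhcpSrvLog-<Day>.log (IPv4) and DhcpV6SrvLog-<Day>.log (IPv6)
# in that directory once the server has handled traffic. List whatever is there now.
Get-ChildItem -Path $AuditPath -Filter 'Dhcp*Log-*.log' -ErrorAction SilentlyContinue |
    Select-Object Name, Length, LastWriteTime

# The event log channels the NXLog im_msvistalog input queries must exist and be enabled;
# a missing or disabled channel produces silence rather than an error at the collector.
foreach ($channel in 'DhcpAdminEvents',
                     'Microsoft-Windows-Dhcp-Server/FilterNotifications',
                     'Microsoft-Windows-Dhcp-Server/Operational') {
    $log = Get-WinEvent -ListLog $channel -ErrorAction Stop
    '{0,-55} enabled={1} records={2}' -f $log.LogName, $log.IsEnabled, $log.RecordCount
}
```

If a channel shows enabled=False, enable it (wevtutil sl <channel> /e:true) before expecting events from it in Chronicle.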
Install and Configure NXLog
Download and install NXLog
Download the NXLog Community Edition and install it at C:\Program Files (x86)\NXlog. Whatever directory you install into must also be used for the ROOT define in the configuration.
Configure NXLog
Edit the configuration file with the configuration given in the next section. Its default location is C:\Program Files (x86)\NXlog\conf\nxlog.conf.
Start the NXLog service
Start the nxlog service, or restart it if it is already running. Configuration errors are written to the file named by the LogFile directive (%ROOT%\data\nxlog.log in the configuration below), so check that file after every restart.
Collecting DHCP server logs from Windows Event Log with NXLog
This configuration uses the im_msvistalog module to collect DHCP Server events from the Windows Event Log (events written by the Microsoft-Windows-DHCP-Server provider to the System log, plus the DhcpAdminEvents, FilterNotifications, and Operational channels) and the im_file module to collect the DHCP audit log files configured above. Both are forwarded as plain TCP to the Chronicle forwarder, so the forwarder should sit on a trusted network segment; nothing in this configuration encrypts the stream.
Panic Soft
#NoFreeOnExit TRUE

# ROOT must be the directory NXLog was installed into (see "Download and install NXLog" above).
define ROOT C:\Program Files (x86)\nxlog

# Replace FORWARDER_IP with the Chronicle forwarder's IP address. A define takes the bare
# value: no parentheses and no quotation marks, otherwise they end up in the Host/Port directives.
define WINDHCP_OUTPUT_DESTINATION_ADDRESS FORWARDER_IP
define WINDHCP_OUTPUT_DESTINATION_PORT 11669

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension _json>
    Module  xm_json
</Extension>

# DHCP Server events from the Windows Event Log: everything the Microsoft-Windows-DHCP-Server
# provider writes to the System log, plus the three DHCP-specific channels.
# Each <Query> in a QueryList must have a distinct Id.
<Input dhcp_server_eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="System">
                <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-DHCP-Server']]]</Select>
            </Query>
            <Query Id="1">
                <Select Path="DhcpAdminEvents">*</Select>
                <Select Path="Microsoft-Windows-Dhcp-Server/FilterNotifications">*</Select>
                <Select Path="Microsoft-Windows-Dhcp-Server/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # NXLog stores datetime fields with microsecond precision; Chronicle expects milliseconds.
    Exec    $EventTime = integer($EventTime) / 1000;
    Exec    $EventReceivedTime = integer($EventReceivedTime) / 1000;
    Exec    to_json();
</Input>

# DHCP audit log files from the directory set on the Advanced tab. The server writes one
# file per weekday, named DhcpSrvLog-<Day>.log (IPv4) and DhcpV6SrvLog-<Day>.log (IPv6),
# so the wildcard must match those names. Quote the path.
<Input audit_logs_csv>
    Module      im_file
    File        "LOG_FILE_PATH"
    # For example: "C:\dhcp\Dhcp*Log-*.log"
    SavePos     TRUE
    InputType   LineBased
    # Forward each CSV line unparsed; the Chronicle side parses it.
    Exec        $Message = $raw_event;
</Input>

# Plain TCP to the Chronicle forwarder.
<Output out_chronicle_forwarder>
    Module  om_tcp
    Host    %WINDHCP_OUTPUT_DESTINATION_ADDRESS%
    Port    %WINDHCP_OUTPUT_DESTINATION_PORT%
</Output>

<Route dhcp_events_to_chronicle_forwarder>
    Path    dhcp_server_eventlog, audit_logs_csv => out_chronicle_forwarder
</Route>
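Before restarting the nxlog service it is worth confirming, on the DHCP server itself, that the event query matches something, that the configuration file parses, and that the forwarder port is reachable; otherwise an empty Chronicle search later gives no hint about which of the three failed. This is an added example and not part of the original page. It assumes NXLog is installed at the path the page gives (adjust $NxlogRoot to match your ROOT define), that the QueryXML is the one in the configuration above, and that $Forwarder and $Port hold the values used in the two defines (192.0.2.10 is a placeholder).

```powershell
# Added example (not from the original page). Run in an elevated session on the DHCP server.
$NxlogRoot = 'C:\Program Files (x86)\nxlog'   # must equal "define ROOT" in nxlog.conf
$Conf      = Join-Path $NxlogRoot 'conf\nxlog.conf'
$Forwarder = '192.0.2.10'                      # assumption: the Chronicle forwarder address
$Port      = 11669                             # the WINDHCP_OUTPUT_DESTINATION_PORT value

# 1. Does the QueryXML match events on this host? Same query the im_msvistalog input
#    uses, evaluated by the Windows event log API directly.
$QueryXml = @'
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-DHCP-Server']]]</Select>
  </Query>
  <Query Id="1">
    <Select Path="DhcpAdminEvents">*</Select>
    <Select Path="Microsoft-Windows-Dhcp-Server/FilterNotifications">*</Select>
    <Select Path="Microsoft-Windows-Dhcp-Server/Operational">*</Select>
  </Query>
</QueryList>
'@
$recent = @(Get-WinEvent -FilterXml ([xml]$QueryXml) -MaxEvents 20 -ErrorAction SilentlyContinue)
"Query matched $($recent.Count) recent events (0 can be normal on a freshly built server)"
$recent | Select-Object TimeCreated, LogName, Id, ProviderName | Format-Table -AutoSize

# 2. Syntax-check the configuration without starting the service (nxlog -v).
& (Join-Path $NxlogRoot 'nxlog.exe') -v -c $Conf
if ($LASTEXITCODE -ne 0) { throw "nxlog.conf failed verification; see the output above" }

# 3. Can this host open a TCP connection to the forwarder on the om_tcp port?
if (-not (Test-NetConnection -ComputerName $Forwarder -Port $Port -InformationLevel Quiet)) {
    throw "TCP ${Forwarder}:${Port} is not reachable; check the forwarder and firewall first"
}

# 4. Restart the service, then look at the tail of the LogFile for errors or warnings.
Restart-Service -Name nxlog
Start-Sleep -Seconds 3
Get-Content (Join-Path $NxlogRoot 'data\nxlog.log') -Tail 30 |
    Where-Object { $_ -match 'ERROR|WARNING' }
```

No output from the last command means the service started cleanly; a WARNING about im_file finding no files usually means the File wildcard does not match the DhcpSrvLog-<Day>.log names in the audit directory.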
Once the configuration is complete, validate that the logs are arriving in Chronicle: search with the regular expression .* (which matches everything), or with the DHCP server's hostname, to list the log source types being ingested and confirm that the DHCP server events and audit log lines are among them. The page's screenshot shows this search.