The article covers how to configure DHCP audit logs through the Event Viewer and how to collect DHCP server logs from Windows Event Log with NXLog.
The Dynamic Host Configuration Protocol (DHCP) is a UDP protocol that dynamically allocates IP addresses from a pool and reclaims them when they are no longer in use. Systems running Windows Server provide DHCP services in many environments.
Pre-requisites
Download and install the NXLog Community Edition.
Configure DHCP audit logs via Event Viewer
1. Type eventvwr.msc at an elevated command prompt and press ENTER to open Event Viewer.
2. In Event Viewer, navigate to Applications and Services Logs > Microsoft > Windows > DHCP-Server.
3. Expand DHCP-Server.
4. Right-click Admin Events, click Enable Log, and click OK when asked whether the log should be enabled. Repeat for the other two logs, FilterNotifications and Operational.
5. Click OK again.
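The same three channels can be enabled from an elevated PowerShell session instead of clicking through Event Viewer. This is an added example, not part of the original article; it uses the channel names that the NXLog query further down reads from, and the .NET EventLogConfiguration class that Event Viewer itself edits when you choose Enable Log.

```powershell
# Added example (not from the original article): enable the DHCP Server event
# channels and confirm their state. Run in an elevated PowerShell session on the
# DHCP server; SaveChanges() fails without administrator rights.
$channels = @(
    'DhcpAdminEvents',
    'Microsoft-Windows-Dhcp-Server/FilterNotifications',
    'Microsoft-Windows-Dhcp-Server/Operational'
)

foreach ($name in $channels) {
    # EventLogConfiguration exposes the same "Enable Log" switch as Event Viewer.
    $cfg = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration $name
    if (-not $cfg.IsEnabled) {
        $cfg.IsEnabled = $true
        $cfg.SaveChanges()
        Write-Host "Enabled:         $name"
    } else {
        Write-Host "Already enabled: $name"
    }
}

# Verify: enabled flag, retention mode and how many records each channel holds.
# A channel that stays at RecordCount 0 after DHCP activity is not yet logging.
Get-WinEvent -ListLog $channels | Select-Object LogName, IsEnabled, LogMode, RecordCount
```

The equivalent one-liner per channel is `wevtutil sl <channel> /e:true`; the script form is preferable when the step has to be repeated on several DHCP servers, because it reports which channels were already on.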
Install and Configure NXLog
Download and install NXLog
Download the NXLog Community Edition and install it. The article installs it at C:\Program Files (x86)\NXlog; note the directory you actually install to, because the ROOT define in nxlog.conf must match it.
Configure NXLog
Note: Edit the configuration file. Its default location is C:\Program Files (x86)\NXlog\conf\nxlog.conf (or conf\nxlog.conf under whichever directory NXLog was installed to).
Start the NXLog service
Start (or restart) the NXLog service after editing the configuration. Configuration errors are written to the file named by the LogFile directive.
Collecting DHCP server logs from Windows Event Log with NXLog
This configuration uses the im_msvistalog module to collect DHCP Server event logs from the DhcpAdminEvents, FilterNotifications, and Operational logs.
Panic Soft
#NoFreeOnExit TRUE
# ROOT must match the directory NXLog was installed to (see the install step above)
define ROOT C:\Program Files\nxlog
# Forwarder that receives the JSON events over TCP
define WINDHCP_OUTPUT_DESTINATION_ADDRESS <Forwarder IP>
define WINDHCP_OUTPUT_DESTINATION_PORT 11669
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data
include %CONFDIR%\\*.conf
define LOGFILE %LOGDIR%\nxlog.log
# NXLog's own log; configuration errors are reported here
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension _json>
Module xm_json
</Extension>
# Read the three DHCP Server channels from the Windows Event Log
<Input dhcp_server_eventlog>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="DhcpAdminEvents">*</Select>
<Select Path="Microsoft-Windows-Dhcp-Server/FilterNotifications">*</Select>
<Select Path="Microsoft-Windows-Dhcp-Server/Operational">*</Select>
</Query>
</QueryList>
</QueryXML>
# Start at the newest event on first run, then remember the position across restarts
ReadFromLast TRUE
SavePos TRUE
</Input>
# Send each event as one JSON line over TCP
<Output out_chronicle_windhcp>
Module om_tcp
Host %WINDHCP_OUTPUT_DESTINATION_ADDRESS%
Port %WINDHCP_OUTPUT_DESTINATION_PORT%
# integer() yields microseconds since the epoch; /1000 gives milliseconds
Exec $EventTime = integer($EventTime) / 1000;
Exec $EventReceivedTime = integer($EventReceivedTime) / 1000;
Exec to_json();
</Output>
<Route r2>
Path dhcp_server_eventlog => out_chronicle_windhcp
</Route>
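Before troubleshooting the forwarder side, it helps to confirm locally that the query in the Input block actually returns events and to see what the two Exec timestamp conversions produce. The following is an added example, not part of the original article or of NXLog: it runs the same QueryList XML through Get-WinEvent and reproduces integer($EventTime) / 1000 (milliseconds since the Unix epoch) for each event.

```powershell
# Added example (not from the original article): replay the NXLog input query
# locally and show the epoch-millisecond value that the om_tcp Exec lines emit.
# Run on the DHCP server; reading these channels needs local Administrator or
# Event Log Readers membership.
$queryXml = @'
<QueryList>
  <Query Id="0">
    <Select Path="DhcpAdminEvents">*</Select>
    <Select Path="Microsoft-Windows-Dhcp-Server/FilterNotifications">*</Select>
    <Select Path="Microsoft-Windows-Dhcp-Server/Operational">*</Select>
  </Query>
</QueryList>
'@

# Same arithmetic as NXLog's integer($EventTime) / 1000: microseconds since the
# epoch divided by 1000, i.e. UTC milliseconds since 1970-01-01.
function ConvertTo-EpochMilliseconds {
    param([Parameter(Mandatory)][datetime]$Time)
    ([DateTimeOffset]$Time).ToUnixTimeMilliseconds()
}

try {
    # -MaxEvents keeps the check quick; drop it to read the whole channel
    $events = Get-WinEvent -FilterXml $queryXml -MaxEvents 20 -ErrorAction Stop
} catch {
    # Get-WinEvent errors when nothing matches; an empty result here means the
    # channels are enabled but have not recorded anything yet.
    Write-Warning "No events returned: $($_.Exception.Message)"
    $events = @()
}

$events | ForEach-Object {
    [pscustomobject]@{
        Channel     = $_.LogName
        EventID     = $_.Id
        EventTime   = $_.TimeCreated
        EventTimeMs = ConvertTo-EpochMilliseconds $_.TimeCreated
        Message     = ($_.Message -split "`r?`n")[0]   # first line only
    }
} | Format-Table -AutoSize
```

If this returns rows but nothing reaches the forwarder, the problem is between NXLog and the destination (service not running, ROOT pointing at the wrong directory, or TCP port 11669 blocked); if it returns nothing, generate DHCP activity or check that the channels were enabled.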
Once the configuration is complete, validate that the logs are arriving in Chronicle: a raw log search using the regular expression ".*", or a search on a specific hostname, lists the log source types being ingested into Chronicle. See the screenshot below for reference.