Microsoft DHCP
You can use the Logmanager Beat Agent to collect logs/information from the Microsoft DHCP service running on the Windows Server platform. In order to collect logs from Microsoft DHCP, the following conditions must be met:
- Install Beat Agent on a server running the DHCP service.
- Check the DHCP service settings.
- Configure the agent to collect DHCP logs
-
Log in to the Windows Server running the DHCP service (you need administrator rights)
-
Install the Beat Agent, if it is already installed, ignore this step (more about agents here: Logmanager Orchestrator)
-
Go to the DHCP settings (Start/DHCP or Server Manager/DHCP)
-
Right click on IPv4, select Properties and make sure the Enable DHCP audit logging box is checked
-
Go to the Advanced tab - here you can see where the DHCP service stores information and note the path, the most common path is C:\Windows\System32\dhcp\logs
-
Repeat the same for IPv6
For successful collection of logs from MS DHCP and processing on the Logmanager side, configuration in the GUI is required.
-
Log in to Logmanager as administrator
-
Go to Sources/Beat agents
-
Locate the server/agent where the DHCP service operates and click on the blue pen on the right to edit it
-
Locate the Log Files, click the green Add button on the right
-
Select dhcp as the template, this will automatically add the dhcp tag which is needed for proper classification, i.e. do not delete it!
-
Insert the noted path where the DHCP log files are stored and add to the end of path *Dhcp, in our example C:\Windows\system32\dhcp\*Dhcp
use the wildcard “*” and “Dhcp” to ensure that any generated log starting with “Dhcp…” will be sent to Logmanager. This is because the Microsoft DHCP service stores log files on a day-by-day basis. For example: DhcpSrvLog-Tue.log, DhcpSrvLog-Wed.log, etc.Double check that the path you specify points exclusively to the log files. Pay extra attention to Microsoft DHCP logs, the correct path (default) is C:\Windows\System32\dhcp\Dhcp*.log. In some cases, Microsoft stores database data in files with a “.log” extension. If an agent tries to collect such data, the DHCP service on the server may be stopped. -
Now click the Save button at the bottom.
If you delete the dhcp tag, the logs will not be processed correctly and will not appear in Logmanager as logs from MS DHCP.By doing this, you have set up the log collection and processing on the Logmanager side, since it takes a while for the agent to download the new configuration, we recommend manually restarting the logmanager-orchestrator-service on the server via Task Manager. After restarting the service, the configuration will be updated and the Agent should send DHCP logs to Logmanager, which can automatically classify and process them with the correct parser thanks to the dhcp tag.
You can check the collecting of MS DHCP logs in Logs/Dashboards on the Windows DHCP log dashboard.