
Windows DHCP Logs

DHCP provides host enrichment to the Chronicle platform. The DHCP data source lets an analyst state authoritatively which host held a given IP address at a given time during an investigation.

Chronicle Data Types

  • DHCP

Requirements

  • Chronicle Forwarder

Configuration

Enable Windows DHCP Logging

  1. Open the Microsoft Management Console (MMC) and open the DHCP snap-in.
  2. Expand the DHCP server to be audited.
  3. Right-click on IPv4 and select Properties.
  4. In the "General" tab, select the checkbox for "Enable DHCP audit logging". DHCP will begin logging to C:\Windows\System32\dhcp\.
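The attribution described above comes straight from the DhcpSrvLog-*.log files that audit logging produces. The following added example (not part of the original page or of Chronicle) parses constructed sample lines in that file's format and replays the lease events to answer "which host held this IP at this time"; the host names, MACs, addresses and timestamps are made up.

```python
import csv
from datetime import datetime

# Windows DHCP audit logs (C:\Windows\System32\dhcp\DhcpSrvLog-*.log) begin with a
# text preamble (an event-ID legend) and then switch to CSV rows. The event IDs
# below come from that legend; only lease-state events matter for attribution.
ASSIGN_IDS = {"10", "11"}               # 10 new lease, 11 renew
RELEASE_IDS = {"12", "16", "17", "18"}  # 12 release, 16 deleted, 17 expired, 18 expired+deleted

# Constructed sample lines in the DhcpSrvLog format (not real data).
SAMPLE_LOG = """\
\t\tMicrosoft DHCP Service Activity Log

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,TransactionID,QResult,Probationtime,CorrelationID,Dhcid,VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),RelayAgentInformation,DnsRegError
00,01/15/24,00:00:01,Started,,,,,0,6,,,,,,,,,0
10,01/15/24,08:02:11,Assign,10.0.5.23,laptop-a.corp.example,0A1B2C3D4E5F,,123456,0,,,,,,,,,0
12,01/15/24,12:30:00,Release,10.0.5.23,laptop-a.corp.example,0A1B2C3D4E5F,,123457,0,,,,,,,,,0
10,01/15/24,12:45:09,Assign,10.0.5.23,laptop-b.corp.example,AABBCCDDEEFF,,123458,0,,,,,,,,,0
"""


def parse_events(text):
    """Return lease events as (timestamp, event_id, ip, host, mac), oldest first."""
    lines = text.splitlines()
    # Skip the preamble: CSV data begins at the 'ID,Date,Time,...' header row.
    start = next(i for i, line in enumerate(lines) if line.startswith("ID,Date,Time"))
    events = []
    for row in csv.reader(lines[start + 1:]):
        if len(row) < 7 or row[0] not in ASSIGN_IDS | RELEASE_IDS:
            continue  # blank line, or a non-lease event (start/stop, DNS updates, ...)
        ts = datetime.strptime(f"{row[1]} {row[2]}", "%m/%d/%y %H:%M:%S")
        events.append((ts, row[0], row[4], row[5], row[6]))
    return sorted(events, key=lambda e: e[0])


def who_had_ip(events, ip, at):
    """Replay lease events up to 'at'; return (host, mac) holding 'ip', or None."""
    holder = None
    for ts, event_id, ev_ip, host, mac in events:
        if ts > at:
            break
        if ev_ip != ip:
            continue
        holder = (host, mac) if event_id in ASSIGN_IDS else None
    return holder  # None also covers static addresses, which never appear here


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(who_had_ip(evs, "10.0.5.23", datetime(2024, 1, 15, 9, 0, 0)))
```

DhcpSrvLog timestamps are the DHCP server's local time, so convert the investigation timestamp into that zone before querying.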

NxLog

While there are many ways to send files as syslog, CYDERES recommends using NxLog to send Windows DHCP Logs to a Chronicle Forwarder service.

Configuration example:

# Install path and the Chronicle Forwarder destination; replace the <...> placeholders.
define ROOT C:\Program Files (x86)\nxlog
define OUTPUT_DESTINATION_ADDRESS <hostname>
define OUTPUT_DESTINATION_PORT <port>

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# Provides to_syslog_bsd(), used by the output below.
<Extension syslog>
    Module      xm_syslog
</Extension>

# The DHCP server writes one audit file per weekday (DhcpSrvLog-Mon.log ... DhcpSrvLog-Sun.log),
# hence the wildcard. SavePos keeps the read position across restarts so lines are not resent.
<Input dhcplogs>
    Module      im_file
    File        "C:\Windows\System32\dhcp\DhcpSrvLog-*.log"
    SavePos     TRUE
    InputType   LineBased
</Input>

# Send each line to the Chronicle Forwarder over TCP. The Exec wraps the line in a
# BSD syslog header; without it the xm_syslog extension is unused and lines go out as raw text.
<Output out_syslog>
    Module      om_tcp
    Host        %OUTPUT_DESTINATION_ADDRESS%
    Port        %OUTPUT_DESTINATION_PORT%
    Exec        to_syslog_bsd();
</Output>

<Route 1>
    Path        dhcplogs => out_syslog
</Route>