
Windows DHCP Logs

DHCP provides host enrichment to the Chronicle platform. The DHCP data source allows users to authoritatively say a host was at an IP at a given time during an investigation.

Chronicle Data Types

  • WINDOWS_DHCP

File-based DHCP Debug Logging

DHCP Server events are written to DHCP audit log files (if configured) and to the Windows Event Log. To import data using file-based logging, DHCP audit logging MUST be enabled on the server first.

Configuration: To enable DHCP Debug Logging, perform the following actions:

  1. Open the Microsoft Management Console (MMC) and open the DHCP snap-in
  2. Expand the DHCP server to be audited
  3. Click on IPv4 to expand the menu (the right-click context menu will not fully populate until the IPv4 menu has been expanded at least once)
  4. Right click on IPv4 and select Properties
  5. In the General tab, select the checkbox for Enable DHCP audit logging. DHCP will begin logging to "C:\Windows\System32\dhcp\".
  6. Open the Advanced tab. We recommend changing the Audit log file path to C:\Server (to remove the requirement for elevated permissions on the System32 folder), then click OK.
  7. Ensure that NXLog has permissions to read from this path.
  8. Restart the DHCP server by right-clicking the server and clicking All Tasks > Restart.


Configuration example

# Installation root and the Chronicle forwarder / syslog collector to send to.
# Replace <hostname> and <port> with the collector's address before starting NXLog.
define ROOT C:\Program Files (x86)\nxlog
define OUTPUT_DESTINATION_ADDRESS <hostname>
define OUTPUT_DESTINATION_PORT <port>

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# Loads syslog helpers; no Exec calls them below, so the audit log lines are
# forwarded as written by the DHCP service.
<Extension syslog>
    Module      xm_syslog
</Extension>

# Tail every rotated daily audit log. Adjust the path to match the
# Audit log file path chosen in the DHCP server's Advanced tab.
<Input dhcplogs>
    Module im_file
    File "C:\Server\dhcp\DhcpSrvLog-*.log"
    SavePos TRUE
    InputType LineBased
</Input>

# Plain TCP to the collector.
<Output out_syslog>
    Module om_tcp
    Host %OUTPUT_DESTINATION_ADDRESS%
    Port %OUTPUT_DESTINATION_PORT%
</Output>

<Route 1>
    Path dhcplogs => out_syslog
</Route>
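The enrichment use case described at the top of this page, answering "which host held this IP at time T", can be checked against the raw DhcpSrvLog-*.log files before (or independently of) shipping them with the configuration above. The following Python script is an added example, not code from the original page, from NXLog, or from Chronicle. It assumes the comma-separated column layout the DHCP service documents in the header it writes at the top of each audit log file, and the sample log embedded below is constructed for illustration (hostnames, MACs and addresses are invented). The event IDs it keys on (10 new lease, 11 renewal, 12 release, 16 deleted, 17 expired) come from that same per-file legend; confirm them against the header of your own files.

```python
"""Build a lease timeline from Windows DHCP Server audit log lines and
answer "which host held this IP at a given time?".

Added example; not from the original page, NXLog or Chronicle. Column
layout assumed from the legend/header the DHCP service writes into each
DhcpSrvLog-*.log file. SAMPLE_LOG is constructed test data.
"""
import csv
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Audit log event IDs that change who holds an address (per the legend the
# service writes at the top of each file; verify against your own files).
LEASE_START = {"10", "11"}       # new lease, renewal
LEASE_END = {"12", "16", "17"}   # released, deleted, expired

# Constructed sample mimicking the file layout: free-text legend, a header
# row, then one CSV record per event (MM/DD/YY date, HH:MM:SS time).
SAMPLE_LOG = """\
        Microsoft DHCP Service Activity Log

Event ID  Meaning
00      The log was started.
10      A new IP address was leased to a client.
11      A lease was renewed by a client.
12      A lease was released by a client.

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,TransactionID,QResult,Probationtime,CorrelationID,Dhcid,VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),RelayAgentInformation,DnsRegError
00,05/14/24,08:00:01,Started,,,,,0,6,,,,,,,,,0
10,05/14/24,08:05:12,Assign,10.0.5.21,WS-FINANCE-07.corp.example,D8F2CA112233,,1234567890,0,,,,,,,,,0
11,05/14/24,12:05:13,Renew,10.0.5.21,WS-FINANCE-07.corp.example,D8F2CA112233,,1234567891,0,,,,,,,,,0
12,05/14/24,17:30:44,Release,10.0.5.21,WS-FINANCE-07.corp.example,D8F2CA112233,,1234567892,0,,,,,,,,,0
10,05/14/24,17:45:09,Assign,10.0.5.21,LAPTOP-VISITOR.corp.example,AABBCC445566,,1234567893,0,,,,,,,,,0
"""


def when(text: str) -> datetime:
    """Parse the audit log's 'MM/DD/YY HH:MM:SS' timestamp (local server time)."""
    return datetime.strptime(text, "%m/%d/%y %H:%M:%S")


def parse_audit_log(text: str) -> List[dict]:
    """Return the CSV records after the 'ID,Date,Time,...' header as dicts."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("ID,Date,Time"):
            header, body = line.split(","), lines[i + 1:]
            break
    else:
        raise ValueError("no DHCP audit log header row found")
    records = []
    for row in csv.reader(body):
        if len(row) < 7 or not row[0].isdigit():
            continue  # blank line or stray text, not an event record
        rec = dict(zip(header, row))
        rec["ts"] = when(f"{rec['Date']} {rec['Time']}")
        records.append(rec)
    return records


@dataclass
class Lease:
    ip: str
    host: str
    mac: str
    start: datetime
    end: Optional[datetime] = None  # None: still held at end of log


def build_timeline(records: List[dict]) -> List[Lease]:
    """Fold lease events into intervals during which a client held an IP."""
    open_leases: Dict[str, Lease] = {}
    closed: List[Lease] = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        ip, event = rec["IP Address"], rec["ID"]
        if not ip:
            continue  # service start/stop, DB cleanup: no address involved
        current = open_leases.get(ip)
        if event in LEASE_START:
            if current and (current.host, current.mac) == (rec["Host Name"], rec["MAC Address"]):
                continue  # renewal by the same client: the interval continues
            if current:
                # Another client got the address with no release logged:
                # close the old interval at the moment of the new assignment.
                current.end = rec["ts"]
                closed.append(current)
            open_leases[ip] = Lease(ip, rec["Host Name"], rec["MAC Address"], rec["ts"])
        elif event in LEASE_END and current:
            current.end = rec["ts"]
            closed.append(open_leases.pop(ip))
    return closed + list(open_leases.values())


def host_at(timeline: List[Lease], ip: str, at: datetime) -> Optional[str]:
    """Hostname holding `ip` at instant `at`, or None if no lease covers it."""
    for lease in timeline:
        if lease.ip == ip and lease.start <= at and (lease.end is None or at < lease.end):
            return lease.host
    return None


if __name__ == "__main__":
    timeline = build_timeline(parse_audit_log(SAMPLE_LOG))
    for lease in timeline:
        print(f"{lease.ip} held by {lease.host} ({lease.mac}) from {lease.start} to {lease.end}")
    print(host_at(timeline, "10.0.5.21", when("05/14/24 10:00:00")))
```

Note that a query falling in the gap between a release and the next assignment returns None rather than the previous holder; the timeline deliberately does not carry a host past its release, since that is exactly the ambiguity the audit log is meant to remove.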