
Windows DHCP

About

Every device on a TCP/IP-based network must have a unique unicast IP address to access the network and its resources. Without DHCP, IP addresses for new computers or computers that are moved from one subnet to another must be configured manually; IP addresses for computers that are removed from the network must be manually reclaimed. With DHCP, this entire process is automated and managed centrally. The DHCP server maintains a pool of IP addresses and leases an address to any DHCP-enabled client when it starts up on the network. Because the IP addresses are dynamic (leased) rather than static (permanently assigned), addresses no longer in use are automatically returned to the pool for reallocation. (Windows DHCP)

Product Details

Vendor URL: Windows DHCP

Product Type: DHCP

Product Tier: Tier I

Integration Method: Syslog

Integration URL: Windows DHCP - Cyderes Documentation

Log Guide: NXLog Reference Page

Parser Details

Log Format: Syslog, KV, and JSON

Expected Normalization Rate: Near 100%

Data Label: WINDOWS_DHCP

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field        UDM Field
AccountName           principal.user.userid
AccountType           principal.group.group_display_name
additional_field      additional.fields
ASCIIUserClass        metadata.ingestion_labels
ASCIIVendorClass      metadata.ingestion_labels
bytes                 network.dhcp.client_identifier
Category, EventID     metadata.product_event_type
Channel               principal.process.file.full_path
Channel, EventID      metadata.product_event_type
ClientID              principal.user.product_object_id
ClientName            principal.user.userid
Description           metadata.description
Dhcid                 network.dhcp.client_identifier
Domain                principal.administrative_domain
EventID               metadata.product_event_type
EventID               security_result.rule_name
EventType             security_result.summary
EventType, Opcode     security_result.summary
ExecutionProcessID    principal.process.pid
formatted_mac         network.dhcp.chaddr
formatted_mac         principal.mac
Hostname              network.dhcp.client_hostname
Hostname              principal.hostname
HWType                network.dhcp.htype
ID                    metadata.product_event_type
ID                    security_result.rule_name
IPAddress             network.dhcp.ciaddr
IPAddress             network.dhcp.yiaddr
MACAddress            principal.mac
Message               metadata.description
Opcode                security_result.summary
operation             security_result.description
options               network.dhcp.options
PartnerServer         target.hostname
PhysicalAddress       principal.mac
ProcessID             principal.process.pid
ProviderGuid          principal.group.product_object_id
resource_name         target.resource.name
resource_type         target.resource.resource_type
ScopeName             principal.namespace
Server                target.hostname
severity              security_result.severity
sourcemodulename      metadata.ingestion_labels
sourcemoduletype      metadata.ingestion_labels
Server                target.ip
tempPartnerIP         target.ip
tempIP                principal.ip
TransactionID         metadata.product_log_id
TransactionID         network.dhcp.transaction_id

Product Event Types

Description                                                            metadata.event_type
Default                                                                GENERIC_EVENT
ID is one of 10, 11, 12, 13, 14, 15, 16, 17, 18, 20, 21, 22, 23        NETWORK_DHCP
Any of HostName, IPAddress, MACAddress or UserName is not provided     SYSTEM_AUDIT_LOG_UNCATEGORIZED

NETWORK_DHCP Log Sample

<13>1 2021-12-10T07:53:19.026537-06:00 servername01 - - - [NXLOG@123456 EventReceivedTime="2021-12-10 07:53:19" SourceModuleName="dhcp" SourceModuleType="im_file"] 10,12/10/21,07:53:18,Assign,10.10.10.10,name.domain.com,112233445566,,123456789,0,,,,,,,,,0  

NETWORK_DHCP Sample Parsing

metadata.event_timestamp.seconds= 1639122798
metadata.product_log_id= "123456789"
metadata.event_type= NETWORK_DHCP
metadata.vendor_name= "Microsoft"
metadata.product_name= "Windows DHCP"
metadata.product_event_type= "EventID: 10"
metadata.description= "Assign"
principal.ip= "10.10.10.10"
principal.mac= "11:22:33:44:55:66"
intermediary.hostname= "servername01"
security_result.rule_name= "EventID: 10"
security_result.action= ALLOW
network.direction= OUTBOUND
network.application_protocol= DHCP
network.dhcp.transaction_id= 123456789
network.dhcp.yiaddr= "10.10.10.10"
network.dhcp.chaddr= "11:22:33:44:55:66"
network.dhcp.type= ACK
network.dhcp.client_hostname= "name.domain.com"

Windows Eventlog Log Sample

<11>1 2021-12-10T08:08:23.572248+00:00 host.domain.local Microsoft-Windows-DHCP-Server 3684 - [NXLOG@14506 Keywords="1234567890" EventType="ERROR" EventID="20287" ProviderGuid="{95c8fda2-59f5-11ec-bf63-0242ac130002}" Version="0" TaskValue="0" OpcodeValue="0" RecordNumber="1242711" ExecutionThreadID="1122" Channel="DhcpAdminEvents" Domain="NT AUTHORITY" AccountName="NETWORK SERVICE" UserID="S-1-2-33" AccountType="Defined Group" Opcode="Info" ClientID="00A0B1C23D45" ScopeName="SCOPE_NAME_HERE" EventReceivedTime="2021-12-10 08:08:25" SourceModuleName="dhcp_server_eventlog" SourceModuleType="im_msvistalog"] DHCP client request from 00A0B1C23D45 was dropped since the applicable IP address ranges in scope/superscope SCOPE_NAME_HERE are out of available IP addresses. This could be because of IP address ranges of a policy being out of available IP addresses.  

Windows Eventlog Sample Parsing

metadata.event_timestamp.seconds= 1639123705
metadata.event_type= GENERIC_EVENT
metadata.vendor_name= "Microsoft"
metadata.product_name= "Windows DHCP"
metadata.product_event_type= "EventID: 20287"
metadata.description= "DHCP client request from 00A0B1C23D45 was dropped since the applicable IP address ranges in scope/superscope SCOPE_NAME_HERE are out of available IP addresses. This could be because of IP address ranges of a policy being out of available IP addresses."
metadata.ingestion_labels.key= "SourceModuleType"
metadata.ingestion_labels.value= "im_msvistalog"
metadata.ingestion_labels.key= "SourceModuleName"
metadata.ingestion_labels.value= "dhcp_server_eventlog"
principal.user.product_object_id= "00A0B1C23D45"
principal.user.userid= "NETWORK SERVICE"
principal.user.windows_sid= "S-1-2-33"
principal.group.product_object_id= "{95c8fda2-59f5-11ec-bf63-0242ac130002}"
principal.group.group_display_name= "Defined Group"
principal.process.pid= "1122"
principal.process.file.full_path= "DhcpAdminEvents"
principal.administrative_domain= "NT AUTHORITY"
principal.namespace= "SCOPE_NAME_HERE"
intermediary.hostname= "host.domain.local"
security_result.rule_name= "EventID: 20287"
security_result.summary= "EventType: ERROR | Opcode: Info"
security_result.action= UNKNOWN_ACTION
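As an added example, not the Cyderes parser or any NXLog code, the following Python normalizer applies the field mapping, the event-type rules and both log samples from this page, which is useful for validating what a detection rule will see in the resulting UDM. It makes a few assumptions beyond the page, each noted in a comment: the audit-log column names past the ones the sample populates follow Microsoft's documented DhcpSrvLog layout; Renew and Release message types are inferred from standard DHCP semantics (the page only documents Assign as ACK); ExecutionThreadID is accepted as a fallback for principal.process.pid because the page's event-log sample shows it landing there; and the ID rule is applied before the missing-field rule, since the page's ID 10 sample with a blank UserName is classified NETWORK_DHCP.

```python
"""Normalize NXLog-wrapped Windows DHCP records into flat UDM-style keys.

Added example mirroring the mapping table and event-type rules on this page;
it is not the Cyderes parser itself.
"""
import re
from datetime import datetime, timezone

# RFC 5424 header as NXLog emits it: <PRI>1 TS HOST APP PROCID MSGID [SD] MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) \[(?P<sd>[^\]]*)\] ?(?P<msg>.*)$"
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Column order of the Microsoft DHCP server audit log (DhcpSrvLog-*.log). This is
# Microsoft's documented layout (an assumption beyond this page); the page's sample
# populates only the first columns.
AUDIT_COLUMNS = [
    "ID", "Date", "Time", "Description", "IPAddress", "HostName", "MACAddress",
    "UserName", "TransactionID", "QResult", "ProbationTime", "CorrelationID",
    "Dhcid", "VendorClassHex", "VendorClassASCII", "UserClassHex",
    "UserClassASCII", "RelayAgentInformation", "DnsRegError",
]
# Audit-log IDs the page classifies as NETWORK_DHCP.
NETWORK_DHCP_IDS = {"10", "11", "12", "13", "14", "15", "16", "17", "18",
                    "20", "21", "22", "23"}
# The page documents only Assign (10) -> ACK; Renew/Release are an assumption
# based on standard DHCP semantics.
DHCP_MESSAGE_TYPE = {"10": "ACK", "11": "ACK", "12": "RELEASE"}
# Event-log keys copied straight into UDM, per the mapping table on this page.
EVENTLOG_MAP = {
    # Assumption: the page's sample carries ExecutionThreadID and shows it in
    # principal.process.pid; the table's own keys below override it if present.
    "ExecutionThreadID": "principal.process.pid",
    "ExecutionProcessID": "principal.process.pid",
    "ProcessID": "principal.process.pid",
    "ClientID": "principal.user.product_object_id",
    "AccountName": "principal.user.userid",
    "UserID": "principal.user.windows_sid",
    "ProviderGuid": "principal.group.product_object_id",
    "AccountType": "principal.group.group_display_name",
    "Channel": "principal.process.file.full_path",
    "Domain": "principal.administrative_domain",
    "ScopeName": "principal.namespace",
}


def format_mac(raw: str) -> str:
    """Turn the audit log's bare 12-hex-digit MAC into colon notation."""
    if re.fullmatch(r"[0-9A-Fa-f]{12}", raw):
        return ":".join(raw[i:i + 2] for i in range(0, 12, 2))
    return raw  # leave anything unexpected untouched rather than mangling it


def parse_syslog(line: str) -> dict:
    """Split the RFC 5424 envelope; structured-data params become a dict."""
    m = SYSLOG_RE.match(line.rstrip())
    if not m:
        raise ValueError("not an RFC 5424 line with structured data")
    hdr = m.groupdict()
    hdr["sd"] = dict(KV_RE.findall(hdr["sd"]))
    return hdr


def _epoch_utc(text: str, fmt: str) -> int:
    # The page's timestamps treat the logged wall-clock time as UTC.
    return int(datetime.strptime(text, fmt).replace(tzinfo=timezone.utc).timestamp())


def _audit(f: dict, udm: dict) -> dict:
    udm["metadata.event_timestamp.seconds"] = _epoch_utc(f"{f['Date']} {f['Time']}", "%m/%d/%y %H:%M:%S")
    udm["metadata.product_event_type"] = udm["security_result.rule_name"] = f"EventID: {f['ID']}"
    udm["metadata.description"] = f["Description"]
    udm["metadata.product_log_id"] = f["TransactionID"]
    if f["ID"] in NETWORK_DHCP_IDS:  # ID rule first (page's ID 10 sample has blank UserName)
        mac = format_mac(f["MACAddress"])
        udm.update({
            "metadata.event_type": "NETWORK_DHCP", "principal.ip": f["IPAddress"],
            "principal.mac": mac, "security_result.action": "ALLOW",
            "network.direction": "OUTBOUND", "network.application_protocol": "DHCP",
            "network.dhcp.yiaddr": f["IPAddress"], "network.dhcp.chaddr": mac,
            "network.dhcp.client_hostname": f["HostName"],
        })
        if f["TransactionID"].isdigit():
            udm["network.dhcp.transaction_id"] = int(f["TransactionID"])
        if f["ID"] in DHCP_MESSAGE_TYPE:
            udm["network.dhcp.type"] = DHCP_MESSAGE_TYPE[f["ID"]]
    elif any(not f[k] for k in ("HostName", "IPAddress", "MACAddress", "UserName")):
        udm["metadata.event_type"] = "SYSTEM_AUDIT_LOG_UNCATEGORIZED"
    else:
        udm["metadata.event_type"] = "GENERIC_EVENT"
    return udm


def _eventlog(sd: dict, msg: str, udm: dict) -> dict:
    udm["metadata.event_timestamp.seconds"] = _epoch_utc(sd["EventReceivedTime"], "%Y-%m-%d %H:%M:%S")
    udm["metadata.event_type"] = "GENERIC_EVENT"
    udm["metadata.product_event_type"] = udm["security_result.rule_name"] = f"EventID: {sd['EventID']}"
    udm["metadata.description"] = msg.strip()
    udm["security_result.summary"] = f"EventType: {sd.get('EventType', '')} | Opcode: {sd.get('Opcode', '')}"
    udm["security_result.action"] = "UNKNOWN_ACTION"
    for key, field in EVENTLOG_MAP.items():
        if key in sd:
            udm[field] = sd[key]
    return udm


def normalize(line: str) -> dict:
    """Route on SourceModuleType: im_file is the audit log, anything else the event log."""
    hdr = parse_syslog(line)
    sd = hdr["sd"]
    udm = {
        "metadata.vendor_name": "Microsoft", "metadata.product_name": "Windows DHCP",
        "intermediary.hostname": hdr["host"],
        "metadata.ingestion_labels": {k: sd[k] for k in ("SourceModuleName", "SourceModuleType") if k in sd},
    }
    if sd.get("SourceModuleType") == "im_file":
        f = dict.fromkeys(AUDIT_COLUMNS, "")
        f.update(zip(AUDIT_COLUMNS, hdr["msg"].strip().split(",")))
        return _audit(f, udm)
    return _eventlog(sd, hdr["msg"], udm)


# Both lines are the samples shown on this page.
AUDIT_SAMPLE = ('<13>1 2021-12-10T07:53:19.026537-06:00 servername01 - - - [NXLOG@123456 '
                'EventReceivedTime="2021-12-10 07:53:19" SourceModuleName="dhcp" SourceModuleType="im_file"] '
                '10,12/10/21,07:53:18,Assign,10.10.10.10,name.domain.com,112233445566,,123456789,0,,,,,,,,,0')
EVENTLOG_SAMPLE = ('<11>1 2021-12-10T08:08:23.572248+00:00 host.domain.local Microsoft-Windows-DHCP-Server 3684 - '
                   '[NXLOG@14506 Keywords="1234567890" EventType="ERROR" EventID="20287" '
                   'ProviderGuid="{95c8fda2-59f5-11ec-bf63-0242ac130002}" Version="0" TaskValue="0" OpcodeValue="0" '
                   'RecordNumber="1242711" ExecutionThreadID="1122" Channel="DhcpAdminEvents" Domain="NT AUTHORITY" '
                   'AccountName="NETWORK SERVICE" UserID="S-1-2-33" AccountType="Defined Group" Opcode="Info" '
                   'ClientID="00A0B1C23D45" ScopeName="SCOPE_NAME_HERE" EventReceivedTime="2021-12-10 08:08:25" '
                   'SourceModuleName="dhcp_server_eventlog" SourceModuleType="im_msvistalog"] DHCP client request '
                   'from 00A0B1C23D45 was dropped since the applicable IP address ranges in scope/superscope '
                   'SCOPE_NAME_HERE are out of available IP addresses.')

if __name__ == "__main__":
    for sample in (AUDIT_SAMPLE, EVENTLOG_SAMPLE):
        for k, v in normalize(sample).items():
            print(f"{k} = {v!r}")
        print()
```

Running the module prints the flat UDM view of both samples; the timestamp choice (CSV Date/Time for the audit log, EventReceivedTime for the event log) reproduces the epoch seconds shown in the two Sample Parsing sections above, which is a quick way to confirm a timezone assumption before trusting time-based correlation rules.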

Parser Alerting

This product currently does not have any Parser-based Alerting