Windows DHCP¶
About¶
Every device on a TCP/IP-based network must have a unique unicast IP address to access the network and its resources. Without DHCP, IP addresses for new computers or computers that are moved from one subnet to another must be configured manually; IP addresses for computers that are removed from the network must be manually reclaimed. With DHCP, this entire process is automated and managed centrally. The DHCP server maintains a pool of IP addresses and leases an address to any DHCP-enabled client when it starts up on the network. Because the IP addresses are dynamic (leased) rather than static (permanently assigned), addresses no longer in use are automatically returned to the pool for reallocation. (Windows DHCP)
Product Details¶
Vendor URL: Windows DHCP
Product Type: DHCP
Product Tier: Tier I
Integration Method: Syslog
Integration URL: Windows DHCP - Cyderes Documentation
Log Guide: NXLog Reference Page
Parser Details¶
Log Format: Syslog, KV, and JSON
Expected Normalization Rate: Near 100%
Data Label: WINDOWS_DHCP
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| AccountName | principal.user.userid |
| AccountType | principal.group.group_display_name |
| additional_field | additional.fields |
| ASCIIUserClass | metadata.ingestion_labels |
| ASCIIVendorClass | metadata.ingestion_labels |
| bytes | network.dhcp.client_identifier |
| Category EventID | metadata.product_event_type |
| Channel | principal.process.file.full_path |
| Channel EventID | metadata.product_event_type |
| ClientID | principal.user.product_object_id |
| ClientName | principal.user.userid |
| Description | metadata.description |
| Dhcid | network.dhcp.client_identifier |
| Domain | principal.administrative_domain |
| EventID | metadata.product_event_type |
| EventID | security_result.rule_name |
| EventType | security_result.summary |
| EventType Opcode | security_result.summary |
| ExecutionProcessID | principal.process.pid |
| formatted_mac | network.dhcp.chaddr |
| formatted_mac | principal.mac |
| Hostname | network.dhcp.client_hostname |
| Hostname | principal.hostname |
| HWType | network.dhcp.htype |
| ID | metadata.product_event_type |
| ID | security_result.rule_name |
| IPAddress | network.dhcp.ciaddr |
| IPAddress | network.dhcp.yiaddr |
| MACAddress | principal.mac |
| Message | metadata.description |
| Opcode | security_result.summary |
| operation | security_result.description |
| options | network.dhcp.options |
| PartnerServer | target.hostname |
| PhysicalAddress | principal.mac |
| ProcessID | principal.process.pid |
| ProviderGuid | principal.group.product_object_id |
| resource_name | target.resource.name |
| resource_type | target.resource.resource_type |
| ScopeName | principal.namespace |
| Server | target.hostname |
| severity | security_result.severity |
| sourcemodulename | metadata.ingestion_labels |
| sourcemoduletype | metadata.ingestion_labels |
| target.ip | Server |
| target.ip | tempPartnerIP |
| tempIP | principal.ip |
| TransactionID | metadata.product_log_id |
| TransactionID | network.dhcp.transaction_id |
Product Event Types¶
| Description | metadata.event_type |
|---|---|
| Default | GENERIC_EVENT |
| If ID = 10, 11, 12, 13, 14, 15, 16, 17, 18, 20, 21, 22, 23 | NETWORK_DHCP |
| If any of HostName, IPAddress, MACAddress, and UserName are not provided | SYSTEM_AUDIT_LOG_UNCATEGORIZED |
NETWORK_DHCP Log Sample¶
<13>1 2021-12-10T07:53:19.026537-06:00 servername01 - - - [NXLOG@123456 EventReceivedTime="2021-12-10 07:53:19" SourceModuleName="dhcp" SourceModuleType="im_file"] 10,12/10/21,07:53:18,Assign,10.10.10.10,name.domain.com,112233445566,,123456789,0,,,,,,,,,0
NETWORK_DHCP Sample Parsing¶
metadata.event_timestamp.seconds= 1639122798
metadata.product_log_id= "123456789"
metadata.event_type= NETWORK_DHCP
metadata.vendor_name= "Microsoft"
metadata.product_name= "Windows DHCP"
metadata.product_event_type= "EventID= 10"
metadata.description= "Assign"
principal.ip= "10.10.10.10"
principal.mac= "11=22=33=44=55=66"
intermediary.hostname= "servername01"
security_result.rule_name= "EventID= 10"
security_result.action= ALLOW
network.direction= OUTBOUND
network.application_protocol= DHCP
network.dhcp.transaction_id= 123456789
network.yiaddr= "10.10.10.10"
network.chaddr= "11=22=33=44=55=66"
network.type= ACK
network.client_hostname= "name.domain.com"
Windows Eventlog Log Sample¶
<11>1 2021-12-10T08:08:23.572248+00:00 host.domain.local Microsoft-Windows-DHCP-Server 3684 - [NXLOG@14506 Keywords="1234567890" EventType="ERROR" EventID="20287" ProviderGuid="{95c8fda2-59f5-11ec-bf63-0242ac130002}" Version="0" TaskValue="0" OpcodeValue="0" RecordNumber="1242711" ExecutionThreadID="1122" Channel="DhcpAdminEvents" Domain="NT AUTHORITY" AccountName="NETWORK SERVICE" UserID="S-1-2-33" AccountType="Defined Group" Opcode="Info" ClientID="00A0B1C23D45" ScopeName="SCOPE_NAME_HERE" EventReceivedTime="2021-12-10 08:08:25" SourceModuleName="dhcp_server_eventlog" SourceModuleType="im_msvistalog"] DHCP client request from 00A0B1C23D45 was dropped since the applicable IP address ranges in scope/superscope SCOPE_NAME_HERE are out of available IP addresses. This could be because of IP address ranges of a policy being out of available IP addresses.
Windows Eventlog Sample Parsing¶
metadata.event_timestamp.seconds= 1639123705
metadata.event_type= GENERIC_EVENT
metadata.vendor_name= "Microsoft"
metadata.product_name= "Windows DHCP"
metadata.product_event_type= "EventID= 20287"
metadata.description= "DHCP client request from 00A0B1C23D45 was dropped since the applicable IP address ranges in scope/superscope SCOPE_NAME_HERE are out of available IP addresses. This could be because of IP address ranges of a policy being out of available IP addresses."
metadata.ingestion_labels.key= "SourceModuleType"
metadata.ingestion_labels.value= "im_msvistalog"
metadata.ingestion_labels.key= "SourceModuleName"
metadata.ingestion_labels.value= "dhcp_server_eventlog"
principal.user.product_object_id= "00A0B1C23D45"
principal.user.userid= "NETWORK SERVICE"
principal.user.windows_sid= "S-1-2-33"
principal.group.product_object_id= "{95c8fda2-59f5-11ec-bf63-0242ac130002}"
principal.group.group_display_name= "Defined Group"
principal.process.pid= "1122"
principal.process.file.full_path= "DhcpAdminEvents"
principal.administrative_domain= "NT AUTHORITY"
principal.namespace= "SCOPE_NAME_HERE"
intermediary.hostname= "host.domain.local"
security_result.rule_name= "EventID= 20287"
security_result.summary= "EventType= ERROR | Opcode= Info"
security_result.action= UNKNOWN_ACTION
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming Soon