LogLogic Microsoft Dynamic Host Configuration Protocol (DHCP) Log Configuration Guide

Transcription

1 LogLogic Microsoft Dynamic Host Configuration Protocol (DHCP) Log Configuration Guide Document Release: September 2011 Part Number: LL ELS This manual supports LogLogic Microsoft DHCP Release 1.0 and later, and LogLogic Software Release 5.1 and later until replaced by a new edition.

2 2011 LogLogic, Inc. Proprietary Information Trademarks This document contains proprietary and confidential information of LogLogic, Inc. and its licensors. In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc. LogLogic and the LogLogic logo are trademarks or registered trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company or product names are trademarks or registered trademarks of their respective owners. Notice The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set our exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation. LogLogic, Inc. 110 Rose Orchard Way, Suite 200 San Jose, CA Tel: Fax: U.S. Toll Free:

3 Contents Preface About This Guide Technical Support Documentation Support Conventions Chapter 1 Configuring LogLogic s Microsoft DHCP Log Collection Introduction to Microsoft DHCP Prerequisites Configuring Microsoft DHCP for Audit Logging Changing the Path of the Audit Log File Audit Log File Rotation Policy Configuring Microsoft DHCP for Operational s Installing and Configuring Project Lasso Enabling the LogLogic Appliance to Capture Log Data Configuring the LogLogic Appliance for Data and File Collection Automatically Identifying a Microsoft DHCP Device Adding Microsoft DHCP Device Creating File Transfer Rules Verifying the Configuration Chapter 2 How LogLogic Supports Microsoft DHCP How LogLogic Captures Microsoft DHCP Log Data Supported Microsoft DHCP Log Data LogLogic Real-Time Reports LogLogic Search Filters Chapter 3 Troubleshooting and FAQ Troubleshooting Problems Retrieving Log Files Using Configured File Transfer Rules Frequently Asked Questions Appendix A Reference LogLogic Support for Microsoft DHCP s Microsoft DHCP Log Configuration Guide 3

4 4 Microsoft DHCP Log Configuration Guide

5 Preface About This Guide The LogLogic Appliance-based solution lets you capture and manage log data from all types of log sources in your enterprise. The LogLogic support for Microsoft Dynamic Host Configuration Protocol (DHCP) enables LogLogic Appliances to capture logs from machines running Microsoft DHCP. Once the logs are captured and parsed, you can generate reports and create alerts on Microsoft DHCP s operations. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help. Technical Support LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances. To reach LogLogic Customer Support: Telephone: Toll Free LOGS Local EMEA or APAC: + 44 (0) or +44 (0) support@loglogic.com You can also visit the LogLogic Support website at: When contacting Customer Support, be prepared to provide: Your name, address, phone number, and fax number Your company name and company address Your machine type and release version A description of the problem and the content of pertinent error messages (if any) Documentation Support Your feedback on LogLogic documentation is important to us. Send to DocComments@loglogic.com if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team. In your message, please indicate the software name and version you are using, as well as the title and document date of your documentation. Microsoft DHCP Log Configuration Guide 5

6 Conventions LogLogic documentation uses the following conventions to highlight code and command-line elements: A monospace font is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as filenames, directories, paths, and URLs). A monospace bold font is used to distinguish system prompts or screen output from user responses, as in this example: username: system home directory: home\app A monospace italic font is used for placeholders, which are general names that you replace with names specific to your site, as in this example: LogLogic_home_directory\upgrade\ Straight brackets signal options in command-line syntax. For example: ls [-AabCcdFfgiLlmnopqRrstux1] [-X attr] [path...] 6 Microsoft DHCP Log Configuration Guide

7 Chapter 1 Configuring LogLogic s Microsoft DHCP Log Collection This chapter describes configuration steps that enable a LogLogic Appliance to capture Microsoft DHCP logs. The configuration steps assume that you have a functioning LogLogic Appliance that can be configured to capture Microsoft DHCP log data. Introduction to Microsoft DHCP Prerequisites Configuring Microsoft DHCP for Audit Logging Configuring Microsoft DHCP for Operational s Enabling the LogLogic Appliance to Capture Log Data Verifying the Configuration Introduction to Microsoft DHCP The LogLogic Appliance enables you to capture Microsoft DHCP audit and operational log data. Audit log events can capture critical information about Microsoft DHCP server that is essential to meet compliance requirements. For example, Microsoft DHCP provides options to audit server startup, shutdown, and restart status. It also gives information related to the server s authorization status with Active Directory and records lease, renew, and update actions with the Domain Name System (DNS) database. Operational log event information is posted in Windows System logs. These logs contain information related to DHCP server configuration changes and its status information. Note: LogLogic support is limited to Windows Server 2003, 2008 events. For more information, see Supported Microsoft DHCP Log Data on page 19. Microsoft DHCP audit logs are captured via file pull using a file transfer rule. Microsoft DHCP operational logs are captured by LogLogic s open source Windows Collector, Project Lasso. The Windows Collector can run in one of the following modes, Agent Mode, Collector Mode, or both (i.e., a hybrid mode). Regardless of the mode used, all collected operational logs are forwarded to the LogLogic Appliance using Syslog via UDP or TCP. The configuration procedures for Microsoft DHCP and the LogLogic Appliance depend upon your environment, what logs you want to capture, and how the Windows Collector is configured (if applicable). For more information, see How LogLogic Captures Microsoft DHCP Log Data on page 18 and the LogLogic Windows Collector Guide (Project Lasso). Microsoft DHCP Log Configuration Guide 7

8 Prerequisites Prior to configuring Microsoft DHCP and the LogLogic Appliance, ensure that you meet the following prerequisites: Microsoft DHCP Service installed on Windows Server 2003, 2008 with SP1 or SP3 Administrative access on the DHCP server For operational logs: Project Lasso Release 4.0 or later installed on the DHCP server. For more information, see the LogLogic Windows Collector Guide (Project Lasso). For audit logs: 3rd-party FTP, FTP(S), HTTP(S), CIFS, SCP, and/or SFTP server software installed for any platform that does not have these capabilities by default. For more information, see Configuring the LogLogic Appliance for Data and File Collection on page 11. LogLogic Appliance running Release 5.1 or later installed with a Log Source Package that includes Microsoft DHCP Server support Administrative access on LogLogic Appliance Configuring Microsoft DHCP for Audit Logging Audit logging is configured by default on a Microsoft DHCP server. Make sure that your configuration matches the one described in the following steps. To enable Microsoft DHCP server logging: 1. Log in to the Microsoft DHCP server. 2. From the Windows Start menu, select Settings > Control Panel. 3. Double-click Administrative Tools. 4. Double-click DHCP. The DHCP console appears. 5. Expand the tree on the left, and select the applicable DHCP server from the list. 6. On the Action menu, click Properties. 7. On the General tab, select the Enable DHCP audit logging checkbox. 8. Click OK. 8 Microsoft DHCP Log Configuration Guide

9 Figure 1 DHCP Console Changing the Path of the Audit Log File Only the directory path in which the Microsoft DHCP server stores audit log files can be modified using the DHCP console, and not the filename. The DHCP server service bases the name of the audit log file on the current day of the week, as determined by checking the current date and time at the server. For example, when the DHCP server starts, if the current date and time is: Monday, April 7, 2011, 04:56:42 P.M. Then the server audit log file is nameddhcpsrvlog-mon. To change the path of the audit log file: 1. Log in to the Microsoft DHCP server. 2. From the Windows Start menu, select Settings > Control Panel. 3. Double-click Administrative Tools. 4. Double-click DHCP. The DHCP console appears. 5. Expand the tree on the left, and select the applicable DHCP server from the list. Microsoft DHCP Log Configuration Guide 9

10 6. On the Action menu, click Properties. 7. Click the Advanced tab. 8. Edit Audit log file path as necessary and click OK. Audit Log File Rotation Policy Microsoft DHCP server rotates the files based on days. By default, at 12:00 a.m. local time on the server machine, the DHCP server closes the existing log and moves it to the log file for the next day of the week. For example, if the day of the week changes at 12:00 a.m. from Wednesday to Thursday, the log file named DhcpSrvLog-Wed is closed and the file named DhcpSrvLog-Thu is opened and used for logging events. If the disk is full, the DHCP server closes the current file and ignores further requests to log audit events until either 12:00 a.m. or until the disk is no longer full. The disk is considered full if either of the following conditions is true: Disk space on the server machine is lower than the required minimum amount for DHCP audit logging. By default, if the amount of disk space remaining on the server disk reaches less than 20 MegaBytes (MB), audit logging is halted. The current audit log file is larger than one-seventh of the size for the combined total of all audit logs currently stored on the server. Configuring Microsoft DHCP for Operational s Microsoft DHCP server operational events are posted in the Windows Viewer. The events are located in the System logs under the DHCP server with DHCP as the source. These events can be captured by LogLogic Appliance using Project Lasso. Installing and Configuring Project Lasso The Microsoft DHCP logs are collected and transported using Project Lasso. Project Lasso is used to collect and transfer Windows logs to the LogLogic Appliance. By default, the Project Lasso program directory is located at: C:\Program Files\Lasso Project Lasso spools log messages if the connection to the Appliance is temporarily lost. By default, the following directory contains all spooled log messages: C:\Program Files\Lasso\LassoRepository\Spool You can change the host machine and event log identification information by editing the hostlist.ini configuration file in Project Lasso. You can change the spool log location and other Lasso monitoring parameters by editing the Lasso.ini file. For the complete installation and configuration procedures for Project Lasso, including information on the Lasso.ini and hostlist.ini files, see the LogLogic Windows Collector Guide (Project Lasso). 10 Microsoft DHCP Log Configuration Guide

11 Enabling the LogLogic Appliance to Capture Log Data The following sections describe how to enable the LogLogic Appliance to capture Microsoft DHCP log data. Configuring the LogLogic Appliance for Data and File Collection The LogLogic Appliance recognizes Microsoft DHCP operational events in Syslog format via the Syslog Listener. The Appliance captures Microsoft DHCP audit events using file pull functionality via a file transfer rule. The deployment method you use to collect Microsoft DHCP file-based data depends on what events you want to capture. Microsoft DHCP Data Collection for Operational s If you are trying to capture operational event data, you need to use the following deployment method for file collection: 1. Properly configure Microsoft DHCP to generate operational events (see Configuring Microsoft DHCP for Operational s on page 10). 2. Properly configure Project Lasso on a remote Host Server (see Installing and Configuring Project Lasso on page 10). 3. On the LogLogic Appliance, make sure that the Microsoft DHCP device was correctly auto-identified. For more information, see Automatically Identifying a Microsoft DHCP Device on page 12. Microsoft DHCP File Collection for Audit s If you are trying to capture audit event data, you need to use the following deployment method for file collection: 1. Configure a remote Host Server with file transfer capability to capture log files from the Microsoft DHCP host machine. The following procedure explains, at a high-level, how to configure your environment to capture file-based log messages via SFTP. LogLogic recommends using SFTP for Windows-based systems, or SCP for Unix-based systems, to securely transfer files to the LogLogic Appliance from your log source. However, you can use any of the LogLogic-supported protocols in your environment (i.e., FTP(S), HTTP(S), SCP, etc.). Note: For more information on each supported protocol, including whether a Public Key Copy is needed and what search methods (i.e., CSV, Wildcard) are available, see the LogLogic Administration Guide. a. Make sure that a destination directory (i.e., log directory) exists and is accessible on the host machine where Microsoft DHCP is installed. The destination directory should contain the original log files that Microsoft DHCP generates. b. Transfer the Microsoft DHCP log files to a separate publishing directory on the remote Host Server. You can use a script or 3rd-party software that makes a copy of or moves the log files from the destination directory (i.e., log directory) to the publishing directory. In addition, if you are using a script, you can specify the schedule for when the script runs (e.g., hourly, daily, or weekly). Microsoft DHCP Log Configuration Guide 11

12 Note: LogLogic recommends that you define a clean-up process to handle old log files that accumulate over time. 2. On the LogLogic Appliance, add Microsoft DHCP to the Appliance as a new device. For more information, see Adding Microsoft DHCP Device on page Create a file transfer rule and specify SFTP as the Protocol. For more information, see Creating File Transfer Rules on page 14. IMPORTANT! SCP and SFTP have limitations in their ability to pull a large number of files (100 or more). LogLogic recommends that you compress the files into a single file (such as.tar or tar.gz) before the files are pulled by the LogLogic Appliance. 4. File transfer rules using SFTP as the protocol require a public key copy from the LogLogic Appliance. You need to copy the Appliance s public key to the remote Host Server. For more information on public key copy, see the LogLogic Administration Guide. Automatically Identifying a Microsoft DHCP Device IMPORTANT! The Microsoft DHCP device is auto-identified when operational events are captured by Project Lasso. However, you must add the device manually if you are capturing audit events by file pull via file transfer rule. For more information, see Adding Microsoft DHCP Device on page 13. With the auto-identification feature, the LogLogic Appliance recognizes Microsoft DHCP operational log messages in Syslog format using Project Lasso. As the Syslog messages come into the Appliance, they are automatically identified and a new Microsoft DHCP device type is added to the log source device list. Default values are used for certain properties, such as the device name. To enable auto-identification in the LogLogic Appliance: 1. Log in to the LogLogic Appliance. 2. From the navigation menu, select Administration > System Settings. The General tab appears. 3. For Auto-identify Log Sources, select Yes. 4. Click Update. Once the automatically identified device is added, you can edit its properties. IMPORTANT! Do not change the auto-identified Device Type and Host IP information. To edit an existing Microsoft DHCP device: 1. Log in to the LogLogic Appliance. 2. From the navigation menu, select Management > Devices. The Devices tab appears. 3. Click on an existing Microsoft DHCP device in the list and click Modify Device. The Modify Device tab appears. 4. Edit the device fields as needed, then click Update Device. 12 Microsoft DHCP Log Configuration Guide

13 Adding Microsoft DHCP Device IMPORTANT! You must add the Microsoft DHCP device manually if you are capturing audit events by file pull via file transfer rule. The device is auto-identified when operational events are captured by Project Lasso. For more information, see Automatically Identifying a Microsoft DHCP Device on page 12. LogLogic captures Microsoft DHCP audit log files using file pull functionality via file transfer rule. You must add the server as a new device so LogLogic can properly handle the log file data to make it available through reports and searching. Once you have successfully added the Microsoft DHCP device, you must configure file transfer rules for file collection. For more information, see Configuring the LogLogic Appliance for Data and File Collection on page 11. To add Microsoft DHCP as a new device: 1. Log in to the LogLogic Appliance. 2. From the navigation menu, select Management > Devices. The Devices tab appears. 3. Click Add New. The Add Device tab appears. 4. Type in the following information for the device: Name Name for the Microsoft DHCP device Description (optional) Description of the Microsoft DHCP device Device Type Select Microsoft DHCP from the drop-down menu Host IP IP address of the Microsoft DHCP appliance Enable Data Collection Select the Yes radio button Refresh Device Name through DNS Lookups (optional) Select this checkbox to enable the Name field to be automatically updated. The name is obtained using a reverse DNS lookup on the configured refresh interval. The DNS name overrides any manual name you assign. Microsoft DHCP Log Configuration Guide 13

14 Figure 2 Adding a Device to the LogLogic Appliance 5. Click Add. 6. Verify that your new device appears in the Devices tab and that Enabled is set to Yes. After you add the new device, you can configure the LogLogic Appliance by setting up file transfer rules. For information on configuring the LogLogic Appliance to capture Microsoft DHCP log messages, see Configuring the LogLogic Appliance for Data and File Collection on page 11. Creating File Transfer Rules Note: Creating a file transfer rule is only required if you are capturing Microsoft DHCP audit events. After you add your Microsoft DHCP device, you can create a file transfer rule for the log files. File transfer rules enable the LogLogic Appliance to pull files from the host machine or remote Host Server publishing the Microsoft DHCP log files. LogLogic supports the following wildcards: * (asterisk),? (question mark), and [...] (open and close brackets) using directory queries. If you use wildcards, you must enable directory listing on your host machine or remote Host Server. Examples: file /foo/file, /bar/*.log /foo?/bar*/*.aud, /foo1/file1.tar.gz, /foo1/file2.z /foo[2-8]/bar*/net*.log LogLogic can pull and decompress archive files, extract individual files from the archive files, and then process the individual files. The following file types are supported:.tar.bz2,.tar.gz, tar.z,.tgz,.taz,.tar,.gz,.z,.z,.zip,.zip. For more information, see the LogLogic Administration Guide. 14 Microsoft DHCP Log Configuration Guide

15 To create a file transfer rule: 1. Log in to the LogLogic Appliance. 2. From the navigation menu, select Management > Devices. 3. Select the File Transfer Rules tab. 4. Add a rule for the Microsoft DHCP log files you want to capture by completing the following steps: a. From the Device Type drop-down menu, select the machine where Microsoft DHCP is installed. b. From the Device drop-down menu, select the appropriate Microsoft DHCP device. Note: If you have added only one Microsoft DHCP device, the device name is automatically added. c. Click Add Rule then enter the appropriate information for the following required fields: Rule Name Name of the transfer rule (e.g., Microsoft DHCP log files) Protocol Specify the appropriate protocol (e.g., SFTP, SCP, FTP(S), etc.) Note: LogLogic recommends using a secure file transfer protocol, such as SFTP for Windows-based devices or SCP for UNIX-based devices. If you are using SFTP or SCP, you must copy the Appliance s public key to the machine where the logs are located. For more information, see Configuring the LogLogic Appliance for Data and File Collection on page 11 and the LogLogic Administration Guide. User ID Specify only if the protocol requires a User ID Password/Verify Password Specify only if required for the User ID Files Full path (after the IP address) to the Host Server where the Microsoft DHCP log files are located. For example: /publishing directory/dhcp/dhcpsrvlog* To capture all logs in a specific directory specify the asterisk (*) wildcard. For example: /publishing directory/dhcp/*.zip The server can be the host machine where the device is installed or a remote Host Server with file transfer functionality. For more information, see Configuring the LogLogic Appliance for Data and File Collection on page 11. File Format Select Microsoft DHCP Audit Log from the drop-down menu Collection Time Specify the time you want to retrieve the log file Use Advanced Duplication Detection Select the Yes radio button if you want the LogLogic Appliance to check for duplicate data while capturing the Microsoft DHCP logs. Enable Select the Yes radio button to enable the file transfer rule d. Click Add. Microsoft DHCP Log Configuration Guide 15

16 Figure 3 Add File Transfer Rule Tab Verifying the Configuration The section describes how to verify that the configuration changes made to Microsoft DHCP and the LogLogic Appliance are applied correctly. To verify the configuration: 1. Log in to the LogLogic Appliance. 2. From the navigation menu, select Dashboards > Log Source Status. The Log Source Status tab appears. 3. Locate the IP address for each Microsoft DHCP device. 16 Microsoft DHCP Log Configuration Guide

17 If the device name (Microsoft DHCP) appears in the list of devices, then the configuration is correct. If the device does not appear in the Log Source Status tab, check the Microsoft DHCP logs for events that should have been sent. If events were detected and are still not appearing on the LogLogic Appliance, verify the Microsoft DHCP configuration, the Project Lasso configuration (for operational logs), and the LogLogic Appliance configuration. You can also verify that the LogLogic Appliance is properly capturing log data from Microsoft DHCP by trying to view the data in the reports. LogLogic recommends checking the reports to make sure that the data obtained is valid and matches expectations. For more information, see LogLogic Real-Time Reports on page 20. If the device name appears in the list of devices but operational or audit log data for the device is not appearing within your reports, see Troubleshooting on page 23 for more information. Microsoft DHCP Log Configuration Guide 17

18 Chapter 2 How LogLogic Supports Microsoft DHCP This chapter describes LogLogic s support for Microsoft DHCP. LogLogic enables you to capture log data to monitor Microsoft DHCP events. How LogLogic Captures Microsoft DHCP Log Data Supported Microsoft DHCP Log Data LogLogic Real-Time Reports LogLogic Search Filters How LogLogic Captures Microsoft DHCP Log Data LogLogic s open source Windows Collector, Project Lasso, is used to collect Microsoft DHCP operational logs stored in Windows System Log. The operational logs are converted into text format by Project Lasso and sent to the Syslog Listener of the LogLogic Appliance via UDP or TCP. The LogLogic Appliance uses file pulling to capture Microsoft DHCP audit log messages. By default, audit logs are stored in text format under the following directory: Windows\System32\Dhcp The log files are named as DhcpSrvLog-day of week. LogLogic enables you to capture the log data in text format from a remote file system using FTP(S), HTTP(S), SCP, etc. Log files unchanged since the last pull are filtered out from collecting to eliminate duplication. File pulling maintains a record of log files identified on the database to allow conversion. All log messages are pulled from the specified path where the converted log files are stored. Note: LogLogic enables you to collect Microsoft DHCP log messages at a configurable time (e.g., every x minutes, at an hourly interval, daily at a specified time, or weekly at a specified date and time). Figure 4 on page 19 provides a deployment example for capturing Microsoft DHCP operational and audit log messages. For audit logs, an SFTP server is used as a remote Host Server in the example. If the host machine for the log source has built-in SFTP, SCP, FTP(S), HTTP(S), etc., server functionality, a remote Host Server is not a mandatory component. For more information, see Configuring the LogLogic Appliance for Data and File Collection on page 11. For operational logs, a remote Host Server with Project Lasso installed and operating in Collector Mode is used as an example. For more information, see the LogLogic Windows Collector Guide (Project Lasso). 18 Microsoft DHCP Log Configuration Guide

19 Figure 4 Microsoft DHCP, Project Lasso (Collector Mode), a remote SFTP Host Server, and the LogLogic Appliance Components and Processes Once the data is captured and parsed, you can generate reports. In addition, you can create alerts to notify you of issues on Microsoft DHCP. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help. Note: When a log file is transferred, each file contains a timestamp which consists of a date and time. The timestamp refers to the file creation date and time for a particular message in the file. For a listing of LogLogic supported date and time formats, see the LogLogic Administration Guide. Supported Microsoft DHCP Log Data LogLogic enables you to capture Microsoft DHCP audit and operational log data. Microsoft DHCP audit logs are comma-delimited text files with each log entry representing a single line of text. For example, an audit log file entry contains the following fields in the order presented: ID, Date, Time, Description, IP Address, Host Name, MAC Address Table 2 on page 41 lists the Microsoft DHCP audit events that are supported by the LogLogic Appliance. Microsoft DHCP related operational events are recorded in the Windows System Log. This includes, by default, major activities that potentially affect the operating system (e.g., Microsoft DHCP service startup, shutdown, errors, and change of configuration options). Table 1 on page 28 lists the Microsoft DHCP operational events that are supported by the LogLogic Appliance. Note: The LogLogic Appliance captures all messages from the Microsoft DHCP logs, but includes only specific messages for report/alert generation. For more information, see Appendix A Reference on page 27 for sample log messages for each event and event to category mapping. Microsoft DHCP Log Configuration Guide 19

20 LogLogic Real-Time Reports LogLogic provides pre-configured Real-Time Reports for Microsoft DHCP log data. The following Real-Time Reports are available: DHCP Activity Displays events related to all DHCP activity DHCP Denied Activity Displays events related to DHCP requests that were denied DHCP Granted/Renewed Activity Displays events related to DHCP requests that were granted or renewed To access LMI 5 Real-Time Reports: 1. In the top navigation pane, click Reports. 2. Click Network Activity. The following Real-Time Reports are available: DHCP Activity DHCP Denied Activity DHCP Granted/Renewed Activity You can create custom reports from the existing Real-Time Report templates. For more information, see the LogLogic User Guide and LogLogic Online Help. LogLogic Search Filters LogLogic provides pre-configured Search Filters for Microsoft DHCP log data. Search Filters are used to filter report data and create alerts. To access Search Filters: 1. From the navigation menu, select Search. 2. Select Search Filters. The following Search Filters are available: Microsoft DHCP: Audit - Change & Configuration Management Displays details for the following activities reported within the DHCP audit logs: Network Configuration Changes Privilege Change Status User Account Changes Application Configuration Changes Windows Registry Changes Microsoft DHCP: Audit - Continuity & Availability Management Displays details for the following activities reported within the DHCP audit logs: System Restarts Backup Status System Errors 20 Microsoft DHCP Log Configuration Guide

21 Microsoft DHCP: Audit - Rogue Server Detection Displays details for all activities related to rogue server detection reported within the DHCP audit logs Microsoft DHCP: Audit - Security & Threat Management Displays details for the following activities reported within the DHCP audit logs: IDS Activity Top Attacking IP Addresses Top Attacked IP Addresses Antivirus Protection Status Microsoft DHCP: Audit - System Health Displays details for all activities related to system health reported within the DHCP audit logs Microsoft DHCP: Audit Rogue DHCP Server detection Displays details for all activities related to rogue DHCP server detection and shutdown reported within the DHCP audit logs Microsoft DHCP: Operational - Backup & Restore Displays details for all activities related to backup and restore events reported within the DHCP operational logs Microsoft DHCP: Operational - Change & Configuration Management Displays details for the following activities reported within the DHCP operational logs: Network Configuration Changes Privilege Change Status User Account Changes Application Configuration Changes Windows Registry Changes Microsoft DHCP: Operational - Configuration Changes Displays details for all activities related to configuration changes reported within the DHCP operational logs Microsoft DHCP: Operational - Identity & Access Management Displays details for the following activities reported within the DHCP operational logs: Privilege Use by User Resource Access Database Data Access User Authentication Status Microsoft DHCP: Operational - Performance & Capacity Management Displays details for the following activities reported within the DHCP operational logs: System Resource Exhaustion Network Capacity Use by Application Database Table Usage Microsoft DHCP: Operational - Rogue Server Detection Displays details for all activities related to rogue DHCP server detection and shutdown reported within the DHCP operational logs Microsoft DHCP Log Configuration Guide 21

22 Microsoft DHCP: Operational - Security & Threat Management Displays details for the following activities reported within the DHCP operational logs: IDS Activity Top Attacking IP Addresses Top Attacked IP Addresses Antivirus Protection Status Microsoft DHCP: Operational - Security s Displays details for all security events reported within the DHCP operational logs Microsoft DHCP: Operational - Server Start/Stop Displays details for all activities related to server starts or stops reported within the DHCP operational logs Microsoft DHCP: Operational - System Health Displays details for all activities related to system health reported within the DHCP operational logs Microsoft DHCP: Operational Continuity & Availability Management Displays details for the following activities reported within the DHCP operational logs: System Restarts Backup Status System Errors For more information on Search Filters, reports, and alerts see the LogLogic User Guide and LogLogic Online Help. 22 Microsoft DHCP Log Configuration Guide

23 Chapter 3 Troubleshooting and FAQ This chapter contains troubleshooting information regarding the configuration and/or use of log collection for Microsoft DHCP. It also contains Frequently Asked Questions (FAQ), providing quick answers to common questions. Troubleshooting Frequently Asked Questions Troubleshooting Is your version of Microsoft DHCP supported? For more information, see Prerequisites on page 8. Is your LogLogic Appliance running Release 5.1 or later? If you are running an release prior to 5.1, you will require an upgrade. Contact LogLogic Support for more information. Are you running Project Lasso 4.0 or later? If you are running an release prior to 4.0, you might require an upgrade. Contact LogLogic Support for more information. Is the appropriate Log Source Package (LSP) installed properly? Check to make sure that the LSP that is installed includes support for Microsoft DHCP. Also make sure that the package was installed successfully. For more information on LSP installation procedures, see the LogLogic Log Source Package Release Notes. If Microsoft DHCP operational events are not appearing on the LogLogic Appliance... You can verify that your log files are received by viewing the File Transfer History. You can view the history from the Administration > File Transfer History tab. Make sure that you have properly installed and configured Project Lasso, and the no errors are present in Lasso s error log (LassoTrace.log). For more information, see the LogLogic Windows Collector Guide (Project Lasso). Also make sure that the Appliance is properly auto-identifying the device. If not, then try to add the device to the Appliance manually. For more information, see Automatically Identifying a Microsoft DHCP Device on page 12 and Adding Microsoft DHCP Device on page 13. Microsoft DHCP Log Configuration Guide 23

24 If Operational events are not displaying on the LogLogic Appliance even after configuring Microsoft DHCP and Project Lasso correctly... Microsoft DHCP sends the logs, via UDP or TCP in Syslog format, to the LogLogic Appliance. Make sure that the UDP or TCP port is enabled on the Microsoft DHCP machine. For more information on supported protocols and ports, see the LogLogic Administration Guide and the LogLogic Windows Collector Guide (Project Lasso). If Microsoft DHCP audit events are not appearing on the LogLogic Appliance... You need to verify if the LogLogic Appliance is receiving the logs correctly. For more information, see Problems Retrieving Log Files Using Configured File Transfer Rules on page 24. Problems Retrieving Log Files Using Configured File Transfer Rules If you are having general problems retrieving audit log files using your configured file transfer rules, you might need to verify that your LogLogic Appliance is receiving Microsoft DHCP audit logs as scheduled. To verify that the LogLogic Appliance is receiving logs correctly: 1. Log in to the LogLogic Appliance managing the Microsoft DHCP log data. 2. From the navigation menu, select Management > Devices. The Devices tab appears. 3. Select the File Transfer Rules tab. The File Transfer Rules tab appears with a table displaying all of your file transfer rules. 4. Find the file-based log data entries. 5. Under the Last Successful Retrieval column, watch for a successful transfer as defined by the Collection Interval mark. 6. Under the Last Attempted Retrieval column, verify that there are no failures. 7. If the Last Attempted Retrieval value is incrementing but the Last Successful Retrieval value is not changing, then the LogLogic Appliance is not receiving logs correctly. If this problem occurs, then complete the following steps: a. Verify the path to your log files. If necessary, make appropriate changes. b. Verify your user name and password. If necessary, make appropriate changes. Alternatively, you can run an Index Search against Microsoft DHCP as follows to check log collection: 1. From the navigation menu, select Search > Index Search. 2. Specify the LogLogic Appliance as the Device Type and choose the appropriate Source Device. 3. Enter your Boolean Search query. For example: To return file collector-related logs, type engine_filecollector To return only Microsoft entries, type engine_filecollector and Microsoft Entries can be found in the /loglogic/status/filecollector_status file. 24 Microsoft DHCP Log Configuration Guide

25 Frequently Asked Questions How does the LogLogic Appliance collect logs from Microsoft DHCP? For operational log collection, an open source Windows Collector, Project Lasso, is required in order to read the.evt files from the Windows machine, convert them into text format, and forward them via Syslog using UDP or TCP to the LogLogic Appliance. The LogLogic Appliance functions as the Syslog server. For more information, see How LogLogic Captures Microsoft DHCP Log Data on page 18. What access permissions are required? To configure logging on Microsoft DHCP, the Windows user must have administrative permissions. How do I configure logging on Microsoft DHCP? For audit logs, follow the procedures on Configuring Microsoft DHCP for Audit Logging on page 8. Also make sure that you have properly configured the LogLogic Appliance for file collection. For more information, see Configuring the LogLogic Appliance for Data and File Collection on page 11. For operational logs, follow the procedures on Configuring Microsoft DHCP for Operational s on page 10. Also make sure that you have properly installed and configured Project Lasso. For more information, see Installing and Configuring Project Lasso on page 10 and the LogLogic Windows Collector Guide (Project Lasso). Microsoft DHCP Log Configuration Guide 25

26 26 Microsoft DHCP Log Configuration Guide

27 Appendix A Reference This appendix lists the LogLogic-supported Microsoft DHCP events. The Microsoft DHCP event table identifies events that can be analyzed through LogLogic reports. All sample audit log messages were captured by LogLogic s file pull functionality. All sample operational log messages were captured by LogLogic s Syslog Listener. LogLogic Support for Microsoft DHCP s The following list describes the contents of each of the columns in the tables below. ID Microsoft DHCP event identifier Agile Reports/Search Defines if the Microsoft DHCP event is available through the LogLogic Agile Report Engine or through the search capabilities. If the event is available through the Agile Report Engine, then you can use LogLogic s Real-Time Reports and Summary Reports to analyze and display the captured log data. Otherwise, all other supported events that are captured by the LogLogic Appliance can be viewed by performing a search for the log data. Title/Comments Description of the event Category Category of events such as Audit or Operational Type Type of event such as Success, Failure, etc. Sample Log Message Sample Microsoft DHCP log messages in text format Note: A Media Access Control (MAC) address or Globally Unique Identifier (GUID) can be present in the log as a client machine unique identifier. Microsoft DHCP Log Configuration Guide 27

28 Table 1 Microsoft DHCP Operational s ID Agile Reports /Search Title/Comments Category Type Sample Log Message Search The DHCP service is shutting down due to the following error: % Search The DHCP service encountered the following error when backing up the database: % Search The DHCP service failed to restore the database. The following error occurred: % Search The DHCP service failed to restore the DHCP registry configuration. The following error occurred: % Search Scope, %1, is %2 percent full with only %3 IP addresses remaining Search The DHCP service will now terminate because the existing database needs conversion to Windows 2000 format. The conversion via the jetconv process, has initiated. Do not reboot or stop the jetconv process. The conversion may take up to 10 minutes depending on the size of the database. Terminate DHCP now by clicking OK. This is required for the database conversion to succeed. NOTE: The DHCP service will be restarted automatically when the conversion is completed. To check conversion status, look at the Application event log for the jetconv process. Operational Error The log format for this event is supported by the LogLogic Operational Error <13>Feb 20 12:15: MSWinLog 0 System 1339 Tue Feb 20 10:01: DhcpServer Unknown User N/A Error LAB None 0000: 2d 4e N.. The DHCP service encountered the following error when backing up the database: An error occurred while accessing the DHCP database. Look at the DHCP server event log for more information on this error. 845 Operational Failure The log format for this event is supported by the LogLogic Operational Failure The log format for this event is supported by the LogLogic Operational The log format for this event is supported by the LogLogic Operational <13>Feb 13 12:30: MSWinLog 0 System Thu Feb 08 10:13: DhcpServer Unknown User N/A Information LOGLOGIC-SRV1 None 0000: The DHCP service will now terminate because the existing database needs conversion to Windows 2000 format. The conversion via the jetconv process, has initiated. Do not reboot or stop the jetconv process. The conversion may take up to 10 minutes depending on the size of the database. Terminate DHCP now by clicking OK. This is required for the database conversion to succeed. NOTE: The DHCP service will be restarted automatically when the conversion is completed. To check conversion status, look at theapplication event log for the jetconv process Microsoft DHCP Log Configuration Guide

29 ID Agile Reports /Search Title/Comments Category Type Sample Log Message Search The audit log file cannot be appended Search The audit log file could not be backed up. The following error occurred: %1 Operational <13>Feb 13 12:30: MSWinLog 0 System Thu Feb 08 10:13: DhcpServer Unknown User N/A Information LOGLOGIC-SRV1 None 0000: The audit log file cannot be appended Operational Error The log format for this event is supported by the LogLogic Search The DHCP service successfully restored the database. Operational S u c c e s s <13>Feb 13 12:30: MSWinLog 0 System Thu Feb 08 10:13: DhcpServer Unknown User N/A Information LOGLOGIC-SRV1 None 0000: The DHCP service successfully restored the database Search The DHCP service is not servicing any clients because none of the active network interfaces have statically configured IP addresses, or there are no active interfaces Search The DHCP/BINL service running on this machine has detected a server on the network. If the server does not belong to any domain, the domain is listed as empty. The IP address of the server is listed in parentheses.% Search The DHCP/BINL service on the local machine has determined that it is not authorized to start. It has stopped servicing clients. The following are some possible reasons for this: This machine belongs to a workgroup and has encountered another DHCP Server (belonging to a Windows Administrative Domain) servicing the same network. An unexpected network error occurred. Operational Error <13>Feb 13 12:30: MSWinLog 0 System Thu Feb 08 11:04: DhcpServer Unknown User N/A Error LOGLOGIC-SRV1 None 0000: The DHCP service is not servicing any clients because none of the active network interfaces have statically configured IP addresses, or there are no active interfaces Operational <13>Feb 13 12:30: MSWinLog 0 System Thu Feb 08 10:13: DhcpServer Unknown User N/A Information LOGLOGIC-SRV1 None 0000: The DHCP/BINL service running on this machine has detected a server on the network. If the server does not belong to any domain, the domain is listed as empty. The IP address of the server is listed in parentheses { } O p e r a t i o n a l F a i l u r e < 1 3 > F e b : 2 8 : M S W i n E v e n t L o g 0 S y s t e m 1099 Fri Feb 16 17:25: DhcpServer Unknown User DHCP/BINL service on the local machine has determined that it is not authorized to start. It has stopped servicing clients. The following are some possible reasons for this: This machine belongs to a workgroup and has encountered another DHCP Server (belonging to a Windows Administrative Domain) servicing the same network. An unexpected network error occurred. 381 Microsoft DHCP Log Configuration Guide 29

30 ID Agile Reports /Search Title/Comments Category Type Sample Log Message Search The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain %2, has determined that it is not authorized to start. It has stopped servicing clients. The following are some possible reasons for this: This machine is part of a directory service enterprise and is not authorized in the same domain. (See help on the DHCP Service Management Tool for additional information). This machine cannot reach its directory service enterprise and it has encountered another DHCP service on the network belonging to a directory service enterprise on which the local machine is not authorized. Some unexpected network error occurred Search The DHCP/BINL service has determined that it is not authorized to service clients on this network for the Windows domain: %2. All DHCP services that belong to a directory service enterprise must be authorized in the directory service to service clients. (See help on the DHCP Service Management Tool for authorizing a DHCP server in the directory service) Search The DHCP/BINL service on this workgroup server has encountered another server with IP Address, %1, belonging to the domain % Search The DHCP/BINL service on this computer running Windows Server 2003, 2008 for Small Business Server has encountered another server on this network with IP Address, %1, belonging to the domain: %2. O p e r a t i o n a l F a i l u r e < 1 3 > F e b : 2 8 : M S W i n E v e n t L o g 0 S y s t e m 1099 Fri Feb 16 17:25: DhcpServer Unknown User DHCP/BINL service on the local machine, belonging to the Windows Administrative domain loglog.com, has determined that it is not authorized to start. It has stopped servicing clients. The following are some possible reasons for this: This machine is part of a directory service enterprise and is not authorized in the same domain. (See help on the DHCP Service Management Tool for additional information). This machine cannot reach its directory service enterprise and it has encountered another DHCP service on the network belonging to a directory service enterprise on which the local machine is not authorized. Some unexpected network error occurred. 381 Operational Failure <13>Feb 16 17:28: MSWinLog 0 System 1099 Fri Feb 16 17:25: DhcpServer Unknown User DHCP/BINL service has determined that it is not authorized to service clients on this network for the Windows domain: DNSDHCP.com. All DHCP services that belong to a directory service enterprise must be authorized in the directory service to service clients. 381 Operational <13>Feb 16 17:28: MSWinLog 0 System 1099 Fri Feb 16 17:25: DhcpServer Unknown User DHCP/BINL service on this workgroup server has encountered another server with IP Address, , belonging to the domain DNSDHCP.com. 381 Operational <13>Feb 16 17:28: MSWinLog 0 System 1099 Fri Feb 16 17:25: DhcpServer Unknown User DHCP/BINL service on this computer running Windows Server 2003, 2008 for Small Business Server has encountered another server on this network with IP Address, ,34, belonging to the domain: DNSDHCP.com Microsoft DHCP Log Configuration Guide