LogLogic Microsoft Dynamic Host Configuration Protocol (DHCP) Log Configuration Guide

Document Release: September 2011
Part Number: LL600026-00ELS090000

This manual supports LogLogic Microsoft DHCP Release 1.0 and later, and LogLogic Software Release 5.1 and later until replaced by a new edition.
2011 LogLogic, Inc. Proprietary Information

Trademarks

This document contains proprietary and confidential information of LogLogic, Inc. and its licensors. In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc. LogLogic and the LogLogic logo are trademarks or registered trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company or product names are trademarks or registered trademarks of their respective owners.

Notice

The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set out exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation.

LogLogic, Inc.
110 Rose Orchard Way, Suite 200
San Jose, CA 95134
Tel: +1 408 215 5900
Fax: +1 408 774 1752
U.S. Toll Free: 888 347 3883
http://www.loglogic.com
Contents

Preface
    About This Guide (page 5)
    Technical Support (page 5)
    Documentation Support (page 5)
    Conventions (page 6)

Chapter 1 Configuring LogLogic's Microsoft DHCP Log Collection
    Introduction to Microsoft DHCP (page 7)
    Prerequisites (page 8)
    Configuring Microsoft DHCP for Audit Logging (page 8)
        Changing the Path of the Audit Log File (page 9)
        Audit Log File Rotation Policy (page 10)
    Configuring Microsoft DHCP for Operational Events (page 10)
        Installing and Configuring Project Lasso (page 10)
    Enabling the LogLogic Appliance to Capture Log Data (page 11)
        Configuring the LogLogic Appliance for Data and File Collection (page 11)
        Automatically Identifying a Microsoft DHCP Device (page 12)
        Adding Microsoft DHCP Device (page 13)
        Creating File Transfer Rules (page 14)
    Verifying the Configuration (page 16)

Chapter 2 How LogLogic Supports Microsoft DHCP
    How LogLogic Captures Microsoft DHCP Log Data (page 18)
    Supported Microsoft DHCP Log Data (page 19)
    LogLogic Real-Time Reports (page 20)
    LogLogic Search Filters (page 20)

Chapter 3 Troubleshooting and FAQ
    Troubleshooting (page 23)
        Problems Retrieving Log Files Using Configured File Transfer Rules (page 24)
    Frequently Asked Questions (page 25)

Appendix A Reference
    LogLogic Support for Microsoft DHCP Events (page 27)

Microsoft DHCP Log Configuration Guide 3
Preface

About This Guide

The LogLogic Appliance-based solution lets you capture and manage log data from all types of log sources in your enterprise. The LogLogic support for Microsoft Dynamic Host Configuration Protocol (DHCP) enables LogLogic Appliances to capture logs from machines running Microsoft DHCP. Once the logs are captured and parsed, you can generate reports and create alerts on Microsoft DHCP's operations. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.

Technical Support

LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances.

To reach LogLogic Customer Support:
    Telephone: Toll Free 1-800-957-LOGS; Local 1-408-834-7480
    EMEA or APAC: +44 (0) 207 1170075 or +44 (0) 8000 669970
    Email: support@loglogic.com

You can also visit the LogLogic Support website at: http://www.loglogic.com/services/support.

When contacting Customer Support, be prepared to provide:
    Your name, email address, phone number, and fax number
    Your company name and company address
    Your machine type and release version
    A description of the problem and the content of pertinent error messages (if any)

Documentation Support

Your feedback on LogLogic documentation is important to us. Send e-mail to DocComments@loglogic.com if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team. In your e-mail message, please indicate the software name and version you are using, as well as the title and document date of your documentation.
Conventions

LogLogic documentation uses the following conventions to highlight code and command-line elements:

    A monospace font is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as filenames, directories, paths, and URLs).

    A monospace bold font is used to distinguish system prompts or screen output from user responses, as in this example:
        username: system
        home directory: home\app

    A monospace italic font is used for placeholders, which are general names that you replace with names specific to your site, as in this example:
        LogLogic_home_directory\upgrade\

    Straight brackets signal options in command-line syntax. For example:
        ls [-AabCcdFfgiLlmnopqRrstux1] [-X attr] [path...]
Chapter 1 Configuring LogLogic's Microsoft DHCP Log Collection

This chapter describes configuration steps that enable a LogLogic Appliance to capture Microsoft DHCP logs. The configuration steps assume that you have a functioning LogLogic Appliance that can be configured to capture Microsoft DHCP log data.

    Introduction to Microsoft DHCP (page 7)
    Prerequisites (page 8)
    Configuring Microsoft DHCP for Audit Logging (page 8)
    Configuring Microsoft DHCP for Operational Events (page 10)
    Enabling the LogLogic Appliance to Capture Log Data (page 11)
    Verifying the Configuration (page 16)

Introduction to Microsoft DHCP

The LogLogic Appliance enables you to capture Microsoft DHCP audit and operational log data.

Audit log events can capture critical information about the Microsoft DHCP server that is essential to meet compliance requirements. For example, Microsoft DHCP provides options to audit server startup, shutdown, and restart status. It also gives information related to the server's authorization status with Active Directory and records lease, renew, and update actions with the Domain Name System (DNS) database.

Operational log event information is posted in the Windows System log. These logs contain information related to DHCP server configuration changes and its status information.

Note: LogLogic support is limited to Windows Server 2003 and 2008 events. For more information, see Supported Microsoft DHCP Log Data on page 19.

Microsoft DHCP audit logs are captured via file pull using a file transfer rule. Microsoft DHCP operational logs are captured by LogLogic's open source Windows Collector, Project Lasso. The Windows Collector can run in one of the following modes: Agent Mode, Collector Mode, or both (i.e., a hybrid mode).
Regardless of the mode used, all collected operational logs are forwarded to the LogLogic Appliance using Syslog via UDP or TCP. The configuration procedures for Microsoft DHCP and the LogLogic Appliance depend upon your environment, what logs you want to capture, and how the Windows Collector is configured (if applicable). For more information, see How LogLogic Captures Microsoft DHCP Log Data on page 18 and the LogLogic Windows Collector Guide (Project Lasso).
Prerequisites

Prior to configuring Microsoft DHCP and the LogLogic Appliance, ensure that you meet the following prerequisites:

    Microsoft DHCP Service installed on Windows Server 2003 or 2008 with SP1 or SP3
    Administrative access on the DHCP server
    For operational logs: Project Lasso Release 4.0 or later installed on the DHCP server. For more information, see the LogLogic Windows Collector Guide (Project Lasso).
    For audit logs: 3rd-party FTP, FTP(S), HTTP(S), CIFS, SCP, and/or SFTP server software installed for any platform that does not have these capabilities by default. For more information, see Configuring the LogLogic Appliance for Data and File Collection on page 11.
    LogLogic Appliance running Release 5.1 or later, installed with a Log Source Package that includes Microsoft DHCP Server support
    Administrative access on the LogLogic Appliance

Configuring Microsoft DHCP for Audit Logging

Audit logging is configured by default on a Microsoft DHCP server. Make sure that your configuration matches the one described in the following steps.

To enable Microsoft DHCP server logging:
1. Log in to the Microsoft DHCP server.
2. From the Windows Start menu, select Settings > Control Panel.
3. Double-click Administrative Tools.
4. Double-click DHCP. The DHCP console appears.
5. Expand the tree on the left, and select the applicable DHCP server from the list.
6. On the Action menu, click Properties.
7. On the General tab, select the Enable DHCP audit logging checkbox.
8. Click OK.
Figure 1: DHCP Console

Changing the Path of the Audit Log File

Only the directory path in which the Microsoft DHCP server stores audit log files can be modified using the DHCP console, not the filename. The DHCP server service bases the name of the audit log file on the current day of the week, as determined by checking the current date and time at the server. For example, when the DHCP server starts, if the current date and time is:

    Monday, April 7, 2011, 04:56:42 P.M.

then the server audit log file is named DhcpSrvLog-Mon.

To change the path of the audit log file:
1. Log in to the Microsoft DHCP server.
2. From the Windows Start menu, select Settings > Control Panel.
3. Double-click Administrative Tools.
4. Double-click DHCP. The DHCP console appears.
5. Expand the tree on the left, and select the applicable DHCP server from the list.
6. On the Action menu, click Properties.
7. Click the Advanced tab.
8. Edit Audit log file path as necessary and click OK.

Audit Log File Rotation Policy

The Microsoft DHCP server rotates the files based on days. By default, at 12:00 a.m. local time on the server machine, the DHCP server closes the existing log and moves to the log file for the next day of the week. For example, if the day of the week changes at 12:00 a.m. from Wednesday to Thursday, the log file named DhcpSrvLog-Wed is closed and the file named DhcpSrvLog-Thu is opened and used for logging events.

If the disk is full, the DHCP server closes the current file and ignores further requests to log audit events until either 12:00 a.m. or until the disk is no longer full. The disk is considered full if either of the following conditions is true:

    Disk space on the server machine is lower than the required minimum amount for DHCP audit logging. By default, if the amount of disk space remaining on the server disk reaches less than 20 megabytes (MB), audit logging is halted.
    The current audit log file is larger than one-seventh of the combined size of all audit logs currently stored on the server.

Configuring Microsoft DHCP for Operational Events

Microsoft DHCP server operational events are posted in the Windows Event Viewer. The events are located in the System log under the DHCP server, with DHCP as the source. These events can be captured by the LogLogic Appliance using Project Lasso.

Installing and Configuring Project Lasso

The Microsoft DHCP logs are collected and transported using Project Lasso. Project Lasso is used to collect and transfer Windows logs to the LogLogic Appliance. By default, the Project Lasso program directory is located at:

    C:\Program Files\Lasso

Project Lasso spools log messages if the connection to the Appliance is temporarily lost.
By default, the following directory contains all spooled log messages:

    C:\Program Files\Lasso\LassoRepository\Spool

You can change the host machine and event log identification information by editing the hostlist.ini configuration file in Project Lasso. You can change the spool log location and other Lasso monitoring parameters by editing the Lasso.ini file.

For the complete installation and configuration procedures for Project Lasso, including information on the Lasso.ini and hostlist.ini files, see the LogLogic Windows Collector Guide (Project Lasso).
Enabling the LogLogic Appliance to Capture Log Data

The following sections describe how to enable the LogLogic Appliance to capture Microsoft DHCP log data.

Configuring the LogLogic Appliance for Data and File Collection

The LogLogic Appliance recognizes Microsoft DHCP operational events in Syslog format via the Syslog Listener. The Appliance captures Microsoft DHCP audit events using file pull functionality via a file transfer rule. The deployment method you use to collect Microsoft DHCP file-based data depends on what events you want to capture.

Microsoft DHCP Data Collection for Operational Events

If you are trying to capture operational event data, use the following deployment method:
1. Properly configure Microsoft DHCP to generate operational events (see Configuring Microsoft DHCP for Operational Events on page 10).
2. Properly configure Project Lasso on a remote Host Server (see Installing and Configuring Project Lasso on page 10).
3. On the LogLogic Appliance, make sure that the Microsoft DHCP device was correctly auto-identified. For more information, see Automatically Identifying a Microsoft DHCP Device on page 12.

Microsoft DHCP File Collection for Audit Events

If you are trying to capture audit event data, use the following deployment method for file collection:
1. Configure a remote Host Server with file transfer capability to capture log files from the Microsoft DHCP host machine. The following procedure explains, at a high level, how to configure your environment to capture file-based log messages via SFTP. LogLogic recommends using SFTP for Windows-based systems, or SCP for Unix-based systems, to securely transfer files to the LogLogic Appliance from your log source. However, you can use any of the LogLogic-supported protocols in your environment (i.e., FTP(S), HTTP(S), SCP, etc.).
    Note: For more information on each supported protocol, including whether a Public Key Copy is needed and what search methods (i.e., CSV, Wildcard) are available, see the LogLogic Administration Guide.
    a. Make sure that a destination directory (i.e., log directory) exists and is accessible on the host machine where Microsoft DHCP is installed. The destination directory should contain the original log files that Microsoft DHCP generates.
    b. Transfer the Microsoft DHCP log files to a separate publishing directory on the remote Host Server. You can use a script or 3rd-party software that copies or moves the log files from the destination directory (i.e., log directory) to the publishing directory. In addition, if you are using a script, you can specify the schedule for when the script runs (e.g., hourly, daily, or weekly).
    Note: LogLogic recommends that you define a clean-up process to handle old log files that accumulate over time.
2. On the LogLogic Appliance, add Microsoft DHCP to the Appliance as a new device. For more information, see Adding Microsoft DHCP Device on page 13.
3. Create a file transfer rule and specify SFTP as the Protocol. For more information, see Creating File Transfer Rules on page 14.
    IMPORTANT! SCP and SFTP have limitations in their ability to pull a large number of files (100 or more). LogLogic recommends that you compress the files into a single file (such as .tar or .tar.gz) before the files are pulled by the LogLogic Appliance.
4. File transfer rules using SFTP as the protocol require a public key copy from the LogLogic Appliance. You need to copy the Appliance's public key to the remote Host Server. For more information on public key copy, see the LogLogic Administration Guide.

Automatically Identifying a Microsoft DHCP Device

IMPORTANT! The Microsoft DHCP device is auto-identified when operational events are captured by Project Lasso. However, you must add the device manually if you are capturing audit events by file pull via a file transfer rule. For more information, see Adding Microsoft DHCP Device on page 13.

With the auto-identification feature, the LogLogic Appliance recognizes Microsoft DHCP operational log messages in Syslog format using Project Lasso. As the Syslog messages come into the Appliance, they are automatically identified and a new Microsoft DHCP device type is added to the log source device list. Default values are used for certain properties, such as the device name.

To enable auto-identification in the LogLogic Appliance:
1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Administration > System Settings. The General tab appears.
3. For Auto-identify Log Sources, select Yes.
4. Click Update.

Once the automatically identified device is added, you can edit its properties.

IMPORTANT!
Do not change the auto-identified Device Type and Host IP information.

To edit an existing Microsoft DHCP device:
1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Management > Devices. The Devices tab appears.
3. Click on an existing Microsoft DHCP device in the list and click Modify Device. The Modify Device tab appears.
4. Edit the device fields as needed, then click Update Device.
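The audit file collection procedure above leaves step 1b (copying the rotated DhcpSrvLog-* files into a publishing directory), the compress-before-pull recommendation and the clean-up process to a script of your own. The following Python script is an added example, not code from the LogLogic guide or from Project Lasso; it assumes it runs on the DHCP host, that the audit log path set in the DHCP console is the log directory, and that the publishing directory is what your SFTP server exposes to the Appliance. It also applies the two disk-full conditions from the rotation policy so an operator can tell when audit logging has silently halted.

```python
"""Added example (not from the LogLogic guide): stage rotated Microsoft DHCP
audit logs into one .tar.gz for pull by a file transfer rule, prune old
archives, and report whether DHCP audit logging would currently be halted."""
import datetime as dt
import os
import tarfile
import tempfile

DAY_SUFFIX = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
MIN_FREE_MB = 20  # default free-space floor below which DHCP halts audit logging


def audit_log_name(when):
    """Name of the audit log the DHCP service writes on the given date."""
    return "DhcpSrvLog-" + DAY_SUFFIX[when.weekday()]


def audit_logging_halted(free_mb, sizes_by_name, current_name):
    """True if either disk-full condition from the guide holds, i.e. the DHCP
    server would stop writing audit events until midnight or until freed."""
    if free_mb < MIN_FREE_MB:
        return True
    total = sum(sizes_by_name.values())
    current = sizes_by_name.get(current_name, 0)
    return total > 0 and current > total / 7.0


def stage_rotated_logs(log_dir, publish_dir, now, keep_days=14):
    """Copy every closed DhcpSrvLog-* file (not today's open one) into a single
    .tar.gz in publish_dir, then delete staged archives older than keep_days.
    Returns (archive path, staged file names, deleted archive names)."""
    current = audit_log_name(now)
    os.makedirs(publish_dir, exist_ok=True)
    rotated = sorted(n for n in os.listdir(log_dir)
                     if n.startswith("DhcpSrvLog-") and n != current)
    archive = os.path.join(
        publish_dir, "dhcp-audit-%s.tar.gz" % now.strftime("%Y%m%d-%H%M%S"))
    with tarfile.open(archive, "w:gz") as tar:
        for name in rotated:
            tar.add(os.path.join(log_dir, name), arcname=name)
    # Clean-up process recommended by the guide: drop old staged archives.
    cutoff = (now - dt.timedelta(days=keep_days)).timestamp()
    deleted = []
    for name in os.listdir(publish_dir):
        path = os.path.join(publish_dir, name)
        if (name.startswith("dhcp-audit-") and path != archive
                and os.path.getmtime(path) < cutoff):
            os.remove(path)
            deleted.append(name)
    return archive, rotated, deleted


def demo():
    """Exercise the staging logic on constructed files in a temp directory."""
    base = tempfile.mkdtemp()
    log_dir = os.path.join(base, "Dhcp")
    publish_dir = os.path.join(base, "publish")
    os.makedirs(log_dir)
    os.makedirs(publish_dir)
    sizes = {}
    for day in DAY_SUFFIX:  # constructed one-line logs for all seven days
        name = "DhcpSrvLog-" + day
        with open(os.path.join(log_dir, name), "w") as f:
            f.write("10,09/13/11,10:00:00,Assign,192.0.2.10,h1,001122334455\n")
        sizes[name] = os.path.getsize(os.path.join(log_dir, name))
    # A stale archive from three weeks earlier that the clean-up should remove.
    stale = os.path.join(publish_dir, "dhcp-audit-20110824-010000.tar.gz")
    open(stale, "wb").close()
    old = dt.datetime(2011, 8, 24, 1, 0).timestamp()
    os.utime(stale, (old, old))
    now = dt.datetime(2011, 9, 14, 1, 0)  # constructed run time: a Wednesday
    archive, staged, deleted = stage_rotated_logs(log_dir, publish_dir, now)
    with tarfile.open(archive) as tar:
        members = sorted(tar.getnames())
    return {
        "current": audit_log_name(now),
        "staged": staged,
        "members": members,
        "deleted": deleted,
        "halted_low_disk": audit_logging_halted(15, sizes, "DhcpSrvLog-Wed"),
        "halted_ok": audit_logging_halted(500, sizes, "DhcpSrvLog-Wed"),
    }


if __name__ == "__main__":
    print(demo())
```

Schedule the script (e.g. Windows Task Scheduler, daily after midnight) so the file just closed by rotation is staged before the Appliance's collection time.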
Adding Microsoft DHCP Device

IMPORTANT! You must add the Microsoft DHCP device manually if you are capturing audit events by file pull via a file transfer rule. The device is auto-identified when operational events are captured by Project Lasso. For more information, see Automatically Identifying a Microsoft DHCP Device on page 12.

LogLogic captures Microsoft DHCP audit log files using file pull functionality via a file transfer rule. You must add the server as a new device so LogLogic can properly handle the log file data and make it available through reports and searching. Once you have successfully added the Microsoft DHCP device, you must configure file transfer rules for file collection. For more information, see Configuring the LogLogic Appliance for Data and File Collection on page 11.

To add Microsoft DHCP as a new device:
1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Management > Devices. The Devices tab appears.
3. Click Add New. The Add Device tab appears.
4. Type in the following information for the device:
    Name: Name for the Microsoft DHCP device
    Description (optional): Description of the Microsoft DHCP device
    Device Type: Select Microsoft DHCP from the drop-down menu
    Host IP: IP address of the Microsoft DHCP server
    Enable Data Collection: Select the Yes radio button
    Refresh Device Name through DNS Lookups (optional): Select this checkbox to enable the Name field to be automatically updated. The name is obtained using a reverse DNS lookup on the configured refresh interval. The DNS name overrides any manual name you assign.
Figure 2: Adding a Device to the LogLogic Appliance

5. Click Add.
6. Verify that your new device appears in the Devices tab and that Enabled is set to Yes.

After you add the new device, you can configure the LogLogic Appliance by setting up file transfer rules. For information on configuring the LogLogic Appliance to capture Microsoft DHCP log messages, see Configuring the LogLogic Appliance for Data and File Collection on page 11.

Creating File Transfer Rules

Note: Creating a file transfer rule is only required if you are capturing Microsoft DHCP audit events.

After you add your Microsoft DHCP device, you can create a file transfer rule for the log files. File transfer rules enable the LogLogic Appliance to pull files from the host machine or remote Host Server publishing the Microsoft DHCP log files.

LogLogic supports the following wildcards in directory queries: * (asterisk), ? (question mark), and [...] (open and close brackets). If you use wildcards, you must enable directory listing on your host machine or remote Host Server. Examples:

    /foo/file
    /foo/file, /bar/*.log
    /foo?/bar*/*.aud, /foo1/file1.tar.gz, /foo1/file2.z
    /foo[2-8]/bar*/net*.log

LogLogic can pull and decompress archive files, extract individual files from the archive files, and then process the individual files. The following file types are supported: .tar.bz2, .tar.gz, .tar.z, .tgz, .taz, .tar, .gz, .z, .zip. For more information, see the LogLogic Administration Guide.
To create a file transfer rule:
1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Management > Devices.
3. Select the File Transfer Rules tab.
4. Add a rule for the Microsoft DHCP log files you want to capture by completing the following steps:
    a. From the Device Type drop-down menu, select the machine where Microsoft DHCP is installed.
    b. From the Device drop-down menu, select the appropriate Microsoft DHCP device.
        Note: If you have added only one Microsoft DHCP device, the device name is automatically added.
    c. Click Add Rule, then enter the appropriate information for the following required fields:
        Rule Name: Name of the transfer rule (e.g., Microsoft DHCP log files)
        Protocol: Specify the appropriate protocol (e.g., SFTP, SCP, FTP(S), etc.)
            Note: LogLogic recommends using a secure file transfer protocol, such as SFTP for Windows-based devices or SCP for UNIX-based devices. If you are using SFTP or SCP, you must copy the Appliance's public key to the machine where the logs are located. For more information, see Configuring the LogLogic Appliance for Data and File Collection on page 11 and the LogLogic Administration Guide.
        User ID: Specify only if the protocol requires a User ID
        Password/Verify Password: Specify only if required for the User ID
        Files: Full path (after the IP address) on the Host Server where the Microsoft DHCP log files are located. For example:
            /publishing directory/dhcp/dhcpsrvlog*
        To capture all logs in a specific directory, specify the asterisk (*) wildcard. For example:
            /publishing directory/dhcp/*.zip
        The server can be the host machine where the device is installed or a remote Host Server with file transfer functionality. For more information, see Configuring the LogLogic Appliance for Data and File Collection on page 11.
        File Format: Select Microsoft DHCP Audit Log from the drop-down menu
        Collection Time: Specify the time you want to retrieve the log file
        Use Advanced Duplication Detection: Select the Yes radio button if you want the LogLogic Appliance to check for duplicate data while capturing the Microsoft DHCP logs.
        Enable: Select the Yes radio button to enable the file transfer rule
    d. Click Add.
Figure 3: Add File Transfer Rule Tab

Verifying the Configuration

This section describes how to verify that the configuration changes made to Microsoft DHCP and the LogLogic Appliance are applied correctly.

To verify the configuration:
1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Dashboards > Log Source Status. The Log Source Status tab appears.
3. Locate the IP address for each Microsoft DHCP device.
If the device name (Microsoft DHCP) appears in the list of devices, then the configuration is correct. If the device does not appear in the Log Source Status tab, check the Microsoft DHCP logs for events that should have been sent. If events were detected and are still not appearing on the LogLogic Appliance, verify the Microsoft DHCP configuration, the Project Lasso configuration (for operational logs), and the LogLogic Appliance configuration.

You can also verify that the LogLogic Appliance is properly capturing log data from Microsoft DHCP by viewing the data in the reports. LogLogic recommends checking the reports to make sure that the data obtained is valid and matches expectations. For more information, see LogLogic Real-Time Reports on page 20.

If the device name appears in the list of devices but operational or audit log data for the device is not appearing within your reports, see Troubleshooting on page 23 for more information.
Chapter 2 How LogLogic Supports Microsoft DHCP

This chapter describes LogLogic's support for Microsoft DHCP. LogLogic enables you to capture log data to monitor Microsoft DHCP events.

    How LogLogic Captures Microsoft DHCP Log Data (page 18)
    Supported Microsoft DHCP Log Data (page 19)
    LogLogic Real-Time Reports (page 20)
    LogLogic Search Filters (page 20)

How LogLogic Captures Microsoft DHCP Log Data

LogLogic's open source Windows Collector, Project Lasso, is used to collect Microsoft DHCP operational logs stored in the Windows System Log. The operational logs are converted into text format by Project Lasso and sent to the Syslog Listener of the LogLogic Appliance via UDP or TCP.

The LogLogic Appliance uses file pulling to capture Microsoft DHCP audit log messages. By default, audit logs are stored in text format under the following directory:

    Windows\System32\Dhcp

The log files are named DhcpSrvLog-<day of week>. LogLogic enables you to capture the log data in text format from a remote file system using FTP(S), HTTP(S), SCP, etc. Log files unchanged since the last pull are filtered out from collection to eliminate duplication. File pulling maintains a record of log files identified in the database to allow conversion. All log messages are pulled from the specified path where the converted log files are stored.

Note: LogLogic enables you to collect Microsoft DHCP log messages at a configurable time (e.g., every x minutes, at an hourly interval, daily at a specified time, or weekly at a specified date and time).

Figure 4 on page 19 provides a deployment example for capturing Microsoft DHCP operational and audit log messages. For audit logs, an SFTP server is used as a remote Host Server in the example.
If the host machine for the log source has built-in SFTP, SCP, FTP(S), HTTP(S), etc., server functionality, a remote Host Server is not a mandatory component. For more information, see Configuring the LogLogic Appliance for Data and File Collection on page 11. For operational logs, a remote Host Server with Project Lasso installed and operating in Collector Mode is used as an example. For more information, see the LogLogic Windows Collector Guide (Project Lasso).
Figure 4: Microsoft DHCP, Project Lasso (Collector Mode), a remote SFTP Host Server, and the LogLogic Appliance Components and Processes

Once the data is captured and parsed, you can generate reports. In addition, you can create alerts to notify you of issues on Microsoft DHCP. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.

Note: When a log file is transferred, each file contains a timestamp which consists of a date and time. The timestamp refers to the file creation date and time for a particular message in the file. For a listing of LogLogic supported date and time formats, see the LogLogic Administration Guide.

Supported Microsoft DHCP Log Data

LogLogic enables you to capture Microsoft DHCP audit and operational log data.

Microsoft DHCP audit logs are comma-delimited text files with each log entry representing a single line of text. For example, an audit log file entry contains the following fields in the order presented:

    ID, Date, Time, Description, IP Address, Host Name, MAC Address

Table 2 on page 41 lists the Microsoft DHCP audit events that are supported by the LogLogic Appliance.

Microsoft DHCP related operational events are recorded in the Windows System Log. This includes, by default, major activities that potentially affect the operating system (e.g., Microsoft DHCP service startup, shutdown, errors, and change of configuration options). Table 1 on page 28 lists the Microsoft DHCP operational events that are supported by the LogLogic Appliance.

Note: The LogLogic Appliance captures all messages from the Microsoft DHCP logs, but includes only specific messages for report/alert generation. For more information, see Appendix A Reference on page 27 for sample log messages for each event and event to category mapping.
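The audit log format described above is simple enough to parse directly, which is useful when checking that the files staged for pull actually contain the events a report should show. The following Python parser is an added example, not code from the LogLogic guide or the Appliance; the sample log is constructed, and the event ID meanings are the ones Microsoft documents for the DHCP audit log (and prints in the preamble of every DhcpSrvLog-* file), not a table from this guide. Windows Server 2008 appends extra columns after MAC Address, which the parser tolerates.

```python
"""Added example (not from the LogLogic guide): parse Microsoft DHCP audit log
lines and bucket them the way the guide's Real-Time Reports do."""
import csv
import io

# Subset of Microsoft's documented DHCP audit event IDs (assumption: your
# server writes these codes; the full table is printed at the top of each
# DhcpSrvLog-* file).
GRANTED = {"10": "new lease", "11": "lease renewed"}
DENIED = {"13": "address conflict", "14": "scope exhausted", "15": "lease denied"}
SERVER = {"00": "log started", "01": "log stopped", "54": "authorization failed"}

FIELDS = ["id", "date", "time", "description", "ip", "host", "mac"]

# Constructed sample: preamble lines as the service writes them, the column
# header, then data rows (the Server 2008 row carries extra trailing columns).
SAMPLE_LOG = """\
\t\tMicrosoft DHCP Service Activity Log

Event ID  Meaning
00\tThe log was started.

ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,09/14/11,00:00:03,Started,,,
10,09/14/11,08:12:40,Assign,192.0.2.25,ws01.example.test,000C29A1B2C3
11,09/14/11,08:12:41,Renew,192.0.2.26,ws02.example.test,000C29A1B2C4
15,09/14/11,08:13:02,Deny,192.0.2.99,,000C29DEADBE
10,09/14/11,08:20:11,Assign,192.0.2.27,ws03.example.test,000C29A1B2C5,,,,0
54,09/14/11,08:30:00,Authorization failed,,example.test,
"""


def parse_audit_log(text):
    """Return one dict per data row, skipping the preamble and column header."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        # Data rows start with a numeric two-digit event ID and have >= 7 fields.
        if len(row) < 7 or not row[0].strip().isdigit():
            continue
        rec = dict(zip(FIELDS, (v.strip() for v in row[:7])))
        rec["extra"] = [v.strip() for v in row[7:]]  # Server 2008 columns
        records.append(rec)
    return records


def classify(rec):
    """Map a record to the report bucket the guide describes."""
    if rec["id"] in GRANTED:
        return "granted_renewed"
    if rec["id"] in DENIED:
        return "denied"
    if rec["id"] in SERVER:
        return "server"
    return "other"


def summarize(records):
    """Count records per bucket; mirrors DHCP Activity / Denied / Granted."""
    counts = {"granted_renewed": 0, "denied": 0, "server": 0, "other": 0}
    for rec in records:
        counts[classify(rec)] += 1
    return counts


def denied_clients(records):
    """(MAC, requested IP) pairs for denied requests, for follow-up."""
    return [(r["mac"], r["ip"]) for r in records if r["id"] in DENIED]


def authorization_failures(records):
    """Domains reported by event 54: the server is not authorized in AD and
    will not serve clients, which the Rogue Server Detection filter flags."""
    return [r["host"] for r in records if r["id"] == "54"]


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_LOG)
    print(summarize(recs), denied_clients(recs), authorization_failures(recs))
```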
LogLogic Real-Time Reports

LogLogic provides pre-configured Real-Time Reports for Microsoft DHCP log data. The following Real-Time Reports are available:

    DHCP Activity: Displays events related to all DHCP activity
    DHCP Denied Activity: Displays events related to DHCP requests that were denied
    DHCP Granted/Renewed Activity: Displays events related to DHCP requests that were granted or renewed

To access LMI 5 Real-Time Reports:
1. In the top navigation pane, click Reports.
2. Click Network Activity. The following Real-Time Reports are available:
    DHCP Activity
    DHCP Denied Activity
    DHCP Granted/Renewed Activity

You can create custom reports from the existing Real-Time Report templates. For more information, see the LogLogic User Guide and LogLogic Online Help.

LogLogic Search Filters

LogLogic provides pre-configured Search Filters for Microsoft DHCP log data. Search Filters are used to filter report data and create alerts.

To access Search Filters:
1. From the navigation menu, select Search.
2. Select Search Filters.

The following Search Filters are available:

    Microsoft DHCP: Audit - Change & Configuration Management: Displays details for the following activities reported within the DHCP audit logs: Network Configuration Changes, Privilege Change Status, User Account Changes, Application Configuration Changes, Windows Registry Changes
    Microsoft DHCP: Audit - Continuity & Availability Management: Displays details for the following activities reported within the DHCP audit logs: System Restarts, Backup Status, System Errors
    Microsoft DHCP: Audit - Rogue Server Detection: Displays details for all activities related to rogue server detection reported within the DHCP audit logs
    Microsoft DHCP: Audit - Security & Threat Management: Displays details for the following activities reported within the DHCP audit logs: IDS Activity, Top Attacking IP Addresses, Top Attacked IP Addresses, Antivirus Protection Status
    Microsoft DHCP: Audit - System Health: Displays details for all activities related to system health reported within the DHCP audit logs
    Microsoft DHCP: Audit Rogue DHCP Server detection: Displays details for all activities related to rogue DHCP server detection and shutdown reported within the DHCP audit logs
    Microsoft DHCP: Operational - Backup & Restore: Displays details for all activities related to backup and restore events reported within the DHCP operational logs
    Microsoft DHCP: Operational - Change & Configuration Management: Displays details for the following activities reported within the DHCP operational logs: Network Configuration Changes, Privilege Change Status, User Account Changes, Application Configuration Changes, Windows Registry Changes
    Microsoft DHCP: Operational - Configuration Changes: Displays details for all activities related to configuration changes reported within the DHCP operational logs
    Microsoft DHCP: Operational - Identity & Access Management: Displays details for the following activities reported within the DHCP operational logs: Privilege Use by User, Resource Access, Database Data Access, User Authentication Status
    Microsoft DHCP: Operational - Performance & Capacity Management: Displays details for the following activities reported within the DHCP operational logs: System Resource Exhaustion, Network Capacity Use by Application, Database Table Usage
    Microsoft DHCP: Operational - Rogue Server Detection: Displays details for all activities related to rogue DHCP server detection and shutdown reported within the DHCP operational logs
Microsoft DHCP: Operational - Security & Threat Management
  Displays details for the following activities reported within the DHCP operational logs:
    IDS Activity
    Top Attacking IP Addresses
    Top Attacked IP Addresses
    Antivirus Protection Status

Microsoft DHCP: Operational - Security Events
  Displays details for all security events reported within the DHCP operational logs.

Microsoft DHCP: Operational - Server Start/Stop
  Displays details for all activities related to server starts or stops reported within the DHCP operational logs.

Microsoft DHCP: Operational - System Health
  Displays details for all activities related to system health reported within the DHCP operational logs.

Microsoft DHCP: Operational Continuity & Availability Management
  Displays details for the following activities reported within the DHCP operational logs:
    System Restarts
    Backup Status
    System Errors

For more information on Search Filters, reports, and alerts, see the LogLogic User Guide and LogLogic Online Help.
Chapter 3 Troubleshooting and FAQ

This chapter contains troubleshooting information regarding the configuration and/or use of log collection for Microsoft DHCP. It also contains Frequently Asked Questions (FAQ), providing quick answers to common questions.

Troubleshooting.......................................................... 23
Frequently Asked Questions................................................ 25

Troubleshooting

Is your version of Microsoft DHCP supported?
For more information, see Prerequisites on page 8.

Is your LogLogic Appliance running Release 5.1 or later?
If you are running a release prior to 5.1, you will require an upgrade. Contact LogLogic Support for more information.

Are you running Project Lasso 4.0 or later?
If you are running a release prior to 4.0, you might require an upgrade. Contact LogLogic Support for more information.

Is the appropriate Log Source Package (LSP) installed properly?
Check to make sure that the LSP that is installed includes support for Microsoft DHCP. Also make sure that the package was installed successfully. For more information on LSP installation procedures, see the LogLogic Log Source Package Release Notes.

If Microsoft DHCP operational events are not appearing on the LogLogic Appliance...
You can verify that your log files are received by viewing the File Transfer History. You can view the history from the Administration > File Transfer History tab. Make sure that you have properly installed and configured Project Lasso, and that no errors are present in Lasso's error log (LassoTrace.log). For more information, see the LogLogic Windows Collector Guide (Project Lasso). Also make sure that the Appliance is properly auto-identifying the device. If not, try to add the device to the Appliance manually. For more information, see Automatically Identifying a Microsoft DHCP Device on page 12 and Adding Microsoft DHCP Device on page 13.
If Operational events are not displaying on the LogLogic Appliance even after configuring Microsoft DHCP and Project Lasso correctly...
Microsoft DHCP sends the logs, via UDP or TCP in Syslog format, to the LogLogic Appliance. Make sure that the UDP or TCP port is enabled on the Microsoft DHCP machine. For more information on supported protocols and ports, see the LogLogic Administration Guide and the LogLogic Windows Collector Guide (Project Lasso).

If Microsoft DHCP audit events are not appearing on the LogLogic Appliance...
You need to verify that the LogLogic Appliance is receiving the logs correctly. For more information, see Problems Retrieving Log Files Using Configured File Transfer Rules on page 24.

Problems Retrieving Log Files Using Configured File Transfer Rules

If you are having general problems retrieving audit log files using your configured file transfer rules, you might need to verify that your LogLogic Appliance is receiving Microsoft DHCP audit logs as scheduled.

To verify that the LogLogic Appliance is receiving logs correctly:
1. Log in to the LogLogic Appliance managing the Microsoft DHCP log data.
2. From the navigation menu, select Management > Devices. The Devices tab appears.
3. Select the File Transfer Rules tab. The File Transfer Rules tab appears with a table displaying all of your file transfer rules.
4. Find the file-based log data entries.
5. Under the Last Successful Retrieval column, watch for a successful transfer as defined by the Collection Interval mark.
6. Under the Last Attempted Retrieval column, verify that there are no failures.
7. If the Last Attempted Retrieval value is incrementing but the Last Successful Retrieval value is not changing, then the LogLogic Appliance is not receiving logs correctly. If this problem occurs, then complete the following steps:
   a. Verify the path to your log files. If necessary, make appropriate changes.
   b. Verify your user name and password. If necessary, make appropriate changes.
Alternatively, you can run an Index Search against Microsoft DHCP as follows to check log collection:
1. From the navigation menu, select Search > Index Search.
2. Specify the LogLogic Appliance as the Device Type and choose the appropriate Source Device.
3. Enter your Boolean Search query. For example:
   To return file collector-related logs, type engine_filecollector
   To return only Microsoft entries, type engine_filecollector and Microsoft

Entries can be found in the /loglogic/status/filecollector_status file.
Frequently Asked Questions

How does the LogLogic Appliance collect logs from Microsoft DHCP?
For operational log collection, an open source Windows Collector, Project Lasso, is required in order to read the .evt files from the Windows machine, convert them into text format, and forward them via Syslog using UDP or TCP to the LogLogic Appliance. The LogLogic Appliance functions as the Syslog server. For more information, see How LogLogic Captures Microsoft DHCP Log Data on page 18.

What access permissions are required?
To configure logging on Microsoft DHCP, the Windows user must have administrative permissions.

How do I configure logging on Microsoft DHCP?
For audit logs, follow the procedures in Configuring Microsoft DHCP for Audit Logging on page 8. Also make sure that you have properly configured the LogLogic Appliance for file collection. For more information, see Configuring the LogLogic Appliance for Data and File Collection on page 11.
For operational logs, follow the procedures in Configuring Microsoft DHCP for Operational Events on page 10. Also make sure that you have properly installed and configured Project Lasso. For more information, see Installing and Configuring Project Lasso on page 10 and the LogLogic Windows Collector Guide (Project Lasso).
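The FAQ above describes Project Lasso reading the Windows event records, converting them to text and forwarding them via Syslog; the sample operational messages in Appendix A show the resulting line layout. The following added example (not LogLogic's or Project Lasso's code) parses such lines and flags the authorization and rogue-server event IDs listed in Table 1 of the appendix. The two sample lines are taken from that table; the field layout is inferred from the samples, and the event notes and labels are this example's own wording.

```python
import re

# Event IDs from Table 1 of Appendix A that a defender should review: the server
# lost (or never had) directory-service authorization, or it detected another
# DHCP server on its network. The short notes are ours, not LogLogic's wording.
AUTHORIZATION_EVENTS = {
    1045: "not authorized to start (workgroup server met a domain DHCP server)",
    1046: "not authorized to start (domain member not authorized in the directory)",
    1051: "not authorized to service clients for the domain",
    1066: "not authorized in the directory service domain",
    1068: "authorization state not yet determined",
    1102: "authorization failed",
    1104: "authorization failure, stopped servicing",
    20037: "could not determine whether it is authorized to run",
    20040: "unable to contact the directory service",
    20041: "authorization information conflicts with another DHCP server",
}
ROGUE_SERVER_EVENTS = {
    1042: "detected another DHCP/BINL server on the network",
    1052: "workgroup server encountered a server belonging to a domain",
    1053: "Small Business Server encountered another server on this network",
    20038: "shutting down because another DHCP server is active on the network",
}
WEAK_CONFIG_EVENTS = {
    1056: "running on a DC with no credentials for Dynamic DNS registrations",
}

# Field layout of a Project Lasso Syslog line as it appears in the appendix samples
# (inferred from those samples, an assumption rather than a published grammar):
#   <PRI>relay timestamp, relay IP, MSWinEventLog, n, log name, counter,
#   event timestamp, event ID, source, user plus message text, record number.
# The extracted guide shows the collector tag as both MSWinEventLog and MSWinLog.
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<relay_ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<relay_ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"MSWin(?:Event)?Log \d+ (?P<log>\S+) (?P<counter>\d+) "
    r"(?P<event_ts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<event_id>\d+) (?P<source>\S+) (?P<rest>.*)$"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_lasso_line(line):
    """Split one Lasso Syslog line into fields; return None if it is not in that layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # RFC 3164 PRI = facility * 8 + severity; <13> is facility 1 (user), severity 5 (notice).
    rec["pri"] = int(rec["pri"])
    rec["facility"], rec["severity"] = divmod(rec["pri"], 8)
    rec["event_id"] = int(rec["event_id"])
    # The line ends with a Lasso record number. Everything between the source and that
    # number is the user field plus the event text; the user ("Unknown User") contains
    # a space, so the samples give no reliable delimiter between the two.
    tail = re.match(r"^(?P<message>.*?)\s+(?P<record>\d+)$", rec.pop("rest").strip())
    if tail is None:
        return None
    rec["message"] = tail.group("message")
    rec["record"] = int(tail.group("record"))
    return rec


def classify(rec):
    """Return (label, note) for a parsed record; label is 'other' for routine events."""
    for label, table in (("authorization", AUTHORIZATION_EVENTS),
                         ("rogue-server", ROGUE_SERVER_EVENTS),
                         ("weak-config", WEAK_CONFIG_EVENTS)):
        if rec["event_id"] in table:
            return label, table[rec["event_id"]]
    return "other", None


def peer_addresses(rec):
    """IPv4 addresses named in the event text, e.g. the other DHCP server in event 1052."""
    return IPV4_RE.findall(rec["message"])


def review(lines):
    """Parse lines and return (event ID, label, note, peer IPs) for the records to review."""
    findings = []
    for line in lines:
        rec = parse_lasso_line(line)
        if rec is None:
            continue
        label, note = classify(rec)
        if label != "other":
            findings.append((rec["event_id"], label, note, peer_addresses(rec)))
    return findings


# Two sample lines taken from the Appendix A table (events 1052 and 1056).
SAMPLE_LINES = [
    "<13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 "
    "1052 DhcpServer Unknown User DHCP/BINL service on this workgroup server has encountered "
    "another server with IP Address, 10.114.19.29, belonging to the domain DNSDHCP.com. 381",
    "<13>Feb 13 12:30:52 10.116.28.102 MSWinEventLog 0 System 10228 Thu Sep 07 12:07:15 2006 "
    "1056 DhcpServer Unknown User N/A Warning LOGLOGIC-SRV1 None 0000: 00 00 00 00... The DHCP "
    "service has detected that it is running on a DC and has no credentials configured for use "
    "with Dynamic DNS registrations initiated by the DHCP service. This is not a recommended "
    "security configuration. Credentials for Dynamic DNS registrations may be configured using "
    'the command line "netsh dhcp server set dnscredentials" or via the DHCP Administrative '
    "tool. 10228",
]
```

Calling review(SAMPLE_LINES) yields one rogue-server finding (event 1052, naming 10.114.19.29) and one weak-config finding (event 1056).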
Appendix A Reference

This appendix lists the LogLogic-supported Microsoft DHCP events. The Microsoft DHCP event table identifies events that can be analyzed through LogLogic reports. All sample audit log messages were captured by LogLogic's file pull functionality. All sample operational log messages were captured by LogLogic's Syslog Listener.

LogLogic Support for Microsoft DHCP Events

The following list describes the contents of each of the columns in the tables below.

ID
  Microsoft DHCP event identifier
Agile Reports/Search
  Defines whether the Microsoft DHCP event is available through the LogLogic Agile Report Engine or through the search capabilities. If the event is available through the Agile Report Engine, then you can use LogLogic's Real-Time Reports and Summary Reports to analyze and display the captured log data. Otherwise, all other supported events that are captured by the LogLogic Appliance can be viewed by performing a search for the log data.
Title/Comments
  Description of the event
Category
  Category of events such as Audit or Operational
Type
  Type of event such as Success, Failure, etc.
Sample Log Message
  Sample Microsoft DHCP log messages in text format

Note: A Media Access Control (MAC) address or Globally Unique Identifier (GUID) can be present in the log as a client machine unique identifier.
Table 1 Microsoft DHCP Operational Events

Columns: ID | Agile Reports/Search | Title/Comments | Category | Type | Sample Log Message

1. ID 1008 | Search | Category: Operational | Type: Error
   Title/Comments: The DHCP service is shutting down due to the following error: %1
   Sample Log Message: The log format for this event is supported by the LogLogic

2. ID 1016 | Search | Category: Operational | Type: Error
   Title/Comments: The DHCP service encountered the following error when backing up the database: %1
   Sample Log Message: <13>Feb 20 12:15:47 10.116.28.200 MSWinEventLog 0 System 1339 Tue Feb 20 10:01:30 2007 1016 DhcpServer Unknown User N/A Error LAB-2003-200 None 0000: 2d 4e 00 00 -N.. The DHCP service encountered the following error when backing up the database: An error occurred while accessing the DHCP database. Look at the DHCP server event log for more information on this error. 845

3. ID 1018 | Search | Category: Operational | Type: Failure
   Title/Comments: The DHCP service failed to restore the database. The following error occurred: %1
   Sample Log Message: The log format for this event is supported by the LogLogic

4. ID 1019 | Search | Category: Operational | Type: Failure
   Title/Comments: The DHCP service failed to restore the DHCP registry configuration. The following error occurred: %1
   Sample Log Message: The log format for this event is supported by the LogLogic

5. ID 1020 | Search | Category: Operational
   Title/Comments: Scope, %1, is %2 percent full with only %3 IP addresses remaining.
   Sample Log Message: The log format for this event is supported by the LogLogic

6. ID 1023 | Search | Category: Operational
   Title/Comments: The DHCP service will now terminate because the existing database needs conversion to Windows 2000 format. The conversion via the jetconv process, has initiated. Do not reboot or stop the jetconv process. The conversion may take up to 10 minutes depending on the size of the database. Terminate DHCP now by clicking OK. This is required for the database conversion to succeed. NOTE: The DHCP service will be restarted automatically when the conversion is completed. To check conversion status, look at the Application event log for the jetconv process.
   Sample Log Message: <13>Feb 13 12:30:52 10.116.28.102 MSWinEventLog 0 System 10264 Thu Feb 08 10:13:43 2007 1023 DhcpServer Unknown User N/A Information LOGLOGIC-SRV1 None 0000: 00 00 00 00... The DHCP service will now terminate because the existing database needs conversion to Windows 2000 format. The conversion via the jetconv process, has initiated. Do not reboot or stop the jetconv process. The conversion may take up to 10 minutes depending on the size of the database. Terminate DHCP now by clicking OK. This is required for the database conversion to succeed. NOTE: The DHCP service will be restarted automatically when the conversion is completed. To check conversion status, look at the Application event log for the jetconv process.. 10264
7. ID 1027 | Search | Category: Operational
   Title/Comments: The audit log file cannot be appended.
   Sample Log Message: <13>Feb 13 12:30:52 10.116.28.102 MSWinEventLog 0 System 10264 Thu Feb 08 10:13:43 2007 1027 DhcpServer Unknown User N/A Information LOGLOGIC-SRV1 None 0000: 00 00 00 00... The audit log file cannot be appended.. 10264

8. ID 1030 | Search | Category: Operational | Type: Error
   Title/Comments: The audit log file could not be backed up. The following error occurred: %1
   Sample Log Message: The log format for this event is supported by the LogLogic

9. ID 1040 | Search | Category: Operational | Type: Success
   Title/Comments: The DHCP service successfully restored the database.
   Sample Log Message: <13>Feb 13 12:30:52 10.116.28.102 MSWinEventLog 0 System 10264 Thu Feb 08 10:13:43 2007 1040 DhcpServer Unknown User N/A Information LOGLOGIC-SRV1 None 0000: 00 00 00 00... The DHCP service successfully restored the database. 10264

10. ID 1041 | Search | Category: Operational | Type: Error
   Title/Comments: The DHCP service is not servicing any clients because none of the active network interfaces have statically configured IP addresses, or there are no active interfaces.
   Sample Log Message: <13>Feb 13 12:30:52 10.116.28.102 MSWinEventLog 0 System 10284 Thu Feb 08 11:04:57 2007 1041 DhcpServer Unknown User N/A Error LOGLOGIC-SRV1 None 0000: 00 00 00 00... The DHCP service is not servicing any clients because none of the active network interfaces have statically configured IP addresses, or there are no active interfaces. 10284

11. ID 1042 | Search | Category: Operational
   Title/Comments: The DHCP/BINL service running on this machine has detected a server on the network. If the server does not belong to any domain, the domain is listed as empty. The IP address of the server is listed in parentheses.%1
   Sample Log Message: <13>Feb 13 12:30:52 10.116.28.102 MSWinEventLog 0 System 10264 Thu Feb 08 10:13:43 2007 1040 DhcpServer Unknown User N/A Information LOGLOGIC-SRV1 None 0000: 00 00 00 00... The DHCP/BINL service running on this machine has detected a server on the network. If the server does not belong to any domain, the domain is listed as empty. The IP address of the server is listed in parentheses {10.116.28.94}. 10264

12. ID 1045 | Search | Category: Operational | Type: Failure
   Title/Comments: The DHCP/BINL service on the local machine has determined that it is not authorized to start. It has stopped servicing clients. The following are some possible reasons for this: This machine belongs to a workgroup and has encountered another DHCP Server (belonging to a Windows Administrative Domain) servicing the same network. An unexpected network error occurred.
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 1045 DhcpServer Unknown User DHCP/BINL service on the local machine has determined that it is not authorized to start. It has stopped servicing clients. The following are some possible reasons for this: This machine belongs to a workgroup and has encountered another DHCP Server (belonging to a Windows Administrative Domain) servicing the same network. An unexpected network error occurred. 381
13. ID 1046 | Search | Category: Operational | Type: Failure
   Title/Comments: The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain %2, has determined that it is not authorized to start. It has stopped servicing clients. The following are some possible reasons for this: This machine is part of a directory service enterprise and is not authorized in the same domain. (See help on the DHCP Service Management Tool for additional information). This machine cannot reach its directory service enterprise and it has encountered another DHCP service on the network belonging to a directory service enterprise on which the local machine is not authorized. Some unexpected network error occurred.
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 1046 DhcpServer Unknown User DHCP/BINL service on the local machine, belonging to the Windows Administrative domain loglog.com, has determined that it is not authorized to start. It has stopped servicing clients. The following are some possible reasons for this: This machine is part of a directory service enterprise and is not authorized in the same domain. (See help on the DHCP Service Management Tool for additional information). This machine cannot reach its directory service enterprise and it has encountered another DHCP service on the network belonging to a directory service enterprise on which the local machine is not authorized. Some unexpected network error occurred. 381

14. ID 1051 | Search | Category: Operational | Type: Failure
   Title/Comments: The DHCP/BINL service has determined that it is not authorized to service clients on this network for the Windows domain: %2. All DHCP services that belong to a directory service enterprise must be authorized in the directory service to service clients. (See help on the DHCP Service Management Tool for authorizing a DHCP server in the directory service).
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 1051 DhcpServer Unknown User DHCP/BINL service has determined that it is not authorized to service clients on this network for the Windows domain: DNSDHCP.com. All DHCP services that belong to a directory service enterprise must be authorized in the directory service to service clients. 381

15. ID 1052 | Search | Category: Operational
   Title/Comments: The DHCP/BINL service on this workgroup server has encountered another server with IP Address, %1, belonging to the domain %2.
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 1052 DhcpServer Unknown User DHCP/BINL service on this workgroup server has encountered another server with IP Address, 10.114.19.29, belonging to the domain DNSDHCP.com. 381

16. ID 1053 | Search | Category: Operational
   Title/Comments: The DHCP/BINL service on this computer running Windows Server 2003, 2008 for Small Business Server has encountered another server on this network with IP Address, %1, belonging to the domain: %2.
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 1053 DhcpServer Unknown User DHCP/BINL service on this computer running Windows Server 2003, 2008 for Small Business Server has encountered another server on this network with IP Address, 10.116.24,34, belonging to the domain: DNSDHCP.com. 381
17. ID 1054 | Search | Category: Operational
   Title/Comments: The DHCP/BINL service on this computer is shutting down. See the previous event log messages for reasons.
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 1054 DhcpServer Unknown User DHCP/BINL service on this computer is shutting down. See the previous event log messages for reasons. 381

18. ID 1055 | Search | Category: Operational | Type: Failure
   Title/Comments: The DHCP service was unable to impersonate the credentials necessary for DNS registrations: %1. The local system credentials is being used.
   Sample Log Message: The log format for this event is supported by the LogLogic

19. ID 1056 | Search | Category: Operational | Type: Error
   Title/Comments: The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCP service. This is not a recommended security configuration. Credentials for Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the DHCP Administrative tool.
   Sample Log Message: <13>Feb 13 12:30:52 10.116.28.102 MSWinEventLog 0 System 10228 Thu Sep 07 12:07:15 2006 1056 DhcpServer Unknown User N/A Warning LOGLOGIC-SRV1 None 0000: 00 00 00 00... The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCP service. This is not a recommended security configuration. Credentials for Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the DHCP Administrative tool. 10228

20. ID 1066 | Search | Category: Operational | Type: Failure
   Title/Comments: The DHCP/BINL service is not authorized in the directory service domain "%2" (Server IP Address %1)
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 1066 DhcpServer Unknown User DHCP/BINL service is not authorized in the directory service domain "DNSDHCP.com" (Server IP Address 10.116.28.27). 381

21. ID 1067 | Search | Category: Operational | Type: Success
   Title/Comments: The DHCP/BINL service is authorized in the directory service domain "%2" (Server IP Address %1)
   Sample Log Message: <13>Feb 13 12:30:52 10.116.28.102 MSWinEventLog 0 System 10228 Thu Sep 07 12:07:15 2006 1067 DhcpServer Unknown User N/A Warning LOGLOGIC-SRV1 None 0000: 00 00 00 00... The DHCP/BINL service is authorized in the directory service domain "DNSDHCP.com" (Server IP Address 10.116.28.27). 10228

22. ID 1068 | Search | Category: Operational | Type: Error
   Title/Comments: The DHCP/BINL service has not determined if it is authorized in directory domain "%2" (Server IP Address %1)
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 1068 DhcpServer Unknown User DHCP/BINL service has not determined if it is authorized in directory domain "DNSDHCP.com" (Server IP Address 10.116.28.27). 381

23. ID 1075 | Search | Category: Operational
   Title/Comments: Scope Full%0
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 20011 DhcpServer Unknown User N/A Error LAB-2003-200 None 0000: 00 00 00 00... Scope Full. 381
24. ID 1076 | Search | Category: Operational
   Title/Comments: Started%0
   Sample Log Message: The log format for this event is supported by the LogLogic

25. ID 1077 | Search | Category: Operational
   Title/Comments: Stopped%0
   Sample Log Message: The log format for this event is supported by the LogLogic

26. ID 1080 | Search | Category: Operational
   Title/Comments: BAD_ADDRESS%0
   Sample Log Message: The log format for this event is supported by the LogLogic

27. ID 1081 | Search | Category: Operational
   Title/Comments: This address is already in use%0
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 1081 DhcpServer Unknown User N/A Error LAB-2003-200 None 0000: 00 00 00 00... This address is already in use 10.116.28.77 381

28. ID 1086 | Search | Category: Operational
   Title/Comments: %%d leases expired and %%d leases deleted%0
   Sample Log Message: The log format for this event is supported by the LogLogic
29. ID 1088 | Search | Category: Operational
   Title/Comments: Microsoft DHCP Service Activity Log
     ID   Meaning
     00   The log was started.
     01   The log was stopped.
     02   The log was temporarily paused due to low disk space.
     10   A new IP address was leased to a client.
     11   A lease was renewed by a client.
     12   A lease was released by a client.
     13   An IP address was found to be in use on the network.
     14   A lease request could not be satisfied because the scope's address pool was exhausted.
     15   A lease was denied.
     16   A lease was deleted.
     17   A lease was expired.
     20   A BOOTP address was leased to a client.
     21   A dynamic BOOTP address was leased to a client.
     22   A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted.
     23   A BOOTP IP address was deleted after checking to see it was not in use.
     24   IP address cleanup operation has began.
     25   IP address cleanup statistics.
     30   DNS update request to the named DNS server
     31   DNS update failed
     32   DNS update successful
     50+  Codes above 50 are used for Rogue Server Detection information.
     ID,Date,Time,Description,IP Address,Host Name,MAC Address
   Sample Log Message: <13>Feb 13 12:30:52 10.116.28.102 MSWinEventLog 0 System 10228 Thu Sep 07 12:07:15 2006 1062 DhcpServer Unknown User N/A Warning LOGLOGIC-SRV1 None 0000: 00 00 00 00... Microsoft DHCP Service Activity Log ID Meaning 00 The log was started. 01 The log was stopped. 02 The log was temporarily paused due to low disk space. 10 A new IP address was leased to a client. 11 A lease was renewed by a client. 12 A lease was released by a client. 13 An IP address was found to be in use on the network. 14 A lease request could not be satisfied because the scope's address pool was exhausted. 15 A lease was denied. 16 A lease was deleted. 17 A lease was expired. 20 A BOOTP address was leased to a client. 21 A dynamic BOOTP address was leased to a client. 22 A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted. 23 A BOOTP IP address was deleted after checking to see it was not in use. 24 IP address cleanup operation has began. 25 IP address cleanup statistics. 30 DNS update request to the named DNS server 31 DNS update failed 32 DNS update successful 50+ Codes above 50 are used for Rogue Server Detection information. ID,Date,Time,Description,IP Address,Host Name,MAC Address. 10228

30. ID 1089 | Search | Category: Operational | Type: Success
   Title/Comments: BOOTP Range Full%0
   Sample Log Message: The log format for this event is supported by the LogLogic
31. ID 1099 | Search | Category: Operational
   Title/Comments: Authorization succeeded%0
   Sample Log Message: The log format for this event is supported by the LogLogic

32. ID 1100 | Search | Category: Operational
   Title/Comments: Server Upgraded%0
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 20011 DhcpServer Unknown User N/A Error LAB-2003-200 None 0000: 00 00 00 00... Server Upgraded. 381

33. ID 1101 | Search | Category: Operational | Type: Failure
   Title/Comments: Cached authorization%0
   Sample Log Message: The log format for this event is supported by the LogLogic

34. ID 1102 | Search | Category: Operational | Type: Success
   Title/Comments: Authorization failed%0
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 20011 DhcpServer Unknown User N/A Error LAB-2003-200 None 0000: 00 00 00 00... Authorization failed. 381

35. ID 1103 | Search | Category: Operational | Type: Failure
   Title/Comments: Authorized(servicing)%0
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 1105 DhcpServer Unknown User N/A Error LAB-2003-200 None 0000: 00 00 00 00... Authorized(servicing) server1. 381

36. ID 1104 | Search | Category: Operational
   Title/Comments: Authorization failure, stopped servicing%0
   Sample Log Message: The log format for this event is supported by the LogLogic

37. ID 1107 | Search | Category: Operational
   Title/Comments: Network failure%0
   Sample Log Message: The log format for this event is supported by the LogLogic

38. ID 20011 | Search | Category: Operational
   Title/Comments: The specified address is not available.
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 20011 DhcpServer Unknown User specified address is not available. 381

39. ID 20012 | Search | Category: Operational | Type: Error
   Title/Comments: The specified IP address range is full.
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 20012 DhcpServer Unknown User specified IP address range is full. 381

40. ID 20015 | Search | Category: Operational | Type: Error
   Title/Comments: The DHCP server received a message that is not valid.
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 20015 DhcpServer Unknown User DHCP server received a message that is not valid. 381
41. ID 20016 | Search | Category: Operational
   Title/Comments: The DHCP server received a message from a client that is not valid.
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 20016 DhcpServer Unknown User DHCP server received a message from a client that is not valid. 381

42. ID 20017 | Search | Category: Operational
   Title/Comments: The DHCP server service is paused.
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 20017 DhcpServer Unknown User DHCP server service is paused. 381

43. ID 20034 | Search | Category: Operational | Type: Error
   Title/Comments: The DHCP service received a request for a valid IP address that is not administered by this server.
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 20017 DhcpServer Unknown User DHCP service received a request for a valid IP address that is not administered by this server. 381

44. ID 20035 | Search | Category: Operational
   Title/Comments: The DHCP Server failed to receive a notification of interface list changes. Some of the interfaces will not be enabled in the DHCP service.
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 20035 DhcpServer Unknown User DHCP Server failed to receive a notification of interface list changes. Some of the interfaces will not be enabled in the DHCP service. 381

45. ID 20037 | Search | Category: Operational | Type: Error
   Title/Comments: The DHCP Server is not servicing any clients on the network because it could not determine if it is authorized to run. This might be due to network problems or insufficient resources.
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 20037 DhcpServer Unknown User DHCP Server is not servicing any clients on the network because it could not determine if it is authorized to run. This might be due to network problems or insufficient resources. 381

46. ID 20038 | Search | Category: Operational | Type: Error
   Title/Comments: The DHCP service is shutting down because another DHCP server with the IP address %1 is active on the network.
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 20036 DhcpServer Unknown User DHCP service is shutting down because another DHCP server with the IP address 10.116.28.97 is active on the network. 381

47. ID 20040 | Search | Category: Operational | Type: Error
   Title/Comments: The DHCP service is unable to contact the directory service for domain %1. The DHCP service will continue to attempt to contact the directory service. During this time, no clients on the network will be serviced.
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 20040 DhcpServer Unknown User DHCP service is unable to contact the directory service for domain DNSDHCP.com. The DHCP service will continue to attempt to contact the directory service. During this time, no clients on the network will be serviced. 381

48. ID 20041 | Search | Category: Operational | Type: Error
   Title/Comments: The DHCP service is not servicing any clients on the network because its authorization information conflicts with another DHCP server whose IP address is %1 and is active on domain %2.
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 20041 DhcpServer Unknown User DHCP service is not servicing any clients on the network because its authorization information conflicts with another DHCP server whose IP address is 10.116.28.77 and is active on domain DNSDHCP.com. 381
ID Agile Reports /Search Title/Comments Category Type Sample Log Message 49 20042 Search The DHCP service is ignoring a request from another DHCP service because it is on a different directory service enterprise (Directory Service Enterprise root = %1) 50 20050 Search The network has changed. Retry this operation after checking for the network changes. Network changes may be caused by interfaces that are new or no longer valid, or by IP addresses that are new or no longer valid. 51 1008 Search The DHCP service is shutting down due to the following error: %1 52 1016 Search The DHCP service encountered the following error when backing up the database: %1 53 1018 Search The DHCP service failed to restore the database. The following error occurred: %1 54 1019 Search The DHCP service failed to restore the DHCP registry configuration. The following error occurred: %1 55 1020 Search Scope, %1, is %2 percent full with only %3 IP addresses remaining. Operational <13>Feb 16 17:28:16 10.116.28.200 MSWinLog 0 System 1099 Fri Feb 16 17:25:23 2007 20042 DhcpServer Unknown User DHCP service is ignoring a request from another DHCP service because it is on a different directory service enterprise (Directory Service Enterprise root = server1). 381 Operational <13>Feb 16 17:28:16 10.116.28.200 MSWinLog 0 System 1099 Fri Feb 16 17:25:23 2007 20050 DhcpServer Unknown User network has changed. Retry this operation after checking for the network changes. Network changes may be caused by interfaces that are new or no longer valid, or by IP addresses that are new or no longer valid. 381 Operational Error The log format for this event is supported by the LogLogic Operational Error <13>Feb 20 12:15:47 10.116.28.200 MSWinLog 0 System 1339 Tue Feb 20 10:01:30 2007 1016 DhcpServer Unknown User N/A Error LAB-2003-200 None 0000: 2d 4e 00 00 -N.. The DHCP service encountered the following error when backing up the database: An error occurred while accessing the DHCP database. 
Look at the DHCP server event log for more information on this error. 845 Operational Failure The log format for this event is supported by the LogLogic Operational Failure The log format for this event is supported by the LogLogic Operational The log format for this event is supported by the LogLogic 36 Microsoft DHCP Log Configuration Guide
ID  Agile Reports/Search  Title/Comments  Category  Type  Sample Log Message
(Table 1, continued. Each entry below gives the row ID, the Windows event ID and whether it is covered by Agile Reports or by Search, then the Category and Type, the event title, and the sample log message as forwarded by the LogLogic Windows agent. Where the guide supplies no sample, the cell reads "The log format for this event is supported by the LogLogic".)

56  Event 1023  Search  Category: Operational
    Title: The DHCP service will now terminate because the existing database needs conversion to Windows 2000 format. The conversion via the jetconv process, has initiated. Do not reboot or stop the jetconv process. The conversion may take up to 10 minutes depending on the size of the database. Terminate DHCP now by clicking OK. This is required for the database conversion to succeed. NOTE: The DHCP service will be restarted automatically when the conversion is completed. To check conversion status, look at the Application event log for the jetconv process.
    Sample: <13>Feb 13 12:30:52 10.116.28.102 MSWinLog 0 System 10264 Thu Feb 08 10:13:43 2007 1023 DhcpServer Unknown User N/A Information LOGLOGIC-SRV1 None 0000: 00 00 00 00... The DHCP service will now terminate because the existing database needs conversion to Windows 2000 format. The conversion via the jetconv process, has initiated. Do not reboot or stop the jetconv process. The conversion may take up to 10 minutes depending on the size of the database. Terminate DHCP now by clicking OK. This is required for the database conversion to succeed. NOTE: The DHCP service will be restarted automatically when the conversion is completed. To check conversion status, look at the Application event log for the jetconv process. 10264

57  Event 1027  Search  Category: Operational
    Title: The audit log file cannot be appended.
    Sample: <13>Feb 13 12:30:52 10.116.28.102 MSWinLog 0 System 10264 Thu Feb 08 10:13:43 2007 1027 DhcpServer Unknown User N/A Information LOGLOGIC-SRV1 None 0000: 00 00 00 00... The audit log file cannot be appended. 10264

58  Event 1030  Search  Category: Operational  Type: Error
    Title: The audit log file could not be backed up. The following error occurred: %1
    Sample: The log format for this event is supported by the LogLogic

59  Event 1040  Search  Category: Operational  Type: Success
    Title: The DHCP service successfully restored the database.
    Sample: <13>Feb 13 12:30:52 10.116.28.102 MSWinLog 0 System 10264 Thu Feb 08 10:13:43 2007 1040 DhcpServer Unknown User N/A Information LOGLOGIC-SRV1 None 0000: 00 00 00 00... The DHCP service successfully restored the database. 10264

60  Event 1041  Search  Category: Operational  Type: Error
    Title: The DHCP service is not servicing any clients because none of the active network interfaces have statically configured IP addresses, or there are no active interfaces.
    Sample: <13>Feb 13 12:30:52 10.116.28.102 MSWinLog 0 System 10284 Thu Feb 08 11:04:57 2007 1041 DhcpServer Unknown User N/A Error LOGLOGIC-SRV1 None 0000: 00 00 00 00... The DHCP service is not servicing any clients because none of the active network interfaces have statically configured IP addresses, or there are no active interfaces. 10284

61  Event 1042  Search  Category: Operational
    Title: The DHCP/BINL service running on this machine has detected a server on the network. If the server does not belong to any domain, the domain is listed as empty. The IP address of the server is listed in parentheses.%1
    Sample: <13>Feb 13 12:30:52 10.116.28.102 MSWinLog 0 System 10264 Thu Feb 08 10:13:43 2007 1040 DhcpServer Unknown User N/A Information LOGLOGIC-SRV1 None 0000: 00 00 00 00... The DHCP/BINL service running on this machine has detected a server on the network. If the server does not belong to any domain, the domain is listed as empty. The IP address of the server is listed in parentheses {10.116.28.94}. 10264

62  Event 1045  Search  Category: Operational  Type: Failure
    Title: The DHCP/BINL service on the local machine has determined that it is not authorized to start. It has stopped servicing clients. The following are some possible reasons for this: This machine belongs to a workgroup and has encountered another DHCP Server (belonging to a Windows Administrative Domain) servicing the same network. An unexpected network error occurred.
    Sample: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 1045 DhcpServer Unknown User DHCP/BINL service on the local machine has determined that it is not authorized to start. It has stopped servicing clients. The following are some possible reasons for this: This machine belongs to a workgroup and has encountered another DHCP Server (belonging to a Windows Administrative Domain) servicing the same network. An unexpected network error occurred. 381

63  Event 1046  Search  Category: Operational  Type: Failure
    Title: The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain %2, has determined that it is not authorized to start. It has stopped servicing clients. The following are some possible reasons for this: This machine is part of a directory service enterprise and is not authorized in the same domain. (See help on the DHCP Service Management Tool for additional information). This machine cannot reach its directory service enterprise and it has encountered another DHCP service on the network belonging to a directory service enterprise on which the local machine is not authorized. Some unexpected network error occurred.
    Sample: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 1046 DhcpServer Unknown User DHCP/BINL service on the local machine, belonging to the Windows Administrative domain loglog.com, has determined that it is not authorized to start. It has stopped servicing clients. The following are some possible reasons for this: This machine is part of a directory service enterprise and is not authorized in the same domain. (See help on the DHCP Service Management Tool for additional information). This machine cannot reach its directory service enterprise and it has encountered another DHCP service on the network belonging to a directory service enterprise on which the local machine is not authorized. Some unexpected network error occurred. 381

64  Event 1051  Search  Category: Operational  Type: Failure
    Title: The DHCP/BINL service has determined that it is not authorized to service clients on this network for the Windows domain: %2. All DHCP services that belong to a directory service enterprise must be authorized in the directory service to service clients. (See help on the DHCP Service Management Tool for authorizing a DHCP server in the directory service).
    Sample: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 1051 DhcpServer Unknown User DHCP/BINL service has determined that it is not authorized to service clients on this network for the Windows domain: DNSDHCP.com. All DHCP services that belong to a directory service enterprise must be authorized in the directory service to service clients. 381

65  Event 1052  Search  Category: Operational
    Title: The DHCP/BINL service on this workgroup server has encountered another server with IP Address, %1, belonging to the domain %2.
    Sample: <13>Feb 16 17:28:16 10.116.28.200 MSWinLog 0 System 1099 Fri Feb 16 17:25:23 2007 1052 DhcpServer Unknown User DHCP/BINL service on this workgroup server has encountered another server with IP Address, 10.114.19.29, belonging to the domain DNSDHCP.com. 381

66  Event 1053  Search  Category: Operational
    Title: The DHCP/BINL service on this computer running Windows Server 2003, 2008 for Small Business Server has encountered another server on this network with IP Address, %1, belonging to the domain: %2.
    Sample: <13>Feb 16 17:28:16 10.116.28.200 MSWinLog 0 System 1099 Fri Feb 16 17:25:23 2007 1053 DhcpServer Unknown User DHCP/BINL service on this computer running Windows Server 2003, 2008 for Small Business Server has encountered another server on this network with IP Address, 10.116.24.34, belonging to the domain: DNSDHCP.com. 381

67  Event 1054  Search  Category: Operational
    Title: The DHCP/BINL service on this computer is shutting down. See the previous event log messages for reasons.
    Sample: <13>Feb 16 17:28:16 10.116.28.200 MSWinLog 0 System 1099 Fri Feb 16 17:25:23 2007 1054 DhcpServer Unknown User DHCP/BINL service on this computer is shutting down. See the previous event log messages for reasons. 381

68  Event 1055  Search  Category: Operational  Type: Failure
    Title: The DHCP service was unable to impersonate the credentials necessary for DNS registrations: %1. The local system credentials are being used.
    Sample: The log format for this event is supported by the LogLogic

69  Event 1056  Search  Category: Operational  Type: Error
    Title: The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCP service. This is not a recommended security configuration. Credentials for Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the DHCP Administrative tool.
    Sample: <13>Feb 13 12:30:52 10.116.28.102 MSWinLog 0 System 10228 Thu Sep 07 12:07:15 2006 1056 DhcpServer Unknown User N/A Warning LOGLOGIC-SRV1 None 0000: 00 00 00 00... The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCP service. This is not a recommended security configuration. Credentials for Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the DHCP Administrative tool. 10228

70  Event 1066  Search  Category: Operational  Type: Failure
    Title: The DHCP/BINL service is not authorized in the directory service domain "%2" (Server IP Address %1)
    Sample: <13>Feb 16 17:28:16 10.116.28.200 MSWinLog 0 System 1099 Fri Feb 16 17:25:23 2007 1066 DhcpServer Unknown User DHCP/BINL service is not authorized in the directory service domain "DNSDHCP.com" (Server IP Address 10.116.28.27). 381

71  Event 1067  Search  Category: Operational  Type: Success
    Title: The DHCP/BINL service is authorized in the directory service domain "%2" (Server IP Address %1)
    Sample: <13>Feb 13 12:30:52 10.116.28.102 MSWinLog 0 System 10228 Thu Sep 07 12:07:15 2006 1067 DhcpServer Unknown User N/A Warning LOGLOGIC-SRV1 None 0000: 00 00 00 00... The DHCP/BINL service is authorized in the directory service domain "DNSDHCP.com" (Server IP Address 10.116.28.27). 10228

72  Event 1068  Search  Category: Operational  Type: Error
    Title: The DHCP/BINL service has not determined if it is authorized in directory domain "%2" (Server IP Address %1)
    Sample: <13>Feb 16 17:28:16 10.116.28.200 MSWinLog 0 System 1099 Fri Feb 16 17:25:23 2007 1068 DhcpServer Unknown User DHCP/BINL service has not determined if it is authorized in directory domain "DNSDHCP.com" (Server IP Address 10.116.28.27). 381

73  Event 1075  Search  Category: Operational
    Title: Scope Full%0
    Sample: <13>Feb 16 17:28:16 10.116.28.200 MSWinLog 0 System 1099 Fri Feb 16 17:25:23 2007 20011 DhcpServer Unknown User N/A Error LAB-2003-200 None 0000: 00 00 00 00... Scope Full. 381

74  Event 1076  Search  Category: Operational
    Title: Started%0
    Sample: The log format for this event is supported by the LogLogic

75  Event 1077  Search  Category: Operational
    Title: Stopped%0
    Sample: The log format for this event is supported by the LogLogic

76  Event 1080  Search  Category: Operational
    Title: BAD_ADDRESS%0
    Sample: The log format for this event is supported by the LogLogic
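The Sample Log Message column above shows the shape of a DhcpServer event once the LogLogic Windows agent has forwarded it over syslog: PRI, syslog timestamp, relay address, agent name (MSWinLog or MSWinEventLog), log name, sequence number, the event's own timestamp, the Windows event ID, the source, the user, an optional "N/A <level> <computer> None 0000: 00 00 00 00..." prefix, the message text and a trailing sequence number. The parser and triage logic below are an added example, not LogLogic's or Microsoft's code; the field layout is read off the samples in Table 1, the event-ID groupings (not authorized, another server seen, DNS credential problems, not serving) are this example's own choice, and the sample lines are constructed here, modelled on the guide's samples with placeholder hosts and addresses.

```python
import re
from typing import Dict, List, Optional

# One forwarded Windows System event, in the layout of Table 1's Sample Log Message
# column. Both agent spellings seen on the page are accepted. The MSWinLog variant
# usually carries an extra "N/A <level> <computer> None 0000: 00 00 00 00..." prefix
# before the message; the MSWinEventLog variant does not. Trailing sequence is optional.
_LINE = re.compile(
    r"^<(?P<pri>\d+)>(?P<systime>\w{3} \d\d \d\d:\d\d:\d\d) (?P<relay>\S+) "
    r"(?P<agent>MSWinLog|MSWinEventLog) (?P<crit>\d+) (?P<log>\S+) (?P<seq>\d+) "
    r"(?P<evtime>\w{3} \w{3} \d\d \d\d:\d\d:\d\d \d{4}) (?P<event_id>\d+) "
    r"(?P<source>\S+) Unknown User (?P<rest>.*?)(?: (?P<seq2>\d+))?$"
)
_MSWINLOG_PREFIX = re.compile(
    r"^N/A (?P<level>\S+) (?P<computer>\S+) None 0000: 00 00 00 00\.\.\. (?P<message>.*)$"
)
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Event IDs taken from Table 1, grouped by what an operator has to react to
# (the grouping is this example's, not the guide's).
NOT_AUTHORIZED = {1045, 1046, 1051, 1066}   # server refuses to serve: not authorized in AD
OTHER_SERVER = {1042, 1052, 1053}           # another DHCP server detected on the segment
DNS_CREDENTIALS = {1055, 1056}              # dynamic DNS registration credential problems
NOT_SERVING = {1041, 1054}                  # no usable interface / service shutting down


def parse_operational(line: str) -> Optional[Dict[str, object]]:
    """Split one forwarded event into fields; None for lines that do not match."""
    m = _LINE.match(line.strip())
    if m is None:
        return None
    rec: Dict[str, object] = {
        "relay": m.group("relay"),
        "agent": m.group("agent"),
        "event_id": int(m.group("event_id")),
        "source": m.group("source"),
        "level": None,
        "computer": None,
        "message": m.group("rest"),
    }
    p = _MSWINLOG_PREFIX.match(str(rec["message"]))
    if p is not None:
        rec["level"], rec["computer"], rec["message"] = p.group("level", "computer", "message")
    return rec


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Reduce a batch of forwarded DhcpServer events to the findings worth acting on."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_operational(line)
        if rec is None or rec["source"] != "DhcpServer":
            continue
        eid = rec["event_id"]
        server = rec["computer"] or rec["relay"]   # fall back to the relay when no computer name
        if eid in OTHER_SERVER:
            # 1042 lists the peer in braces, 1052/1053 after "IP Address,"; both are plain IPv4.
            findings.append({"kind": "other-dhcp-server", "event_id": eid,
                             "server": server, "peers": _IPV4.findall(str(rec["message"]))})
        elif eid in NOT_AUTHORIZED:
            findings.append({"kind": "not-authorized", "event_id": eid, "server": server})
        elif eid in DNS_CREDENTIALS:
            findings.append({"kind": "dns-credentials", "event_id": eid, "server": server})
        elif eid in NOT_SERVING:
            findings.append({"kind": "not-serving", "event_id": eid, "server": server})
    return findings


# Constructed sample lines, modelled on the guide's Sample Log Message column
# (host names and addresses are placeholders, not real infrastructure).
SAMPLE_LINES = [
    "<13>Feb 13 12:30:52 10.116.28.102 MSWinLog 0 System 10264 Thu Feb 08 10:13:43 2007 1042 "
    "DhcpServer Unknown User N/A Information LOGLOGIC-SRV1 None 0000: 00 00 00 00... "
    "The DHCP/BINL service running on this machine has detected a server on the network. "
    "If the server does not belong to any domain, the domain is listed as empty. "
    "The IP address of the server is listed in parentheses {10.116.28.94}. 10264",
    "<13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 1046 "
    "DhcpServer Unknown User DHCP/BINL service on the local machine, belonging to the Windows "
    "Administrative domain loglog.com, has determined that it is not authorized to start. "
    "It has stopped servicing clients. 381",
    "<13>Feb 16 17:28:16 10.116.28.200 MSWinLog 0 System 1099 Fri Feb 16 17:25:23 2007 1052 "
    "DhcpServer Unknown User DHCP/BINL service on this workgroup server has encountered another "
    "server with IP Address, 10.114.19.29, belonging to the domain DNSDHCP.com. 381",
    "<13>Feb 13 12:30:52 10.116.28.102 MSWinLog 0 System 10228 Thu Sep 07 12:07:15 2006 1056 "
    "DhcpServer Unknown User N/A Warning LOGLOGIC-SRV1 None 0000: 00 00 00 00... The DHCP "
    "service has detected that it is running on a DC and has no credentials configured for use "
    "with Dynamic DNS registrations initiated by the DHCP service. 10228",
    "<13>Feb 13 12:30:52 10.116.28.102 MSWinLog 0 System 10264 Thu Feb 08 10:13:43 2007 1040 "
    "DhcpServer Unknown User N/A Information LOGLOGIC-SRV1 None 0000: 00 00 00 00... "
    "The DHCP service successfully restored the database. 10264",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

Events 1042, 1052 and 1053 deserve a look even though the guide assigns them no Type: a peer DHCP server the directory does not know about is exactly what a rogue-DHCP attack looks like from the legitimate server's side, so the example pulls the peer address out of the message so it can be checked against the list of authorized servers. Event 1056 is a configuration finding rather than an incident, but it is one the guide itself flags as "not a recommended security configuration".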
Table 2 Microsoft DHCP Audit Events
ID  Agile/Search Reports  Title/Comments  Category  Type  Sample Log Message
(Each entry gives the row ID, the audit-log event ID and whether it is covered by Agile reports or by Search, the Category and Type, the event meaning, and a sample line from the audit log. Audit samples are comma-separated: ID, date, time, description, IP address, host name, MAC address.)

1   Event 00  Agile  Category: Audit
    Title: The log was started.
    Sample: 00,02/14/07,14:15:22,Started,,,
2   Event 01  Agile  Category: Audit
    Title: The log was stopped.
    Sample: 01,02/14/07,14:15:22,Stopped,,,
3   Event 02  Agile  Category: Audit  Type: Error
    Title: The log was temporarily paused due to low disk space.
    Sample: The log format for this event is supported by the LogLogic
4   Event 10  Agile  Category: Audit
    Title: A new IP address was leased to a client.
    Sample: 10,07/22/06,22:19:56,Assign,147.100.100.120,e2k7.,0013D30C227E,
5   Event 11  Agile  Category: Audit
    Title: A lease was renewed by a client.
    Sample: 11,02/16/07,15:14:48,Renew,10.116.28.111,loglogic-f155d4.loglog.com,00055D42107E,
6   Event 12  Agile  Category: Audit
    Title: A lease was released by a client.
    Sample: 12,07/22/06,22:20:19,Release,147.100.100.120,e2k7.,0013D30C227E
7   Event 13  Agile  Category: Audit
    Title: An IP address was found in use on the network.
    Sample: The log format for this event is supported by the LogLogic
8   Event 14  Agile  Category: Audit  Type: Error
    Title: A lease request could not be satisfied because the address pool of the scope was exhausted.
    Sample: The log format for this event is supported by the LogLogic
9   Event 15  Agile  Category: Audit  Type: Failure
    Title: A lease was denied.
    Sample: 15,02/20/07,11:02:44,NACK,10.116.28.101,wipro-log-222,5241532000055D42107E000001000000,
10  Event 16  Agile  Category: Audit
    Title: A lease was deleted.
    Sample: 16,02/20/07,11:08:12,Deleted,10.116.28.101,,,
11  Event 17  Agile  Category: Audit
    Title: A lease was expired and the DNS records for the expired lease were not deleted.
    Sample: 17,02/16/07,21:35:00,DNS record not deleted,10.116.28.111,,,
12  Event 18  Agile  Category: Audit
    Title: A lease was expired and its DNS records were deleted.
    Sample: 18,02/16/07,18:34:57,Expired,10.116.28.111,,,
13  Event 20  Agile  Category: Audit
    Title: A BOOTP address was leased to a client.
    Sample: The log format for this event is supported by the LogLogic
14  Event 21  Agile  Category: Audit
    Title: A dynamic BOOTP address was leased to a client.
    Sample: The log format for this event is supported by the LogLogic
15  Event 22  Agile  Category: Audit
    Title: A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted.
    Sample: The log format for this event is supported by the LogLogic
16  Event 23  Agile  Category: Audit
    Title: A BOOTP IP address was deleted after checking to see it was not in use.
    Sample: The log format for this event is supported by the LogLogic
17  Event 24  Search  Category: Audit
    Title: IP address cleanup operation has begun.
    Sample: 24,07/22/06,00:00:34,Database Cleanup Begin,,,,
18  Event 25  Search  Category: Audit
    Title: IP address cleanup statistics.
    Sample: 25,07/22/06,00:00:34,0 leases expired and 0 leases deleted,,,,
19  Event 30  Search  Category: Audit
    Title: DNS dynamic update request
    Sample: 30,07/22/06,22:20:19,DNS Update Request,120.100.100.147,e2k7.,,
20  Event 31  Search  Category: Audit  Type: Failure
    Title: DNS dynamic update failed
    Sample: 31,07/22/06,22:19:56,DNS Update Failed,147.100.100.120,e2k7.,-1,
21  Event 32  Search  Category: Audit
    Title: DNS dynamic update successful
    Sample: 32,01/26/07,00:00:33,DNS Update Successful,10.37.36.180,uk58010.uk.deloitte.com,,
22  Event 50  Search  Category: Audit  Type: Error
    Title: Unreachable domain. The DHCP server could not locate the applicable domain for its configured Active Directory installation.
    Sample: 50,02/16/07,17:25:23,Unreachable Domain,,loglog.com,8250,
23  Event 51  Search  Category: Audit  Type: Success
    Title: Authorization succeeded. The DHCP server was authorized to start on the network.
    Sample: 51,02/14/07,13:44:55,Authorization succeeded,,computer.net,
24  Event 52  Search  Category: Audit
    Title: Upgraded to a Windows Server 2003, 2008 operating system. The DHCP server was recently upgraded to a Windows Server 2003, 2008 operating system, and, therefore, the unauthorized DHCP server detection feature (used to determine whether the server has been authorized in Active Directory) was disabled.
    Sample: The log format for this event is supported by the LogLogic
25  Event 53  Search  Category: Audit
    Title: Cached authorization. The DHCP server was authorized to start using previously cached information. Active Directory was not visible at the time the server was started on the network.
    Sample: The log format for this event is supported by the LogLogic
26  Event 54  Search  Category: Audit  Type: Failure
    Title: Authorization failed. The DHCP server was not authorized to start on the network. When this event occurs, it is likely followed by the server being stopped.
    Sample: 54,01/27/07,00:03:43,Authorization failed,,computer.net,
27  Event 55  Search  Category: Audit  Type: Success
    Title: Authorization (servicing). The DHCP server was successfully authorized to start on the network.
    Sample: 55,02/02/07,16:36:59,Authorized(servicing),,WORKGROUP,
28  Event 56  Search  Category: Audit  Type: Failure
    Title: Authorization failure, stopped servicing. The DHCP server was not authorized to start on the network and was shut down by the operating system. You must first authorize the server in the directory before starting it again.
    Sample: 56,02/16/07,14:32:23,Authorization failure, stopped servicing,,,,
29  Event 57  Search  Category: Audit
    Title: Server found in domain. Another DHCP server exists and is authorized for service in the same domain.
    Sample: The log format for this event is supported by the LogLogic
30  Event 58  Search  Category: Audit  Type: Error
    Title: Server could not find domain. The DHCP server could not locate the specified domain.
    Sample: The log format for this event is supported by the LogLogic
31  Event 59  Search  Category: Audit  Type: Error
    Title: Network failure. A network-related failure prevented the server from determining if it is authorized.
    Sample: The log format for this event is supported by the LogLogic
32  Event 60  Search  Category: Audit
    Title: No DC is DS Enabled. No Windows Server 2003, 2008 domain controller (DC) was located. For detecting whether the server is authorized, a DC that is enabled for Active Directory is needed.
    Sample: 60,04/19/99,12:43:21,No DC is DS Enabled,,MYDOMAIN,
33  Event 61  Search  Category: Audit
    Title: Server found that belongs to DS domain. Another DHCP server was found on the network that belongs to the Active Directory domain.
    Sample: 61,02/14/07,10:47:16,Server found that belongs to DS domain,10.116.28.102,loglogic.com,
34  Event 62  Search  Category: Audit
    Title: Another server found. Another DHCP server was found on the network.
    Sample: The log format for this event is supported by the LogLogic
35  Event 63  Search  Category: Audit
    Title: Restarting rogue detection. The DHCP server is trying once more to determine whether it is authorized to start and provide service on the network.
    Sample: 63,02/02/07,18:39:47,Restarting rogue detection,,,
36  Event 64  Search  Category: Audit  Type: Error
    Title: No DHCP enabled interfaces. The DHCP server has its service bindings or network connections configured so that it is not enabled to provide service. This usually means one of the following: 1. The network connections of the server are either not installed or not actively connected to a network. 2. The server has not been configured with at least one static IP address for one of its installed and active network connections. 3. All of the statically configured network connections for the server are disabled.
    Sample: 64,02/14/07,10:01:08,No static IP address bound to DHCP server,,,
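The audit samples in Table 2 are plain comma-separated lines (ID, date, time, description, IP address, host name, MAC address), which makes them easy to parse, with two traps worth handling: the explanatory header Windows writes at the top of every audit file is not CSV, and the event 56 description ("Authorization failure, stopped servicing") contains an unquoted comma that shifts every later column one place to the right. The parser, the Type mapping and the alert rules below are an added example, not LogLogic's or Microsoft's code; the Failure/Error/Success sets are copied from the Type column of Table 2, the alert thresholds are this example's own choice, and the audit-log text is constructed here with placeholder hosts and addresses in the format of the guide's samples.

```python
import csv
import io
from collections import Counter
from typing import Any, Dict, List

# Column order in DhcpSrvLog-*.log, as seen in Table 2's samples. Newer servers append
# further columns; only the first seven are used here.
FIELDS = ("id", "date", "time", "description", "ip", "host", "mac")

# Type column of Table 2, keyed by audit event ID.
FAILURE = {15, 31, 54, 56}
ERROR = {2, 14, 50, 58, 59, 64}
SUCCESS = {51, 55}


def parse_audit(text: str) -> List[Dict[str, Any]]:
    """Parse audit-log text into records. Header lines (tab-separated "ID  Meaning"
    rows and the column legend) are skipped because their first cell is not a number."""
    records: List[Dict[str, Any]] = []
    for row in csv.reader(io.StringIO(text)):
        if not row or not row[0].strip().isdigit():
            continue
        # Event 56 is written with an unquoted comma in its description, which pushes
        # the IP/host/MAC columns right by one; re-join the two pieces before mapping.
        if row[0].strip() == "56" and len(row) > 4 and row[3].strip() == "Authorization failure":
            row[3:5] = [row[3].strip() + ", " + row[4].strip()]
        cells = [c.strip() for c in row] + [""] * max(0, len(FIELDS) - len(row))
        rec: Dict[str, Any] = dict(zip(FIELDS, cells))
        eid = int(rec["id"])
        rec["event_id"] = eid
        rec["type"] = ("Failure" if eid in FAILURE else "Error" if eid in ERROR
                       else "Success" if eid in SUCCESS else "")
        records.append(rec)
    return records


def summarize(records: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Counters a SIEM rule would key on, each derived from one event ID in Table 2."""
    ids = [r["event_id"] for r in records]
    return {
        "leases_assigned": ids.count(10),
        "nacks_by_client": Counter(r["mac"] or r["ip"] for r in records if r["event_id"] == 15),
        "pool_exhausted": ids.count(14) + ids.count(22),
        "dns_update_failed": ids.count(31),
        "auth_failures": [r for r in records if r["event_id"] in (54, 56)],
        "other_servers": sorted({r["ip"] for r in records if r["event_id"] in (61, 62) and r["ip"]}),
        "by_type": Counter(r["type"] for r in records if r["type"]),
    }


def alerts(records: List[Dict[str, Any]], nack_threshold: int = 2) -> List[str]:
    """Conditions worth a ticket; the NACK threshold is an arbitrary example value."""
    s = summarize(records)
    out: List[str] = []
    for r in s["auth_failures"]:
        out.append(f"event {r['event_id']}: server not authorized in {r['host'] or 'domain'}; service will stop")
    for ip in s["other_servers"]:
        out.append(f"event 61/62: another DHCP server seen at {ip}; verify it is sanctioned")
    if s["pool_exhausted"]:
        out.append(f"event 14/22: {s['pool_exhausted']} request(s) failed on an exhausted scope")
    for client, n in s["nacks_by_client"].items():
        if n >= nack_threshold:
            out.append(f"event 15: {n} NACKs for client {client}")
    if s["dns_update_failed"]:
        out.append(f"event 31: {s['dns_update_failed']} dynamic DNS update(s) failed")
    return out


# Constructed audit-log text in the format of Table 2's samples (placeholder names).
SAMPLE_LOG = """\t\tMicrosoft DHCP Service Activity Log

Event ID  Meaning
00\tThe log was started.
01\tThe log was stopped.

ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,02/14/07,14:15:22,Started,,,
10,02/14/07,14:16:01,Assign,10.116.28.120,ws-a.example.test,0013D30C227E,
11,02/14/07,14:16:40,Renew,10.116.28.111,ws-b.example.test,00055D42107E,
15,02/14/07,14:17:02,NACK,10.116.28.101,ws-c,5241532000055D42107E000001000000,
15,02/14/07,14:17:09,NACK,10.116.28.101,ws-c,5241532000055D42107E000001000000,
14,02/14/07,14:18:30,Lease request could not be satisfied,,,
31,02/14/07,14:19:56,DNS Update Failed,10.116.28.120,ws-a.example.test,-1,
61,02/14/07,14:20:16,Server found that belongs to DS domain,10.116.28.102,example.test,
54,02/14/07,14:21:20,Authorization failed,,example.test,
56,02/14/07,14:21:43,Authorization failure, stopped servicing,,,,
01,02/14/07,14:30:00,Stopped,,,
"""

if __name__ == "__main__":
    for line in alerts(parse_audit(SAMPLE_LOG)):
        print(line)
```

Two of these rules matter beyond availability: a run of event 14 on a scope that is normally far from full is the server-side symptom of lease starvation, and an event 61 or 62 naming an address that is not one of the organization's authorized servers is the audit-log view of the same rogue-server condition that Table 1's events 1042, 1052 and 1053 report in the System log.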