DHCP server log collection made simple
DHCP (Dynamic Host Configuration Protocol) is a network management protocol that dynamically assigns IP addresses to each client machine on your network. However, its importance does not stop there. DHCP can even generate numerous critical events that indicate your network’s security has been compromised.
You might then wonder how you can use these events to safeguard your organization from intrusion. Well, these event logs store valuable information that contain the ID and IP address associated with each client. This means that closely monitoring and correlating these logs can reveal when unknown devices have joined your network. This helps to make detection and response time practically immediate in combating any masquerading attackers. Not to mention, it significantly minimizes the impact of an attack.
It is therefore true, that these logs are extremely important. However, now that we have established the importance of DHCP logs, let’s also consider the challenges they pose to most log collection tools. First of all, Windows provides three main sources of DHCP logs: Audit log files, Windows Event Log, and Event Tracing for Windows (ETW). Secondly, because different logs sources usually store data in different formats and use different schemas, the log collection tool should be able to natively collect from these sources and normalize the data to a single format and schema that your SIEM can understand. Finally, we need to ensure that any sensitive data is encrypted when it is forwarded to your SIEM. Fortunately, NXLog is more than capable of meeting all of these challenges.
Now we will take a detailed look at the three main DHCP log sources.
- Audit log files
Once enabled, DHCP Server events can be written to DHCP audit log files. These logs are stored in Comma Separated Values (CSV) format. NXLog can easily read and write CSV files using its xm_csv module. Each event logged in the file provides a wealth of network information, such as the MAC address, hostname, and IP address (both IPv4 and IPv6, if available) of the DHCP client.
- Event Logging
Formerly known as Windows Event Log (which now refers to its API), Event Logging is a Windows service that allows applications and operating sytem processes to record events in a standard, centralized collection called an event log. NXLog’s versatile im_msvistalog module speaks the XML query language native to Windows Event Log which means you can query any specific channel (or channels) and write multiple queries for complex filtering and aggregation of events from multiple channels. In the following im_msvistalog configuration, DHCP server logs are collected from its three event channels.
<Input dhcp_server_events> Module im_msvistalog <QueryXML> <QueryList> <Query Id="0"> <Select Path="DhcpAdminEvents">*</Select> <Select Path="Microsoft-Windows-Dhcp-Server/FilterNotifications"> *</Select> <Select Path="Microsoft-Windows-Dhcp-Server/Operational">*</Select> </Query> </QueryList> </QueryXML> </Input>
Event Tracing for Windows (ETW) is a mechanism in Windows designed for efficient logging of both kernel and user-mode applications. These events are logged in the Admin channel of your DHCP server. They contain information such as the current and previous states of your server, as well as the server hostname and IP address. And yes, just as you may have guessed, NXLog has an im_etw module that can natively read these events directly from the Microsoft-Windows-DHCP-Server provider.
With this wide variety of approaches that NXLog provides for collecting DHCP server events, you can rest assured that any logs you will need can be collect easily and efficiently. You will also have the benefit of being able to collect other security-related events for Windows servers like DNS Server once you have deployed NXLog in your enterpise.
GET STARTED TODAY