DHCP (Dynamic Host Configuration Protocol) is a network management protocol
that dynamically assigns IP addresses to each client machine on your network.
However, its importance does not stop there. DHCP can even generate numerous
critical events that indicate your network’s security has been compromised.
You might then wonder how you can use these events to safeguard your
organization from intrusion. These event logs store valuable
information that contains the ID and IP address associated with each
client. This means that closely monitoring and correlating these logs can reveal
when unknown devices have joined your network, making detection and
response practically immediate when dealing with masquerading attackers.
Not to mention, it significantly minimizes the impact of an attack.
These logs are therefore extremely important. Now that we have
established the importance of DHCP logs, let's also consider
the challenges they pose to most log collection tools. First of all, Windows
provides three main sources of DHCP logs: Audit log files, Windows Event Log,
and Event Tracing for Windows (ETW). Secondly, because different log sources
usually store data in different formats and use different schemas, the log
collection tool should be able to natively collect from these sources and
normalize the data to a single format and schema that your SIEM can understand.
Finally, we need to ensure that any sensitive data is encrypted when it is
forwarded to your SIEM. Fortunately, NXLog is more than capable of
meeting all of these challenges.
Now we will take a detailed look at the three main DHCP log sources.
- Audit log files
Once enabled, DHCP Server events can be written to
DHCP audit log files.
These logs are stored in Comma Separated Values (CSV) format. NXLog can
easily read and write CSV files using its
Each event logged in the file provides a wealth of network information, such as
the MAC address, hostname, and IP address (both IPv4 and IPv6, if available) of
the DHCP client.
- Event Logging
Formerly known as Windows Event Log (which now refers to its API),
is a Windows service that allows applications and operating system
processes to record events in a standard, centralized collection called an
module speaks the XML query language native to Windows Event Log which means you
can query any specific channel (or channels) and write multiple queries for
complex filtering and aggregation of events from multiple channels. In the
following im_msvistalog configuration, DHCP server logs are collected from its
three event channels.
- Event Tracing for Windows (ETW)
Event Tracing for Windows (ETW) is a mechanism in Windows designed for efficient
logging of both kernel and user-mode applications. These events are logged in
the Admin channel of your DHCP server. They contain information
such as the current and previous states of your server, as well as the server
hostname and IP address. And yes, just as you may have guessed, NXLog
module that can natively read these events directly from the
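The audit log files described above are the source most often parsed by hand, so here is an added example (not NXLog's code, and not from the original post) that normalizes the CSV rows of a DHCP audit log into one flat schema and then correlates lease events against a device inventory to surface unknown clients. The log text, the inventory (`KNOWN_MACS`) and the hostnames are constructed sample data; the block assumes the standard audit-log column order, using only the first seven columns (ID, Date, Time, Description, IP Address, Host Name, MAC Address).

```python
import csv
import io

# Constructed sample of a DHCP audit log file (DhcpSrvLog-*.log style).
# Real files start with a descriptive header; only rows whose first field
# is a numeric event ID are event records.
SAMPLE_AUDIT_LOG = """\
\tMicrosoft DHCP Service Activity Log

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,TransactionID,QResult,Probationtime,CorrelationID,Dhcid,VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),RelayAgentInformation,DnsRegError.
10,05/12/22,08:15:02,Assign,192.168.1.50,laptop01.corp.local,AABBCCDDEEFF,,2891234567,0,,,,,,,,,0
11,05/12/22,08:16:10,Renew,192.168.1.51,printer.corp.local,001122334455,,2891234568,0,,,,,,,,,0
10,05/12/22,08:20:45,Assign,192.168.1.99,guest-device,0A1B2C3D4E5F,,2891234569,0,,,,,,,,,0
24,05/12/22,09:00:00,Database Cleanup Begin,,,,,0,0,,,,,,,,,0
"""

# Constructed asset inventory; MACs may be written with any separator style.
KNOWN_MACS = {"AA:BB:CC:DD:EE:FF", "00-11-22-33-44-55"}

# Audit-log event IDs that represent a client obtaining or keeping an address:
# 10 = a new IP address was leased, 11 = an existing lease was renewed.
LEASE_EVENT_IDS = {10, 11}


def normalize_mac(mac):
    """Strip separators and upper-case so inventory and log MACs compare equal."""
    return "".join(c for c in mac if c.isalnum()).upper()


def parse_audit_log(text):
    """Turn audit-log CSV rows into dicts with one schema; header/blank lines skipped."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 7 or not row[0].strip().isdigit():
            continue  # descriptive header, column header or blank line
        records.append({
            "event_id": int(row[0]),
            "timestamp": f"{row[1]} {row[2]}",
            "description": row[3],
            "ip": row[4],
            "hostname": row[5],
            "mac": normalize_mac(row[6]),
        })
    return records


def find_unknown_devices(records, known_macs):
    """Return lease events whose client MAC is not in the device inventory."""
    inventory = {normalize_mac(m) for m in known_macs}
    return [r for r in records
            if r["event_id"] in LEASE_EVENT_IDS and r["mac"] and r["mac"] not in inventory]
```

Feeding the same records to a SIEM after this normalization is what lets a single correlation rule work regardless of which of the three Windows sources produced the event.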
With this wide variety of approaches that NXLog provides for collecting
DHCP server events, you can rest assured that any logs you will need can be
collected easily and efficiently. You will also have the benefit of being able to
collect other security-related events for Windows servers like DNS Server once
you have deployed NXLog in your enterprise.