Recipe 14.12. Enabling DHCP Audit Logging

Problem

You want to enable DHCP Server audit logging, either to monitor the requests the server receives or to keep the logs as an audit trail in case a problem arises later.
Solution

Using a graphical user interface
Using a command-line interface

Surprisingly, netsh doesn't allow you to enable DHCP audit logging. You can only modify the audit log file path (see Recipe 14.13). However, this setting is controlled via the registry. The following command enables auditing by setting the ActivityLogFlag value:

> reg add HKLM\System\CurrentControlSet\Services\DhcpServer\Parameters /v ActivityLogFlag /t REG_DWORD /d 1

To disable auditing, use the same command except use /d 0 in place of /d 1.

Discussion

After you enable auditing on a DHCP Server, all DHCP requests, database maintenance events, and various errors will be logged to a file. By default, a separate file is generated for each day of the week and stored in %SystemRoot%\system32\dhcp. See Recipe 14.13 for more on how to store audit logs in a different directory. The files are named DhcpSrvLog-xxx.log, where xxx is the day of the week (e.g., DhcpSrvLog-Mon.log). After the first week, the previous week's file is overwritten.

The events logged to the audit log (a plain text file) have the following format:

ID,Date,Time,Description,IP Address,Host Name,MAC Address

Table 14-1 contains each of these fields and their corresponding description. The ID is a number that represents a certain event. When a new log is started (or overwritten), the list of event codes and their descriptions is written at the top for easy reference. For client-specific audit entries (e.g., a DHCP request), all fields will be populated. For database or DHCP authorization events, some of the fields will be blank.
The DHCP Server monitors how the log files grow and the available disk space to determine if it should stop logging prematurely to prevent it from consuming too much space. There are two conditions that cause auditing to stop:
Fortunately, you can modify these default values by editing the registry. There are three registry values that control DHCP Server disk monitoring located under HKLM\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters:
See Also

Recipe 14.13, MS KB 328891 (Changes in Windows Server 2003 DHCP Logging), and MS KB 843215 (The daily DHCP audit log file is deleted after you restart the DHCP service in Windows Server 2003)