Recipe 14.12. Enabling DHCP Audit Logging

Problem

You want to enable DHCP Server audit logging, either to monitor the requests the server is receiving or to keep an audit trail in case a problem arises later.

Enabling logging on a busy DHCP Server can negatively impact performance. Monitor the server closely after initially turning on logging.


Solution

Using a graphical user interface

  1. Open the DHCP snap-in.

  2. In the left pane, right-click on DHCP and select Add Server.

  3. Type in the name of the DHCP Server you want to target and click OK.

  4. Right-click the server node and select Properties.

  5. On the General tab, check the box beside Enable DHCP audit logging.

  6. Click OK.

Using a command-line interface

Surprisingly, netsh doesn't allow you to enable DHCP audit logging. You can only modify the audit log file path (see Recipe 14.13). However, this setting is controlled via the registry. The following command enables auditing by setting the ActivityLogFlag value:

> reg add HKLM\System\CurrentControlSet\Services\DhcpServer\Parameters /v ActivityLogFlag /t REG_DWORD /d 1

To disable auditing, use the same command except use /d 0 in place of /d 1. If the value already exists, reg add prompts before overwriting it; append /f to the command to suppress the prompt in a script. Unlike the GUI, which changes the setting through the DHCP server API, a registry edit is only picked up when the service starts, so restart the DHCP Server service (net stop dhcpserver followed by net start dhcpserver) for the change to take effect.

Discussion

After you enable auditing on a DHCP Server, every DHCP request, database maintenance event, and a range of errors are logged to a file. By default, a separate file is generated for each day of the week and stored in %SystemRoot%\system32\dhcp. See Recipe 14.13 for more on how to store audit logs in a different directory. The files are named DhcpSrvLog-xxx.log, where xxx is the day of the week (e.g., DhcpSrvLog-Mon.log). When the same day of the week comes around again, the previous week's file is overwritten, so copy the files elsewhere if you need to retain more than seven days of history.

The events logged to the audit log (a plain text file) have the following format:

ID,Date,Time,Description,IP Address,Host Name,MAC Address

Table 14-1 lists each of these fields with its description. The ID is a number that represents a certain event. When a new log is started (or overwritten), the list of event codes and their descriptions is written at the top of the file for easy reference. For client-specific audit entries (e.g., a DHCP request), all fields are populated. For database or DHCP authorization events, some of the fields are blank.

Table 14-1. DHCP audit log fields

Field         Description
ID            The event ID code. The common codes and their descriptions are written at the top of each log file.
Date          Date the event was logged.
Time          Time the event was logged.
Description   Description of the event.
IP Address    IP address of the DHCP client.
Host Name     Host name of the DHCP client.
MAC Address   MAC address of the DHCP client.

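The following PowerShell script is an added example and is not part of the original recipe. It reads a DhcpSrvLog-xxx.log file in the format described above, skips the free-form legend at the top by locating the ID,Date,Time header line, and then summarizes the events, flags the codes that usually deserve attention (address conflicts, exhausted scopes, denied leases), and pulls the lease history for a single MAC address for audit-trail use. The sample log text embedded in the script is constructed for the example; the event-code legend is limited to the standard client-lease codes printed at the top of a real log, and unknown codes fall back to that legend.

```powershell
# Added example (not from the Windows Server Cookbook): parse and summarize a
# DHCP Server audit log. The sample log below is constructed for this example.

# Standard DHCP audit-log event codes (the subset for client leases). Every real
# log repeats the full list in its header, which is the authoritative source.
$EventMeaning = @{
    '00' = 'The log was started'
    '01' = 'The log was stopped'
    '10' = 'A new IP address was leased to a client'
    '11' = 'A lease was renewed by a client'
    '12' = 'A lease was released by a client'
    '13' = 'An IP address was found to be in use on the network'
    '14' = 'A lease request could not be satisfied because the scope address pool was exhausted'
    '15' = 'A lease was denied'
    '16' = 'A lease was deleted'
    '17' = 'A lease was expired'
}

# Codes worth alerting on: conflicts (13), pool exhaustion (14), denied leases (15).
$AlertCodes = '13', '14', '15'

function Import-DhcpAuditLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    # The file opens with a free-form legend; the CSV records start at the
    # 'ID,Date,Time,...' header. Parsing from that header (rather than a fixed
    # column list) also copes with newer Windows versions that add columns.
    $headerIndex = -1
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -like 'ID,Date,Time,*') { $headerIndex = $i; break }
    }
    if ($headerIndex -lt 0) { throw 'No ID,Date,Time header found; not a DHCP audit log.' }
    $Lines[$headerIndex..($Lines.Count - 1)] |
        Where-Object { $_.Trim() -ne '' } |
        ConvertFrom-Csv
}

function Get-DhcpAuditSummary {
    param([Parameter(Mandatory)][object[]]$Events)
    # Event count per ID, joined with the legend so the report reads without lookups.
    $Events | Group-Object ID | Sort-Object Name | ForEach-Object {
        $meaning = if ($EventMeaning.ContainsKey($_.Name)) { $EventMeaning[$_.Name] }
                   else { '(see legend at top of log file)' }
        [pscustomobject]@{ ID = $_.Name; Count = $_.Count; Meaning = $meaning }
    }
}

function Get-DhcpAuditAlerts {
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Where-Object { $AlertCodes -contains $_.ID } |
        Select-Object ID, Date, Time, Description, 'IP Address', 'Host Name', 'MAC Address'
}

function Get-DhcpClientHistory {
    param([Parameter(Mandatory)][object[]]$Events,
          [Parameter(Mandatory)][string]$MacAddress)
    # Audit-trail use: every event recorded for one client MAC, in log order.
    $Events | Where-Object { $_.'MAC Address' -eq $MacAddress }
}

# Constructed sample log (legend shortened; records in the 2003-era 7-field format).
$SampleLog = @'
        Microsoft DHCP Service Activity Log

Event ID  Meaning
00        The log was started.
01        The log was stopped.
10        A new IP address was leased to a client.
13        An IP address was found to be in use on the network.

ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,01/16/06,08:00:01,Started,,,
10,01/16/06,08:15:20,Assign,10.0.1.50,ws01.example.com,000C29A1B2C3
11,01/16/06,12:15:20,Renew,10.0.1.50,ws01.example.com,000C29A1B2C3
13,01/16/06,12:20:05,Conflict,10.0.1.51,,
15,01/16/06,12:21:40,Denied,10.0.1.77,rogue01,0050560A0B0C
24,01/16/06,13:00:00,Database Cleanup Begin,,,
'@ -split "`r?`n"

$events = Import-DhcpAuditLog -Lines $SampleLog
Get-DhcpAuditSummary  -Events $events | Format-Table -AutoSize
Get-DhcpAuditAlerts   -Events $events | Format-Table -AutoSize
Get-DhcpClientHistory -Events $events -MacAddress '000C29A1B2C3' | Format-Table -AutoSize

# Against the live log instead of the sample (default path; see Recipe 14.13):
# $events = Import-DhcpAuditLog -Lines (Get-Content "$env:SystemRoot\system32\dhcp\DhcpSrvLog-Mon.log")
```

Because the files are rotated weekly, run this (or copy the files) at least once a week if you rely on the log as an audit trail; on the sample data the alert query returns the conflict on 10.0.1.51 and the denied lease for MAC 0050560A0B0C, and the summary marks code 24 as "see legend" because it is not in the script's short table.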

The DHCP Server monitors how the log files grow and the available disk space to determine if it should stop logging prematurely to prevent it from consuming too much space. There are two conditions that cause auditing to stop:

  • When disk space runs below 20 MB on the filesystem the log files are on.

  • When a single log file reaches the preset maximum size (the default is 1 MB).

Fortunately, you can modify these default values by editing the registry. There are three registry values that control DHCP Server disk monitoring located under HKLM\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters:


DhcpLogDiskSpaceCheckInterval

This specifies the number of audit entries recorded between disk verification checks. The default is 50, which means 50 events have to be recorded before the disk verification check occurs.


DhcpLogFilesMaxSize

The maximum size in megabytes for all seven log files. By default, this is 7, which means each log file can only grow to be 1 MB before the DHCP Server stops logging for that day.


DhcpLogMinSpaceOnDisk

The minimum size in megabytes that must exist on the filesystem for logging to continue. The default is 20, which means the DHCP Server will stop logging altogether if disk space goes below 20 MB on the filesystem.

You may need to create these values (as REG_DWORD) if they don't already exist.
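The following PowerShell script is an added example, not code from the original recipe, and covers both the command-line section above (enabling logging through ActivityLogFlag) and the three disk-monitoring values just described. It creates or overwrites the values as REG_DWORD, restarts the DHCP Server service so the new settings are read, reports what is in effect, and then checks the free space on the volume holding the log files against DhcpLogMinSpaceOnDisk so you find out now, not later, that logging would stop. The numeric values are assumed examples to be adjusted for your server; the DhcpLogFilePath value it reads for the log directory is the one Recipe 14.13 sets, and the script falls back to the default path if it is absent.

```powershell
# Added example (not from the Windows Server Cookbook): enable DHCP audit logging
# and tune the disk-monitoring values, then confirm logging can actually continue.
# Run in an elevated PowerShell on the DHCP server. Values below are assumptions.
$Parameters = 'HKLM:\SYSTEM\CurrentControlSet\Services\DhcpServer\Parameters'

# DhcpLogFilesMaxSize is the budget for all seven daily files, so each file may
# grow to DhcpLogFilesMaxSize / 7 MB before logging stops for that day.
$Settings = @{
    ActivityLogFlag               = 1    # 1 = enable audit logging, 0 = disable
    DhcpLogFilesMaxSize           = 70   # 70 MB total -> 10 MB per daily file
    DhcpLogMinSpaceOnDisk         = 200  # stop logging if free space drops below 200 MB
    DhcpLogDiskSpaceCheckInterval = 50   # audit entries written between free-space checks
}

foreach ($name in $Settings.Keys) {
    # New-ItemProperty creates a missing value; -Force overwrites an existing one,
    # which is the equivalent of 'reg add ... /f'.
    New-ItemProperty -Path $Parameters -Name $name -Value $Settings[$name] `
        -PropertyType DWord -Force | Out-Null
}

# The service reads these parameters at start-up. Note that this briefly
# interrupts DHCP service; schedule it accordingly on a busy server.
Restart-Service -Name DhcpServer

'Effective settings:'
Get-ItemProperty -Path $Parameters -Name ([string[]]$Settings.Keys) |
    Format-List ([string[]]$Settings.Keys)
'Per-file limit: {0} MB' -f ($Settings.DhcpLogFilesMaxSize / 7)

# Free-space check: if the log volume is already under DhcpLogMinSpaceOnDisk,
# the server will stop auditing silently. DhcpLogFilePath is the value Recipe
# 14.13 sets; if it is missing the default directory applies.
$logPath = (Get-ItemProperty -Path $Parameters -Name DhcpLogFilePath `
            -ErrorAction SilentlyContinue).DhcpLogFilePath
if (-not $logPath) { $logPath = "$env:SystemRoot\system32\dhcp" }

$driveLetter = ([System.IO.Path]::GetPathRoot($logPath)).TrimEnd(':\')
$freeMB = [math]::Round((Get-PSDrive -Name $driveLetter).Free / 1MB)
if ($freeMB -lt $Settings.DhcpLogMinSpaceOnDisk) {
    Write-Warning ("Only {0} MB free on {1}: below DhcpLogMinSpaceOnDisk, auditing will stop." -f $freeMB, $logPath)
} else {
    'Log volume has {0} MB free (minimum {1} MB); auditing will continue.' -f $freeMB, $Settings.DhcpLogMinSpaceOnDisk
}
```

On Windows Server 2012 and later the DhcpServer module's Set-DhcpServerAuditLog cmdlet (parameters -Enable, -Path, -MaxMBFileSize, -MinMBDiskSpace and -DiskCheckInterval) exposes the same settings through the DHCP server API; this script targets the registry route the recipe describes, which also works on the Windows Server 2003 and 2000 systems the book covers.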


See Also

Recipe 14.13, MS KB 328891 (Changes in Windows Server 2003 DHCP Logging), and MS KB 843215 (The daily DHCP audit log file is deleted after you restart the DHCP service in Windows Server 2003)



Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
Year: 2006
Pages: 380
Author: Robbie Allen