Microsoft DHCP Server

The Microsoft DHCP Server DSM for IBM QRadar accepts DHCP events by using the Microsoft DHCP Server protocol or WinCollect.

About this task

Before you can integrate your Microsoft DHCP Server with QRadar, you must enable audit logging.

To configure the Microsoft DHCP Server:

Procedure

  1. Log in to the DHCP Server Administration Tool.
  2. From the DHCP Administration Tool, right-click on the DHCP server and select Properties.

    The Properties window is displayed.

  3. Click the General tab.

    The General pane is displayed.

  4. Click Enable DHCP Audit Logging.

    The audit log file is created at midnight and must contain a three-character day of the week abbreviation.

    Table 1. Microsoft DHCP log file examples

    Log Type

    Example

    IPv4

    DhcpSrvLog-Mon.log

    IPv6

    DhcpV6SrvLog-Wed.log

    By default Microsoft DHCP is configured to write audit logs to the %WINDIR%\system32\dhcp\ directory.

  5. Restart the DHCP service.
  6. You can now configure the log source and protocol in QRadar.
    1. To configure QRadar to receive events from a Microsoft DHCP Server, you must select the Microsoft DHCP Server option from the Log Source Type list.
    2. To configure the protocol, you must select the Microsoft DHCP option from the Protocol Configuration list.
      Note: To integrate Microsoft DHCP Server versions 2000/2003 with QRadar by using WinCollect, see the IBM QRadar WinCollect User Guide.