Use this reference information to configure the WinCollect plug-in for Microsoft DHCP.
Restriction: The WinCollect agent must be in the same time zone as the remote DHCP server that it is configured to poll.
Table 1. Microsoft DHCP protocol parameters

| Parameter | Description |
| --- | --- |
| Log Source Type | Microsoft DHCP |
| Protocol Configuration | WinCollect Microsoft DHCP |
| Local System | The WinCollect agent must be installed on the Microsoft DHCP Server. The log source uses local system credentials to collect and forward events to QRadar®. |

For more information about DHCP log source configuration, see the IBM®
QRadar DSM Configuration Guide.

Table 2. Default root log directory paths for Microsoft DHCP events.

The DHCP event logs that are monitored by WinCollect are defined by the directory path that you specify in your WinCollect DHCP log source.

| Collection type | Root log directory |
| --- | --- |
| Local | c:\WINDOWS\system32\dhcp |
| Remote | \\DHCP IP address\c$\Windows\System32\dhcp |

Table 3. Example log format for Microsoft DHCP events.

WinCollect evaluates the root log directory folder to automatically collect new DHCP events that are written to the event log. DHCP event logs start with DHCP, contain a three-character day of the week abbreviation, and end with a .log file extension. Any DHCP log files that are in the root log directory and match either an IPv4 or IPv6 DHCP log format are monitored for new events by the WinCollect agent.

| Log type | Example of log file format |
| --- | --- |
| IPv4 | DhcpSrvLog-Mon.log |
| IPv6 | DhcpV6SrvLog-Wed.log |
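
The following coverage check is an added example, not IBM or WinCollect code. It classifies the file names in a root log directory by the naming rule described above and, going one step beyond the page, reports weekdays for which no log file exists. The pattern is an assumption inferred from the two example names in Table 3, the function names are hypothetical, and the sample listing is constructed.

```python
import re
from pathlib import Path

# Assumption: pattern inferred from the two example names on this page
# (DhcpSrvLog-Mon.log, DhcpV6SrvLog-Wed.log); WinCollect's internal
# matcher is not documented here. Matching is case-insensitive because
# Windows file names are.
DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")
LOG_NAME = re.compile(
    r"^Dhcp(?P<v6>V6)?SrvLog-(?P<day>" + "|".join(DAYS) + r")\.log$",
    re.IGNORECASE,
)

def classify(name):
    """Return ("IPv4"|"IPv6", day) for a DHCP audit log name, else None."""
    m = LOG_NAME.match(name)
    if not m:
        return None
    return ("IPv6" if m.group("v6") else "IPv4", m.group("day").title())

def coverage(names):
    """Group names by log type and list files that would not be monitored."""
    report = {"IPv4": set(), "IPv6": set(), "ignored": []}
    for name in names:
        hit = classify(name)
        if hit:
            report[hit[0]].add(hit[1])
        else:
            report["ignored"].append(name)
    return report

def missing_days(report, log_type):
    """Weekdays with no file present for the given log type."""
    return [d for d in DAYS if d not in report[log_type]]

def scan(root_dir):
    """Run the coverage check against a real root log directory."""
    return coverage(p.name for p in Path(root_dir).iterdir() if p.is_file())

# Constructed sample listing of a DHCP root log directory (not real output).
SAMPLE = ["DhcpSrvLog-Mon.log", "DhcpSrvLog-Tue.log", "DhcpV6SrvLog-Wed.log",
          "dhcpsrvlog-wed.log", "DhcpSrvLog-Mon.log.bak", "dhcp.mdb", "j50.log"]

if __name__ == "__main__":
    r = coverage(SAMPLE)
    for t in ("IPv4", "IPv6"):
        print(t, "present:", sorted(r[t]), "missing:", missing_days(r, t))
    print("not monitored:", r["ignored"])
```

To check a live server, pass the local or remote root log directory from Table 2 to `scan()`. A weekday that stays missing after a full week of operation means no file for that day exists for the agent to monitor.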