Microsoft DHCP log source configuration options

Use this reference information to configure the WinCollect plug-in for Microsoft DHCP.

Restriction: The WinCollect agent must be in the same time zone as the remote DHCP server that it is configured to poll.

Table 1. Microsoft DHCP protocol parameters

Parameter               Description
Log Source Type         Microsoft DHCP
Protocol Configuration  WinCollect Microsoft DHCP
Local System            The WinCollect agent must be installed on the Microsoft DHCP Server. The log source uses local system credentials to collect and forward events to QRadar®.

For more information about DHCP log source configuration, see the IBM® QRadar DSM Configuration Guide.

Table 2. Default root log directory paths for Microsoft DHCP events.

The DHCP event logs that are monitored by WinCollect are defined by the directory path that you specify in your WinCollect DHCP log source.

Collection type  Root log directory
Local            c:\WINDOWS\system32\dhcp
Remote           \\DHCP IP address\c$\Windows\System32\dhcp

Table 3. Example log format for Microsoft DHCP events.

WinCollect evaluates the root log directory folder to automatically collect new DHCP events that are written to the event log. DHCP event logs start with DHCP, contain a three-character day of the week abbreviation, and end with a .log file extension. Any DHCP log files that are in the root log directory and match either an IPv4 or IPv6 DHCP log format are monitored for new events by the WinCollect agent.

Log type  Example of log file format
IPv4      DhcpSrvLog-Mon.log
IPv6      DhcpV6SrvLog-Wed.log
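
The following is an added example, not part of the IBM documentation and not WinCollect's own matching logic. It applies the naming rule above to a directory listing to show which files fit the IPv4 or IPv6 format, and builds the default root paths from Table 2. The function names, the case-insensitive match, the Mon to Sun abbreviations, and the IPv4-only server address are assumptions.

```python
import ipaddress
import re

# Default root log directories from Table 2.
LOCAL_ROOT = r"c:\WINDOWS\system32\dhcp"
REMOTE_ROOT_TEMPLATE = r"\\{ip}\c$\Windows\System32\dhcp"

# Assumptions: names are compared case-insensitively (as on Windows) and the
# three-character day abbreviations are Mon..Sun.
LOG_NAME = re.compile(
    r"Dhcp(?P<v6>V6)?SrvLog-(Mon|Tue|Wed|Thu|Fri|Sat|Sun)\.log", re.IGNORECASE)


def root_log_dir(collection_type, dhcp_ip=None):
    """Return the default root log directory for 'local' or 'remote' collection."""
    if collection_type == "local":
        return LOCAL_ROOT
    if collection_type == "remote":
        # Validate the address before it goes into a UNC path, so stray
        # backslashes or path segments raise ValueError instead.
        return REMOTE_ROOT_TEMPLATE.format(ip=str(ipaddress.IPv4Address(dhcp_ip)))
    raise ValueError(f"unknown collection type: {collection_type!r}")


def classify(filename):
    """Return 'IPv4', 'IPv6', or None if the name fits neither log format."""
    m = LOG_NAME.fullmatch(filename)
    if m is None:
        return None
    return "IPv6" if m.group("v6") else "IPv4"


def audit(filenames):
    """Split a directory listing into names that fit a DHCP log format and the rest."""
    monitored, ignored = {}, []
    for name in filenames:
        kind = classify(name)
        if kind:
            monitored[name] = kind
        else:
            ignored.append(name)
    return monitored, ignored


# Constructed directory listing for illustration.
SAMPLE_LISTING = ["DhcpSrvLog-Mon.log", "DhcpV6SrvLog-Wed.log",
                  "DhcpSrvLog-Mon.log.bak", "DhcpSrvLog-Monday.log", "dhcp.mdb"]

if __name__ == "__main__":
    print(root_log_dir("remote", "192.0.2.10"), audit(SAMPLE_LISTING))
```

If `audit` reports an expected log under `ignored`, check the file name and the root log directory path in the log source before troubleshooting the agent itself.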