Use this reference information to configure the WinCollect plug-in for Microsoft DHCP.
Restriction: The WinCollect agent must be in the same time zone as the remote DHCP server that it is configured to poll.
Table 1. Microsoft DHCP
| Log Source Type | WinCollect Microsoft DHCP |
The WinCollect agent must be installed on the Microsoft DHCP Server.
The log source uses local system credentials to collect and forward events to QRadar®.
For more information about DHCP log source configuration, see the IBM® QRadar DSM Configuration Guide.
Table 2. Default root log directory paths for Microsoft
The DHCP event logs that are monitored by WinCollect are defined by the directory path that you specify in your WinCollect DHCP log source.
| Root log directory | \\DHCP IP address\c$\Windows\System32\dhcp |
Table 3. Example log format for Microsoft DHCP
WinCollect evaluates the root log directory folder to automatically collect new DHCP events that are written to the event log. DHCP event logs start with DHCP, contain a three-character day of the week abbreviation, and end with a .log file extension. Any DHCP log files that are in the root log directory and match either an IPv4 or IPv6 DHCP log format are monitored for new events by the WinCollect agent.
||Example of log file format
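The naming rule described above can be checked against a directory listing before the log source is enabled. The following is an added example, not IBM or WinCollect code: it assumes the stock Windows DHCP Server audit-log names (`DhcpSrvLog-<Day>.log` for IPv4, `DhcpV6SrvLog-<Day>.log` for IPv6) and case-insensitive matching, and the function names and sample listing are constructed for illustration.

```python
import re
import sys
from pathlib import Path

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")

# Assumption: file names follow the stock Windows DHCP Server audit-log
# naming, DhcpSrvLog-<Day>.log (IPv4) and DhcpV6SrvLog-<Day>.log (IPv6).
NAME_RE = re.compile(r"^Dhcp(V6)?SrvLog-([A-Za-z]{3})\.log$", re.IGNORECASE)


def classify(filename):
    """Return (protocol, day) for a DHCP audit log name, else None."""
    match = NAME_RE.match(filename)
    if not match:
        return None
    day = match.group(2).title()
    if day not in DAYS:
        return None
    return ("IPv6" if match.group(1) else "IPv4", day)


def audit_directory(filenames):
    """Group a directory listing into monitored files, gaps and ignored files."""
    report = {"IPv4": {}, "IPv6": {}, "ignored": []}
    for name in sorted(filenames):
        result = classify(name)
        if result is None:
            report["ignored"].append(name)
        else:
            protocol, day = result
            report[protocol][day] = name
    # Days with no file: the server has not logged on that weekday yet,
    # audit logging is off, or a file was removed.
    report["missing"] = {
        proto: [d for d in DAYS if d not in report[proto]]
        for proto in ("IPv4", "IPv6")
    }
    return report


# Constructed sample listing; pass a real directory as argv[1] instead.
SAMPLE = ["DhcpSrvLog-Mon.log", "DhcpSrvLog-Tue.log", "DhcpV6SrvLog-Mon.log",
          "dhcpsrvlog-wed.LOG", "DhcpSrvLog-Mon.log.bak", "DhcpSrvLog-Xyz.log",
          "dhcp.mdb", "j50.log"]

if __name__ == "__main__":
    names = [p.name for p in Path(sys.argv[1]).iterdir()] if len(sys.argv) > 1 else SAMPLE
    for key, value in audit_directory(names).items():
        print(key, value)
```

Files reported under `ignored` end in or contain `.log` without matching the day-of-week pattern, so they would not be expected to produce events; weekdays listed under `missing` are worth confirming against the DHCP server's audit logging settings.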