Microsoft DHCP Server
The Microsoft DHCP Server DSM for IBM® QRadar® accepts DHCP events by using the Microsoft DHCP Server protocol or WinCollect.
About this task
Before you can integrate your Microsoft DHCP Server with QRadar, you must enable audit logging.
To configure the Microsoft DHCP Server:
- Log in to the DHCP Server Administration Tool.
- From the DHCP Administration Tool, right-click on the DHCP server and select
  The Properties window is displayed.
- Click the General tab.
  The General pane is displayed.
- Click Enable DHCP Audit Logging.
  The audit log file is created at midnight, and its file name must contain a three-character day of the week abbreviation.
Table 1. Microsoft DHCP log file examples
By default, Microsoft DHCP is configured to write audit logs to the %WINDIR%\system32\dhcp\ directory.
- Restart the DHCP service.
You can now configure the log source and protocol in QRadar.
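The server-side prerequisites above (audit logging enabled, a log file named for the current day in the audit directory) can be checked from PowerShell before the log source is created. This is an added example, not IBM or Microsoft code; it assumes the DhcpServer module (Windows Server 2012 or later), an elevated session on the DHCP server, and the standard Windows audit file names `DhcpSrvLog-<day>.log` and `DhcpV6SrvLog-<day>.log`, which are not listed on this page. `Test-DhcpAuditLogReadiness` is a hypothetical helper name.

```powershell
# Added example: read-only check of the DHCP audit log settings QRadar depends on.
# Assumes the DhcpServer module and an elevated session on the DHCP server.
Import-Module DhcpServer

function Test-DhcpAuditLogReadiness {
    # Current audit log configuration (Enable flag and log directory).
    $audit = Get-DhcpServerAuditLog

    # Three-character day abbreviation, e.g. "Mon" (English abbreviations assumed).
    $day = (Get-Date).ToString('ddd', [cultureinfo]::InvariantCulture)

    # Assumed standard Windows file names for the IPv4 and IPv6 audit logs.
    $expected = "DhcpSrvLog-$day.log", "DhcpV6SrvLog-$day.log"

    foreach ($name in $expected) {
        $file = Join-Path $audit.Path $name
        $item = Get-Item -LiteralPath $file -ErrorAction SilentlyContinue

        [pscustomobject]@{
            AuditEnabled = $audit.Enable
            LogFile      = $file
            Exists       = [bool]$item
            LastWrite    = if ($item) { $item.LastWriteTime } else { $null }
            # A file last written before today's midnight is left over from
            # an earlier week, so no events are being logged today.
            Stale        = [bool]($item -and $item.LastWriteTime -lt (Get-Date).Date)
        }
    }
}

Test-DhcpAuditLogReadiness | Format-Table -AutoSize
```

If `AuditEnabled` is `False`, or today's file is missing or stale, QRadar has no current events to collect from that directory.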
- To configure QRadar to receive events from a Microsoft DHCP Server, you must select the Microsoft DHCP Server option from the Log Source Type list.
To configure the protocol, you must select the Microsoft DHCP option from the Protocol Configuration list.
Note: To integrate Microsoft DHCP Server versions 2000/2003 with QRadar by using WinCollect, see the IBM QRadar WinCollect User Guide.