Microsoft DHCP protocol configuration options

To receive events from Microsoft DHCP servers, configure a log source to use the Microsoft DHCP protocol.

The Microsoft DHCP protocol is an active outbound protocol.

To read log files from a folder path that contains an administrative share (C$), the account that the log source uses requires NetBIOS privileges on that administrative share. Local or domain administrators have sufficient privileges to access log files on administrative shares.

Fields for the Microsoft DHCP protocol that support file paths allow administrators to define a drive letter with the path information. For example, the field can contain the c$/LogFiles/ directory for an administrative share, or the LogFiles/ directory for a public share folder path, but cannot contain the c:/LogFiles directory.

Restriction: The Microsoft authentication protocol NTLMv2 is not supported by the Microsoft DHCP protocol.
The following table describes the protocol-specific parameters for the Microsoft DHCP protocol:
Table 1. Microsoft DHCP protocol parameters
Parameter Description
Protocol Configuration Microsoft DHCP
Log Source Identifier Type a unique hostname or other identifier unique to the log source.
Server Address The IP address or host name of your Microsoft DHCP server.
Domain Type the domain for your Microsoft DHCP server.

This parameter is optional if your server is not in a domain.

Username Type the user name that is required to access the DHCP server.
Password Type the password that is required to access the DHCP server.
Confirm Password Type the password that is required to access the server.
Folder Path The directory path to the DHCP log files. The default is /WINDOWS/system32/dhcp/
File Pattern The regular expression (regex) that identifies event logs. The log files must contain a three-character abbreviation for a day of the week. Use one of the following file patterns:

English:
  • IPv4 file pattern: DhcpSrvLog-(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)\.log
  • IPv6 file pattern: DhcpV6SrvLog-(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)\.log
  • Mixed IPv4 and IPv6 file pattern: Dhcp.*SrvLog-(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)\.log

Polish:
  • IPv4 file pattern: DhcpSrvLog-(?:Pią|Pon|Sob|Wto|Śro|Czw|Nie)\.log
  • IPv6 file pattern: DhcpV6SrvLog-(?:Pt|Pon|So|Wt|Śr|Czw|Nie)\.log
Recursive Select this option if you want the file pattern to search the sub folders.
SMB Version Select the version of SMB that you want to use.

  • AUTO: Auto-detects the highest version that the client and server agree to use.
  • SMB1: Forces the use of SMB1. SMB1 uses the jCIFS.jar (Java™ ARchive) file.
    Important: SMB1 is no longer supported. All administrators must update existing configurations to use SMB2 or SMB3.
  • SMB2: Forces the use of SMB2. SMB2 uses the jNQ.jar file.
  • SMB3: Forces the use of SMB3. SMB3 uses the jNQ.jar file.
Note: Before you create a log source with a specific SMB version (for example: SMBv1, SMBv2, or SMBv3), ensure that the specified SMB version is supported by the Windows OS that is running on your server. You also need to verify that the SMB version is enabled on the specified Windows Server.

For more information about which Windows version supports which SMB versions, go to the Microsoft TechNet website (https://blogs.technet.microsoft.com/josebda/2012/06/06/windows-server-2012-which-version-of-the-smb-protocol-smb-1-0-smb-2-0-smb-2-1-or-smb-3-0-are-you-using-on-your-file-server/).

For more information about how to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server, go to the Microsoft support website (https://support.microsoft.com/en-us/help/2696547/detect-enable-disable-smbv1-smbv2-smbv3-in-windows-and-windows-server).

Polling Interval (in seconds) The number of seconds between queries to the log files to check for new data. The minimum polling interval is 10 seconds. The maximum polling interval is 3,600 seconds.
Throttle events/sec The maximum number of events the DHCP protocol can forward per second. The minimum value is 100 EPS. The maximum value is 20,000 EPS.
File Encoding The character encoding that is used by the events in your log file.
File Exclusion List A list of regular expressions that prevent certain file directories from opening. The list includes one regular expression per line.

When a file or directory matches one of the regular expressions, that file or directory does not open. When a file is in use, other applications might not be able to use it. Use this parameter to prevent locking those files or to prevent the protocol from accessing specific files.

The pattern does not apply to the full Folder Path. It applies only to the final directory that is listed in the path. The pattern applies against all files or directories that are found within the Folder Path's directory.

The following list is the default value for this parameter:

  • /j50.*\.log
  • dhcp\.mdb
  • dhcp\.tmp
  • j50\.chk

Enabled When this option is not enabled, the log source does not collect events and the log source is not counted in the license limit.
Credibility Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.
Target Event Collector Specifies the QRadar Event Collector that polls the remote log source.

Use this parameter in a distributed deployment to improve Console system performance by moving the polling task to an Event Collector.

Coalescing Events Increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.

When this check box is clear, events are viewed individually and events are not bundled.

New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. You can use this check box to override the default behavior of the system settings for an individual log source.
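The Folder Path, File Pattern and File Exclusion List parameters above determine which files the protocol opens on the DHCP server's share. The following Python example is added here and is not part of the IBM documentation or the QRadar product; it applies those rules to a constructed directory listing so that the effect of the day-of-week patterns and of the default exclusion entries can be seen before a log source is created. It assumes that the File Pattern must match the whole file name, that each exclusion regex is searched unanchored against the entry's path relative to the Folder Path written with a leading slash (which is what gives the default /j50.*\.log entry something to match), and that a drive-letter path is one that starts with a letter and a colon; the page does not state the product's exact matching rules.

```python
import re

# Constructed directory listing of a DHCP log folder (sample data, not from the page).
SAMPLE_LISTING = [
    "DhcpSrvLog-Mon.log", "DhcpSrvLog-Tue.log", "DhcpV6SrvLog-Mon.log",
    "DhcpSrvLog-Pon.log", "dhcp.mdb", "dhcp.tmp", "j50.chk", "j5000012.log",
    "notes.txt",
]

# File patterns and the default File Exclusion List, as given in the table above.
PATTERN_IPV4 = r"DhcpSrvLog-(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)\.log"
PATTERN_MIXED = r"Dhcp.*SrvLog-(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)\.log"
PATTERN_PL_IPV4 = r"DhcpSrvLog-(?:Pią|Pon|Sob|Wto|Śro|Czw|Nie)\.log"
DEFAULT_EXCLUSIONS = [r"/j50.*\.log", r"dhcp\.mdb", r"dhcp\.tmp", r"j50\.chk"]


def folder_path_is_valid(folder_path):
    """Reject the drive-letter form (c:/LogFiles) and accept the share forms
    (c$/LogFiles/ or LogFiles/). Assumption: a drive-letter path is one that
    starts with a single letter followed by a colon."""
    return re.match(r"[A-Za-z]:", folder_path) is None


def select_log_files(listing, file_pattern, exclusions=DEFAULT_EXCLUSIONS):
    """Return the entries the collector would open, in listing order.

    Assumptions (the page does not spell out the matching rules):
      * the File Pattern must match the whole entry name;
      * each exclusion regex is searched, unanchored, against "/" + name,
        the entry's path relative to the Folder Path.
    """
    name_re = re.compile(file_pattern)
    exclusion_res = [re.compile(pattern) for pattern in exclusions]
    selected = []
    for name in listing:
        if name_re.fullmatch(name) is None:
            continue  # not a log file this log source is configured for
        relative = "/" + name
        if any(x.search(relative) for x in exclusion_res):
            continue  # database, temp or checkpoint file: leave it unlocked
        selected.append(name)
    return selected


if __name__ == "__main__":
    for label, pattern in [("IPv4", PATTERN_IPV4), ("mixed", PATTERN_MIXED),
                           ("Polish IPv4", PATTERN_PL_IPV4), ("all", r".*")]:
        print(f"{label:12} -> {select_log_files(SAMPLE_LISTING, pattern)}")
```

With the broad pattern `.*`, the default exclusion list is what keeps the collector away from the Jet database, temp and checkpoint files that the DHCP service holds open.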