Monitoring DHCP Logfiles

Monitoring Windows 2003 DHCP Server Logfiles via syslog

Created 2007-10-10 by Florian Riedl

Information for the usage of this guide. This guide will give you the hints to create a configuration to monitor Windows 2003 DHCP server logs as well as forward all log data to a syslog server. To make things easier, the guide is split up into several mini-guides, which will each cover one big step of the configuration. These mini-guides only describe the general procedure. You may have to adjust settings like IPs or pathnames to your personal needs.

Please note: In order to forward the DHCP logs you need MonitorWare Agent.
Further you need to setup your DHCP server to log into text files. Please review the manual for further instructions.

Step 1

The first step we are going to take is to create a RuleSet with the corresponding action. In this case we want to forward our logs via syslog. Therefore we need a “Forward via syslog”-Action. Instructions on how to create a ruleset and setup the action can be found here:

How to Setup a Forward via Syslog Action

Please Note: You have to edit the IP address of the syslog server. By default it is set to 127.0.0.1. If you do not change this, your syslog server will not receive any data.

Step 2

The next important step is to setup the FileMonitor. We need it to monitor the text file logs created by your DHCP server.

How to Setup the FileMonitor Service

Please Note: This is a general guide, you may have to alter the path- and filename. The default path and filename is “C:\WINDOWS\System32\dhcp\DhcpSrvLog-Fri.log”. The last 3 letters of the filename represent the day on which the log was created. You can use wildcards for the filename.

Step 3

The last and final step is to click on the Save button if necessary and then start MonitorWare Agent. You are now done. Finally you should receive all the log entries of your DHCP Firewall on your syslog server.

If you want, you can download the sample configuration file. Extract the .reg file to the machine where MonitorWare Agent is installed and execute it before opening MonitorWare Agent.