Log Types: WinDHCP
Overview
Windows Servers provide a DHCP server, which generates log data that the Snare Central server can consume.
Collection
The Epilog agent for Windows, part of the Snare for Windows binary distribution, can be configured to capture and forward Windows DHCP logs.
Sample Events
DHCP server logs are generally CSV-style logs, with the following fields:
Date
Time
Description
IP Address
Host name
MAC address
35,21/02/19,01:02:03,DNS update request failed,192.1.2.3,myhostname1,000000000000,
10,21/02/19,01:02:03,Assign,192.1.2.4,myhostname2,000000000000,,17739,0,,,
10,21/02/19,01:02:03,Assign,192.1.2.5,myhostname3, 000000000000,,3096562285,0,,,,0x2D33567480352E30,MSFT 5.0,,,,0
Fields
Field | Description |
---|---|
DATE | Event date, in the format YYYY-MM-DD |
TIME | Event time, in the format HH:MM:SS |
SYSTEM | The source system |
TABLE | WinDHCP |
EVENTID | Event ID - generally numeric event codes. |
DESCRIPTION | Â |
IPADDRESS | IP Address allocated |
HOSTNAME | Hostname allocated or requested |
MACADDRESS | MAC address supplied |
Notes
Event ID Code | Description |
00 | The log was started |
01 | The log was stopped |
02 | The log was temporarily paused due to low disk space |
10 | A new IP address was leased to a client |
11 | A lease was renewed by a client |
12 | A lease was released by a client |
13 | An IP address was found to be in use on the network |
14 | A lease request could not be satisfied because the scope's address pool was exhausted |
15 | A lease was denied |
16 | A lease was deleted |
17 | A lease was expired and DNS records for an expired leases have not been deleted |
18 | A lease was expired and DNS records were deleted |
20 | A BOOTP address was leased to a client |
21 | A dynamic BOOTP address was leased to a client |
22 | A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted |
23 | A BOOTP IP address was deleted after checking to see it was not in use |
24 | IP address cleanup operation has begun |
25 | IP address cleanup statistics |
30 | DNS update request to the named DNS server |
31 | DNS update failed |
32 | DNS update successful |
33 | Packet dropped due to NAP policy |
34 | DNS update request failed as the DNS update request queue limit exceeded |
35 | DNS update request failed |
36 | Packet dropped because the server is in failover standby role or the hash of the client ID does not match |
50 | The DHCP server could not locate the applicable domain for its configured Active Directory installation |
51 | The DHCP server was authorized to start on the network |
52 | The DHCP server was recently upgraded to a Windows Server 2003 operating system, and, therefore, the unauthorized DHCP server detection feature (used to determine whether the server has been authorized in Active Directory) was disabled |
53 | The DHCP server was authorized to start using previously cached information. Active Directory was not currently visible at the time the server was started on the network |
54 | The DHCP server was not authorized to start on the network. When this event occurs, it is likely followed by the server being stopped |
55 | The DHCP server was successfully authorized to start on the network |
56 | The DHCP server was not authorized to start on the network and was shut down by the operating system. You must first authorize the server in the directory before starting it again |
57 | Another DHCP server exists and is authorized for service in the same domain |
58 | The DHCP server could not locate the specified domain |
59 | A network-related failure prevented the server from determining if it is authorized |
60 | No Windows Server 2003 domain controller (DC) was located. For detecting whether the server is authorized, a DC that is enabled for Active Directory is needed |
61 | Another DHCP server was found on the network that belongs to the Active Directory domain |
62 | Another DHCP server was found on the network |
63 | The DHCP server is trying once more to determine whether it is authorized to start and provide service on the network |
64 | The DHCP server has its service bindings or network connections configured so that it is not enabled to provide service |