All about DHCP Auditing

In this post, I discuss DHCP audit logging and how to tune it to your specific situation. DHCP audit logging can be customized using the following parameters:

1) The directory path in which the DHCP service stores audit log files.

2) A maximum size restriction (in MB) for the total amount of disk space available for all the audit log files created and stored by the DHCP service.

3) An interval for disk checking that is used to determine how many times the DHCP server writes audit log events to the log file before checking for available disk space on the server.

4) A minimum size requirement (in MB) for server disk space that is used during disk checking to determine if sufficient space exists for the server to continue audit logging.

In Win2K3, only parameter 1 (i.e. the DHCP audit file path) can be configured through netsh and the MMC (using the command netsh dhcp server set auditlog). The other parameters cannot be configured through either the MMC or netsh. To set them, we need to set some registry values:

1) To set the maximum file size: You need to set the following value.

Key Name: HKLM\SYSTEM\CurrentControlSet\Services\DhcpServer\Parameters\DhcpLogFilesMaxSize

Key Type: REG_DWORD

Value range: 0x0–0xFFFFFFFF MB

Description:

Specifies the maximum combined size of one week's worth of Dynamic Host Configuration Protocol (DHCP) audit logs. If the audit logs exceed the size specified by this value, DHCP stops writing to the audit log until sufficient space becomes available.


https://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/46691.mspx?mfr=true


2) To set the disk check interval: You need to set the following value.

Key Name: HKLM\SYSTEM\CurrentControlSet\Services\DhcpServer\Parameters\DhcpLogDiskSpaceCheckInterval

Key Type: REG_DWORD

Value range: 0x0–0xFFFFFFFF number of audit log entries

Description:

Determines how often Dynamic Host Configuration Protocol (DHCP) verifies that disk space and file size are adequate for its audit log. The value of this entry represents the number of audit log records entered between each verification check.

https://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/46691.mspx?mfr=true

3) To set the minimum disk space: You need to set the following value.

Key Name: HKLM\SYSTEM\CurrentControlSet\Services\DhcpServer\Parameters\DhcpLogMinSpaceOnDisk

Key Type: REG_DWORD

Value range: 0x0–0xFFFFFFFF MB

Description:

Specifies the minimum amount of free disk space required for audit logging. The Dynamic Host Configuration Protocol (DHCP) service periodically verifies that it has sufficient disk space to proceed with audit logging (the interval is specified in the value of the DhcpLogDiskSpaceCheckInterval entry). This entry specifies the minimum value that DHCP requires. If the amount of free disk space is less than the value of this entry, the DHCP service does not write to the audit log. Logging is suspended until sufficient disk space is available.

https://technet2.microsoft.com/WindowsServer/en/library/f7802dce-3ff9-406a-b3e6-c0c6b3ed49411033.mspx?mfr=true

 In Longhorn Server, all the above functionality is exposed in the command netsh dhcp server set auditlog.
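The three registry values above, set and read back from PowerShell on a Win2K3 DHCP server. This is an added example and not part of the original post; the sizes, the interval and the audit log path are constructed for illustration, and the service restart at the end assumes the DHCP Server service reads these values at startup.

```powershell
# Added example (not from the original post). Configures the DHCP audit log
# limits that the Win2K3 MMC and netsh do not expose, then reads them back.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\DhcpServer\Parameters'

# Constructed values for illustration: 70 MB for all audit logs combined,
# a disk check every 50 log entries, and at least 20 MB free to keep logging.
$settings = @{
    DhcpLogFilesMaxSize           = 70   # MB, combined size of the week's logs
    DhcpLogDiskSpaceCheckInterval = 50   # audit log entries between disk checks
    DhcpLogMinSpaceOnDisk         = 20   # MB of free space required to continue
}

foreach ($name in $settings.Keys) {
    # All three values are REG_DWORD, as described in the post.
    Set-ItemProperty -Path $params -Name $name -Value $settings[$name] -Type DWord
}

# The audit log directory is the one parameter netsh does expose on Win2K3.
# The path is an assumed example; pick a volume with room for the logs.
netsh dhcp server set auditlog "D:\DhcpAudit"

# Read back what the service will use.
Get-ItemProperty -Path $params |
    Select-Object DhcpLogFilesMaxSize, DhcpLogDiskSpaceCheckInterval, DhcpLogMinSpaceOnDisk
netsh dhcp server show auditlog

# Assumption: the service reads these parameters when it starts, so restart
# it for the new limits to take effect (this briefly interrupts DHCP service).
Restart-Service -Name DHCPServer
```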

One more specific piece of information I want to include in this post is the delete policy of the DHCP server with respect to old audit log files. The DHCP server writes its audit log for a given day into a file corresponding to that day. For example, if the current day is Wednesday, it logs that day's events into the Wednesday file, so there is an audit log file for every day of the week. At 12:00 A.M. local time on the server computer, the DHCP server closes the existing log and moves to the log file for the next day of the week. For example, if the day of the week changes at 12:00 A.M. from Wednesday to Thursday, the log file named DhcpSrvLog-Wed.log is closed and the file named DhcpSrvLog-Thu.log is opened and used for logging events.

When the DHCP server starts or whenever a new day of the week occurs (when local time on the computer is 12:00 A.M.), the server writes a header message in the audit log file, indicating that logging started. Depending on whether the audit log file is a new or existing file, the following actions occur next:
• If the audit log file has existed without modification for more than 24 hours, it is overwritten.
• If the file has existed but was modified within the previous 24 hours, the file is not overwritten. New logging activity is appended to the existing file.

So if you want to make sure that your audit log files are appended to and not overwritten, they must have been changed in the last 24 hours. Let's say today is Tuesday, and you want tomorrow's auditing to be appended to last week's activity (and not overwritten); then you must edit the file DhcpSrvLog-Wed.log.
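A check for that 24-hour rule, written as an added example (not code from the original post): it reports, for each of the seven weekly files, whether the server will append to it or overwrite it at the next 12:00 A.M. rollover into that file, and then refreshes tomorrow's file so it is kept. It assumes the default audit log directory and that the server judges "modified within the previous 24 hours" by the file's last-write timestamp.

```powershell
# Added example (not from the original post). Predicts the fate of each weekly
# DHCP audit log at its next rollover, using the 24-hour rule described above.
$logDir = 'C:\WINDOWS\system32\dhcp'   # assumed default; confirm with: netsh dhcp server show auditlog
$days   = 'Sun','Mon','Tue','Wed','Thu','Fri','Sat'
$now    = Get-Date

for ($i = 0; $i -lt 7; $i++) {
    $name = "DhcpSrvLog-$($days[$i]).log"
    $path = Join-Path $logDir $name
    if (-not (Test-Path $path)) { "{0,-20} not present yet" -f $name; continue }

    # Next 12:00 A.M. at which the server switches to this file
    # (a full week away if this is today's file, which is still being written).
    $ahead = ($i - [int]$now.DayOfWeek + 7) % 7
    if ($ahead -eq 0) { $ahead = 7 }
    $rollover = $now.Date.AddDays($ahead)

    # Assumption: the server compares the file's last-write time against the
    # rollover time; more than 24 hours old means it gets overwritten.
    $modified      = (Get-Item $path).LastWriteTime
    $ageAtRollover = $rollover - $modified
    $fate = if ($ageAtRollover.TotalHours -gt 24) { 'OVERWRITTEN' } else { 'appended to' }
    "{0,-20} modified {1:yyyy-MM-dd HH:mm}; at rollover {2:ddd yyyy-MM-dd} it will be {3}" -f `
        $name, $modified, $rollover, $fate
}

# The post's Tuesday/Wednesday case: to have tomorrow's log appended rather than
# overwritten, change it within the 24 hours before the coming midnight.
# Refreshing the last-write time counts as a modification under the assumption above.
$tomorrow = $days[[int]$now.AddDays(1).DayOfWeek]
$keep = Join-Path $logDir "DhcpSrvLog-$tomorrow.log"
if (Test-Path $keep) { (Get-Item $keep).LastWriteTime = $now }
```

Run it again after the touch and tomorrow's file should now report "appended to". Note that keeping a file alive this way also keeps it counting against DhcpLogFilesMaxSize.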

For further information on DHCP Auditing, please refer: https://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cncb_dhc_tmvc.mspx?mfr=true