DHCP audit logging


Set up DHCP Auditing

DHCP stands for Dynamic Host Configuration Protocol. The DHCP service automatically issues IP addresses to the workstations in a network. A central aspect of DHCP is its integration with DNS (Domain Name System): the DHCP server automatically registers host names and IP addresses with the DNS servers.

The client sends a DHCP Discover (broadcast) to the network and expects a DHCP Offer (an offered IP address) from an existing DHCP server. The client accepts the offered IP address and sends the DHCP server a DHCP Request (I accept your offer). The DHCP server confirms with a DHCP Acknowledge (we are in business). If no DHCP server is reached, the client receives a provisional IP address from the range 169.254.0.1 - 169.254.255.254 via APIPA (Automatic Private IP Addressing).

To track such actions, it is important that the auditing feature be enabled.

Enable auditing and set the maximum log size and path:

Set-DhcpServerAuditLog -ComputerName "DC01.ndsedv.de" -Enable $True -Path "C:\Logs\DHCP\Auditing\dhcpauditlog\" -MaxMBFileSize 100

Enable auditing only, via the registry:

reg add HKLM\System\CurrentControlSet\Services\DhcpServer\Parameters /v ActivityLogFlag /t REG_DWORD /d 1

Adjust maximum logging size of all audit logs to be created:

Set-DhcpServerAuditLog -MaxMBFileSize 250

Set-DhcpServerAuditLog -MaxMBFileSize 4096

Customize file paths for the log files:

netsh dhcp server set databasepath D:\Logs\DHCP

netsh dhcp server set auditlog D:\Logs\DHCP\Auditing\dhcpauditlog
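To confirm that the settings above are active and that lease activity is being recorded, the following added example (not part of the original article) applies the audit configuration, restarts the service, reads the settings back, and lists today's lease events from the audit file. It assumes an elevated session on the DHCP server itself, reuses the article's sample server name and path, and the variable names are illustrative.

```powershell
# Added example: run in an elevated session on the DHCP server itself.
# Server name and path are the article's sample values.
$server  = 'DC01.ndsedv.de'
$logPath = 'C:\Logs\DHCP\Auditing\dhcpauditlog'

# Create the audit directory up front so the configured path is valid.
if (-not (Test-Path -LiteralPath $logPath)) {
    New-Item -ItemType Directory -Path $logPath -Force | Out-Null
}

Set-DhcpServerAuditLog -ComputerName $server -Enable $true -Path $logPath -MaxMBFileSize 100
# Changed audit log settings are picked up when the service restarts.
Restart-Service -Name DHCPServer

# Read the settings back instead of trusting the Set call.
$cfg = Get-DhcpServerAuditLog -ComputerName $server
if (-not $cfg.Enable) { throw "Audit logging is still disabled on $server" }
if ($cfg.Path.TrimEnd('\') -ne $logPath) { throw "Unexpected audit path: $($cfg.Path)" }

# One file per weekday, named with the English abbreviation (Mon, Tue, ...).
$day  = (Get-Date).ToString('ddd', [cultureinfo]'en-US')
$file = Join-Path $cfg.Path "DhcpSrvLog-$day.log"
if (-not (Test-Path -LiteralPath $file)) { throw "No audit file yet: $file" }

# Lease-related event IDs as listed in the header of the audit file.
$events = @{
    '10' = 'New lease';       '11' = 'Lease renewed'; '12' = 'Lease released'
    '14' = 'Scope exhausted'; '15' = 'Lease denied'
}
# Names for the first seven columns; later columns are not needed here.
$cols = 'ID','Date','Time','Description','IPAddress','HostName','MACAddress'

Get-Content -LiteralPath $file |
    Where-Object { $_ -match '^\d+,' } |       # skip the explanatory header
    ConvertFrom-Csv -Header $cols |
    Where-Object { $events.ContainsKey($_.ID) } |
    Select-Object Date, Time, @{ n = 'Event'; e = { $events[$_.ID] } },
                  IPAddress, HostName, MACAddress |
    Format-Table -AutoSize
```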
