The Microsoft DHCP Server DSM for IBM QRadar accepts DHCP events by using the Microsoft DHCP Server protocol or WinCollect.
About this task
Before you can integrate your Microsoft DHCP Server with QRadar, you must enable audit logging.
To configure the Microsoft DHCP Server:
Procedure
- Log in to the DHCP Server Administration Tool.
- From the DHCP Administration Tool, right-click on the DHCP server and select Properties.
  The Properties window is displayed.
- Click the General tab.
  The General pane is displayed.
- Click Enable DHCP Audit Logging.
  The audit log file is created at midnight and must contain a three-character day of the week abbreviation.
Table 1. Microsoft DHCP log file examples

| Log Type | Example |
|---|---|
| IPv4 | DhcpSrvLog-Mon.log |
| IPv6 | DhcpV6SrvLog-Wed.log |

By default Microsoft DHCP is configured to write audit logs to the %WINDIR%\system32\dhcp\ directory.
- Restart the DHCP service.
- You can now configure the log source and protocol in QRadar.
  - To configure QRadar to receive events from a Microsoft DHCP Server, you must select the Microsoft DHCP Server option from the Log Source Type list.
  - To configure the protocol, you must select the Microsoft DHCP option from the Protocol Configuration list.
Note: To integrate Microsoft DHCP Server versions 2000/2003 with QRadar by using WinCollect, see the IBM QRadar WinCollect User Guide.
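
To confirm that the server-side steps above took effect before you configure the log source, the following check can be run on the DHCP server. It is an added example, not part of the IBM or Microsoft documentation. It assumes an elevated PowerShell session with the DhcpServer module (Windows Server 2012 or later), and it assumes the day abbreviations are Mon through Sun; Table 1 shows only Mon and Wed.

```powershell
# Added example: verify DHCP audit logging before configuring the QRadar log source.
# Assumption: DhcpServer module is installed and the session is elevated.
Import-Module DhcpServer -ErrorAction Stop

# Naming rule from Table 1: prefix, hyphen, three-character day, .log
# Assumption: the full set of day abbreviations is Mon..Sun.
$namePattern = '^Dhcp(V6)?SrvLog-(Mon|Tue|Wed|Thu|Fri|Sat|Sun)\.log$'

# Read the audit log settings that the Properties > General tab controls.
$audit = Get-DhcpServerAuditLog
if (-not $audit.Enable) {
    Write-Warning 'DHCP audit logging is disabled. Enable it and restart the DHCP service.'
    return
}

# Configured audit directory (default is %WINDIR%\system32\dhcp\).
$dir = [Environment]::ExpandEnvironmentVariables($audit.Path)
$day = (Get-Date).DayOfWeek.ToString().Substring(0, 3)
Write-Output "Audit logging enabled, directory: $dir"

# Check today's IPv4 and IPv6 files and show how recently each was written.
foreach ($prefix in 'DhcpSrvLog', 'DhcpV6SrvLog') {
    $file = Join-Path $dir "$prefix-$day.log"
    if (Test-Path -LiteralPath $file) {
        $item = Get-Item -LiteralPath $file
        [pscustomobject]@{
            File      = $item.Name
            LastWrite = $item.LastWriteTime
            SizeBytes = $item.Length
        }
    } else {
        Write-Warning "Expected audit log not found: $file"
    }
}

# List log-like files that do not follow the naming rule, for example
# renamed or archived copies that do not match the expected file names.
Get-ChildItem -LiteralPath $dir -Filter 'Dhcp*Log*.log' |
    Where-Object { $_.Name -notmatch $namePattern } |
    Select-Object Name, LastWriteTime
```

A stale LastWrite value on today's file after the service restart suggests that logging is not active or that the server is writing to a different directory than the one QRadar will read.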