Forum Discussion
roadruner
Nov 03, 2020 Copper Contributor
Windows DHCP server logs to Sentinel
Does anyone know how to ingest Windows DHCP server logs to Sentinel?
thanks
- johnnymonz93 Copper Contributor
Please check the article I wrote to ingest DHCP logs using the new AMA agent.
https://medium.com/@johnnymonz/how-to-ingest-windows-server-dhcp-logs-in-microsoft-sentinel-e363be9f0283
- Mandar16 Copper Contributor
johnnymonz93 Hi Johnny, I tried your solution, but my customer has stored the logs on the E drive and I am using a path like E/DHCP/DhcpSrvLog-*.log, and the solution doesn't work in that case. First I used a path like E/DHCP/*.log, but it took logs from different log files, and it stopped that too after a couple of minutes. The agent is sending heartbeat to the LAW. Any idea on the causes?
- GaryBushey Bronze Contributor
That is correct
- GaryBushey Bronze Contributor
One way is to install the Microsoft Monitoring agent on the servers and then in Azure Sentinel go to Settings => Workspace settings => Advanced Settings => Data and in the Windows Event Logs, select any of the DHCP event logs you want to ingest
- guarismo Copper Contributor
I'm trying to consume Microsoft-Windows-Dhcp-Server/AuditLog but nothing is coming in, even though the DHCP audit file is populating
- roadruner Copper Contributor
Thanks, I saw a similar solution via this URL. I'll give it a whirl and see what happens.
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-windows-events
- roadruner Copper Contributor
Hi, would this be for on-prem servers or servers in Azure, or both? How does Sentinel know which servers to pull data from? Or is it capturing DHCP events from anywhere? Thanks