SOLVED

windows DHCP server logs to Sentinel

Copper Contributor
Does anyone know how to ingest Windows DHCP server logs to Sentinel ?

thanks
10 Replies
best response confirmed by roadruner (Copper Contributor)
Solution
One way is to install the Microsoft Monitoring agent on the servers and then in Azure Sentinel go to Settings => Workspace settings => Advanced Settings => Data and in the Windows Event Logs, select any of the DHCP event logs you want to ingest
thanks , i saw a similar solution via this url .. i’ll give it a whirl and see what happens
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-windows-events
hi, would this be for on prem servers or servers in azure. or both ? how does sentinel know which servers to pull data from ? or is it capturing dhcp events from anywhere? thanks

@roadruner This would work for either Azure or non-Azure computers.  If you set up the Data section to ingest the DHCP events logs, then this would apply to all Windows computers.  So the agent would look for those logs on all windows computers, although it should only find them on DHCP servers.

 

There is a new monitoring agent in public preview that would allow you to specify what logs to look at on which computers but it only works for Azure computers for the most part.

great thanks , i take it i would see these dhcp logs , under Log Management/Event in Sentinel ?
That is correct
I'm trying to consume Microsoft-Windows-Dhcp-Server/AuditLog but nothing is coming in, even though the dhcp audit file is populating

@guarismoI have the same thing also.

@roadruner 

Please check the article I wrote to ingest DHCP logs using the new AMA agent.
 https://medium.com/@johnnymonz/how-to-ingest-windows-server-dhcp-logs-in-microsoft-sentinel-e363be9f... 

@johnnymonz93 hii johny tried your solution but for my customer they have stored logs into E drive and I am using a path like E/DHCP/DhcpSrvLog-*.log but the solution doesn't work in that case first I used path like

E/DHCP/*.log but it took logs from different logs files but it stopped that too after a couple of minutes the agent is sending heartbeat to the Law any idea on the causes? 

1 best response

Accepted Solutions
best response confirmed by roadruner (Copper Contributor)
Solution
One way is to install the Microsoft Monitoring agent on the servers and then in Azure Sentinel go to Settings => Workspace settings => Advanced Settings => Data and in the Windows Event Logs, select any of the DHCP event logs you want to ingest

View solution in original post