cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Microsoft Secure Tech Accelerator
Apr 13 2023, 07:00 AM - 12:00 PM (PDT)
Microsoft Tech Community
Find out more
SOLVED

windows DHCP server logs to Sentinel

roadruner
Occasional Contributor

‎Nov 03 2020 10:15 AM

‎Nov 03 2020 10:15 AM

windows DHCP server logs to Sentinel

Does anyone know how to ingest Windows DHCP server logs to Sentinel ?

thanks
7,009 Views
0 Likes
9 Replies
Reply
9 Replies
best response confirmed by roadruner (Occasional Contributor)
Gary Bushey

‎Nov 03 2020 12:23 PM

‎Nov 03 2020 12:23 PM

Solution

RE: windows DHCP server logs to Sentinel

One way is to install the Microsoft Monitoring agent on the servers and then in Azure Sentinel go to Settings => Workspace settings => Advanced Settings => Data and in the Windows Event Logs, select any of the DHCP event logs you want to ingest
0 Likes
Reply
roadruner

‎Nov 03 2020 02:37 PM

‎Nov 03 2020 02:37 PM

RE: windows DHCP server logs to Sentinel

thanks , i saw a similar solution via this url .. i’ll give it a whirl and see what happens
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-windows-events
0 Likes
Reply
roadruner

‎Nov 04 2020 07:38 AM

‎Nov 04 2020 07:38 AM

RE: windows DHCP server logs to Sentinel

hi, would this be for on prem servers or servers in azure. or both ? how does sentinel know which servers to pull data from ? or is it capturing dhcp events from anywhere? thanks
0 Likes
Reply
Gary Bushey

‎Nov 04 2020 08:07 AM

‎Nov 04 2020 08:07 AM

RE: windows DHCP server logs to Sentinel

@roadruner This would work for either Azure or non-Azure computers.  If you set up the Data section to ingest the DHCP events logs, then this would apply to all Windows computers.  So the agent would look for those logs on all windows computers, although it should only find them on DHCP servers.

 

There is a new monitoring agent in public preview that would allow you to specify what logs to look at on which computers but it only works for Azure computers for the most part.

0 Likes
Reply
roadruner

‎Nov 05 2020 05:13 AM

‎Nov 05 2020 05:13 AM

RE: windows DHCP server logs to Sentinel

great thanks , i take it i would see these dhcp logs , under Log Management/Event in Sentinel ?
0 Likes
Reply
Gary Bushey

‎Nov 05 2020 06:49 AM

‎Nov 05 2020 06:49 AM

RE: windows DHCP server logs to Sentinel

That is correct
0 Likes
Reply
guarismo

‎Jul 05 2021 05:33 PM

‎Jul 05 2021 05:33 PM

RE: windows DHCP server logs to Sentinel

I'm trying to consume Microsoft-Windows-Dhcp-Server/AuditLog but nothing is coming in, even though the dhcp audit file is populating
0 Likes
Reply
Clipseman

‎Aug 15 2022 01:30 PM

‎Aug 15 2022 01:30 PM

Re: RE: windows DHCP server logs to Sentinel

@guarismoI have the same thing also.

0 Likes
Reply
johnnymonz93

‎Jan 28 2023 10:20 AM

‎Jan 28 2023 10:20 AM

Re: windows DHCP server logs to Sentinel

@roadruner 

Please check the article I wrote to ingest DHCP logs using the new AMA agent.
 https://medium.com/@johnnymonz/how-to-ingest-windows-server-dhcp-logs-in-microsoft-sentinel-e363be9f... 

0 Likes
Reply