Microsoft Secure Tech Accelerator
Apr 13 2023, 07:00 AM - 12:00 PM (PDT)
Microsoft Tech Community

windows DHCP server logs to Sentinel

Occasional Contributor
Does anyone know how to ingest Windows DHCP server logs to Sentinel ?

9 Replies
best response confirmed by roadruner (Occasional Contributor)
One way is to install the Microsoft Monitoring agent on the servers and then in Azure Sentinel go to Settings => Workspace settings => Advanced Settings => Data and in the Windows Event Logs, select any of the DHCP event logs you want to ingest
thanks , i saw a similar solution via this url .. i’ll give it a whirl and see what happens
hi, would this be for on prem servers or servers in azure. or both ? how does sentinel know which servers to pull data from ? or is it capturing dhcp events from anywhere? thanks

@roadruner This would work for either Azure or non-Azure computers.  If you set up the Data section to ingest the DHCP events logs, then this would apply to all Windows computers.  So the agent would look for those logs on all windows computers, although it should only find them on DHCP servers.


There is a new monitoring agent in public preview that would allow you to specify what logs to look at on which computers but it only works for Azure computers for the most part.

great thanks , i take it i would see these dhcp logs , under Log Management/Event in Sentinel ?
That is correct
I'm trying to consume Microsoft-Windows-Dhcp-Server/AuditLog but nothing is coming in, even though the dhcp audit file is populating

@guarismoI have the same thing also.


Please check the article I wrote to ingest DHCP logs using the new AMA agent.