SOLVED

windows DHCP server logs to Sentinel

Does anyone know how to ingest Windows DHCP server logs to Sentinel?

Thanks
Best response confirmed by roadruner
Solution
One way is to install the Microsoft Monitoring Agent on the servers and then, in Azure Sentinel, go to Settings => Workspace settings => Advanced Settings => Data and, in the Windows Event Logs section, select any of the DHCP event logs you want to ingest.
Thanks, I saw a similar solution via this URL. I'll give it a whirl and see what happens.
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-windows-events
Hi, would this be for on-prem servers or servers in Azure, or both? How does Sentinel know which servers to pull data from? Or is it capturing DHCP events from anywhere? Thanks

@roadruner This would work for either Azure or non-Azure computers. If you set up the Data section to ingest the DHCP event logs, then this would apply to all Windows computers. So the agent would look for those logs on all Windows computers, although it should only find them on DHCP servers.


There is a new monitoring agent in public preview that would allow you to specify what logs to look at on which computers but it only works for Azure computers for the most part.

Great, thanks. I take it I would see these DHCP logs under Log Management/Event in Sentinel?
That is correct.
I'm trying to consume Microsoft-Windows-Dhcp-Server/AuditLog but nothing is coming in, even though the DHCP audit file is populating.
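An added example for this thread, not code from any of the posts above. Two different things get called "DHCP server logs" here: the event-log channels that the accepted answer's Windows Event Logs setting collects (those land in the `Event` table, where `Event | where EventLog startswith "Microsoft-Windows-Dhcp-Server"` shows what has arrived per computer and channel), and the DHCP audit file mentioned in the last reply (`DhcpSrvLog-<Day>.log`, by default under `%windir%\System32\dhcp`), which is a plain CSV text file and not an event-log channel, so an event-log collector never reads it. To get the audit file's contents into a workspace it has to be ingested as a custom text log and parsed. The parser below handles the file's banner block and column header and relies only on the first seven columns, since the later columns vary by Windows Server version; the log lines and host names in `SAMPLE_LOG` are constructed for the example and the event-ID meanings are the ones printed in the file's own banner.

```python
"""Parse a Windows DHCP Server audit log (DhcpSrvLog-<Day>.log) into records.

Added example, not code from the thread. The audit file is CSV text with a
banner and a column header before the data rows; the sample below is
constructed to match that layout.
"""
import csv
from collections import Counter
from dataclasses import dataclass

# Meanings of common audit-log event IDs, as listed in the file's own banner.
EVENT_MEANINGS = {
    "00": "The log was started.",
    "10": "A new IP address was leased to a client.",
    "11": "A lease was renewed by a client.",
    "12": "A lease was released by a client.",
    "13": "An IP address was found to be in use on the network.",
    "14": "A lease request could not be satisfied because the scope's address pool was exhausted.",
    "15": "A lease was denied.",
    "16": "A lease was deleted.",
    "17": "A lease was expired.",
}

# Constructed sample file (banner, header, five data rows). Hosts/MACs are made up.
SAMPLE_LOG = """\
\t\tMicrosoft DHCP Service Activity Log

Event ID  Meaning
00\tThe log was started.
10\tA new IP address was leased to a client.
14\tA lease request could not be satisfied because the scope's address pool was exhausted.

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID,Dhcid,VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),RelayAgentInformation,DnsRegError.
00,10/29/20,08:00:01,Started,,,,,0,6,,,,,,,,,0
10,10/29/20,09:14:02,Assign,10.0.0.25,ws01.contoso.local,001122334455,,1453,0,,,,,,,,,0
11,10/29/20,09:20:11,Renew,10.0.0.26,ws02.contoso.local,0011223344AA,,1454,0,,,,,,,,,0
10,10/29/20,09:21:02,Assign,10.0.0.27,,0011223344BB,,1455,0,,,,,,,,,0
14,10/29/20,09:22:30,Scope Full,10.0.0.0,,0011223344CC,,1456,0,,,,,,,,,0
"""


@dataclass(frozen=True)
class DhcpAuditRecord:
    event_id: str
    date: str
    time: str
    description: str
    ip_address: str
    host_name: str
    mac_address: str

    @property
    def meaning(self) -> str:
        return EVENT_MEANINGS.get(self.event_id, "unknown event ID")


def parse_dhcp_audit_log(text: str) -> list[DhcpAuditRecord]:
    """Skip everything up to the 'ID,Date,Time,...' header, then parse rows positionally."""
    lines = text.splitlines()
    header_idx = next(
        (i for i, ln in enumerate(lines) if ln.startswith("ID,Date,Time,")), None
    )
    if header_idx is None:
        raise ValueError("no DHCP audit log column header found")
    records = []
    for row in csv.reader(lines[header_idx + 1:]):
        if len(row) < 7:  # blank line or truncated row: skip rather than fail
            continue
        records.append(DhcpAuditRecord(*(field.strip() for field in row[:7])))
    return records


def counts_by_event_id(records: list[DhcpAuditRecord]) -> Counter:
    """Per-event-ID volume, the first thing to chart once the file is ingested."""
    return Counter(r.event_id for r in records)


def scope_exhaustion_events(records: list[DhcpAuditRecord]) -> list[DhcpAuditRecord]:
    """Event 14 rows: the scope ran out of addresses (capacity problem or DHCP starvation)."""
    return [r for r in records if r.event_id == "14"]


if __name__ == "__main__":
    recs = parse_dhcp_audit_log(SAMPLE_LOG)
    for r in recs:
        print(f"{r.date} {r.time} [{r.event_id}] {r.description:<10} "
              f"{r.ip_address:<12} {r.mac_address:<12} {r.meaning}")
    print(counts_by_event_id(recs))
    for r in scope_exhaustion_events(recs):
        print("scope exhausted:", r.date, r.time, r.ip_address)
```

Because the parser keys on the header row rather than on line position, the same function works on a file that has been rotated mid-day or appended to since the banner was written; rows with fewer than seven fields are skipped so a partially written last line does not abort the run.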