DHCP activity logging allows Administrators to monitor DHCP Server configuration changes.
IT Administrators who manage a highly distributed environment typically want auditing in place for critical infrastructure services such as DHCP that serve the network. Audit data is also required to satisfy the organization's external regulatory compliance requirements.
Given the significance of auditing, IT Administrators want auditing enabled for features such as DHCP Scope configuration of the DHCP Service. Scope configuration matters in particular because it affects the range of IP addresses available to DHCP clients, subnet association based on the IP addressing scheme, the exclusion of individual addresses or groups of addresses from the range, the DHCP options that allow DHCP clients to access remote networks, and the lease duration of the IP addresses issued to DHCP clients.
DHCP activity logging allows you to monitor configuration changes of the DHCP Server. Logging is used for network security / IT compliance auditing purposes.
Logged events include exclusion IP ranges, reservations, filters and scope options. Events also record tracking information, including the date and time of the event, the IP address and host name of the DHCP Server on which the event occurred, and the user name of the administrator who made the change.
Logged events can be viewed in the following location in Event Viewer:
Applications and Services Logs\Microsoft\Windows\DHCP-Server\Microsoft-Windows-DHCP Server Events/Operational
Target | Microsoft.Windows.2008R2.DHCP.Server.Role
Parent Monitor | System.Health.ConfigurationState
Category | ConfigurationHealth
Enabled | True
Alert Generate | True
Alert Severity | MatchMonitorHealth
Alert Priority | Normal
Alert Auto Resolve | True
Monitor Type | Microsoft.Windows.SingleEventLogManualReset2StateMonitorType
Remotable | True
Accessibility | Public
Alert Message |
RunAs | Default
<UnitMonitor ID="Microsoft.Windows.2008R2.DHCP.Server.Monitor.ActivityLogging" Accessibility="Public" Enabled="true" Target="Microsoft.Windows.2008R2.DHCP.Server.Role" ParentMonitorID="Health!System.Health.ConfigurationState" Remotable="true" Priority="Normal" TypeID="Windows!Microsoft.Windows.SingleEventLogManualReset2StateMonitorType" ConfirmDelivery="true">
  <Category>ConfigurationHealth</Category>
  <AlertSettings AlertMessage="Microsoft.Windows.2008R2.DHCP.Server.Monitor.ActivityLogging_AlertMessageResourceID">
    <AlertOnState>Warning</AlertOnState>
    <AutoResolve>true</AutoResolve>
    <AlertPriority>Normal</AlertPriority>
    <AlertSeverity>MatchMonitorHealth</AlertSeverity>
  </AlertSettings>
  <OperationalStates>
    <OperationalState ID="UIGeneratedOpStateId90f842ab01b941399bed63839bcafb95" MonitorTypeStateID="EventRaised" HealthState="Warning"/>
    <OperationalState ID="UIGeneratedOpStateIdac560ae0bcfb4e0996d9a939e62ab066" MonitorTypeStateID="ManualResetEventRaised" HealthState="Success"/>
  </OperationalStates>
  <Configuration>
    <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
    <LogName>Microsoft-Windows-Dhcp-Server/Operational</LogName>
    <Expression>
      <And>
        <Expression>
          <RegExExpression>
            <ValueExpression>
              <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
            </ValueExpression>
            <Operator>MatchesRegularExpression</Operator>
            <Pattern>^(70|71|72|73|74|75|76|77|78|79|80|81|82|83|84|87|89|90|91|92|93|94|95|96|97|98|99|100|101|102|103|104|106|107|108|109|110|111|112|113|114|115|116|119|120|121|122|123|124|125|126|127|128|129|130|131|132|157|133|134|135|136|137|138|139|140|141|142|143|144|145|147|148|149|150|151|152|153|154|156)$</Pattern>
          </RegExExpression>
        </Expression>
        <Expression>
          <RegExExpression>
            <ValueExpression>
              <XPathQuery Type="String">PublisherName</XPathQuery>
            </ValueExpression>
            <Operator>ContainsSubstring</Operator>
            <Pattern>DHCP</Pattern>
          </RegExExpression>
        </Expression>
      </And>
    </Expression>
  </Configuration>
</UnitMonitor>
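The following is an added example, not part of the management pack or the original page: it parses the monitor's <Expression> shown above, evaluates it against constructed sample events, and lists the event IDs inside the pattern's numeric span that the monitor does not match, which is useful when reviewing audit coverage. The function names, the sample events and the case-sensitive handling of ContainsSubstring are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# <Expression> element copied from the monitor definition on this page.
MONITOR_EXPRESSION = """<Expression><And>
<Expression><RegExExpression>
<ValueExpression><XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery></ValueExpression>
<Operator>MatchesRegularExpression</Operator>
<Pattern>^(70|71|72|73|74|75|76|77|78|79|80|81|82|83|84|87|89|90|91|92|93|94|95|96|97|98|99|100|101|102|103|104|106|107|108|109|110|111|112|113|114|115|116|119|120|121|122|123|124|125|126|127|128|129|130|131|132|157|133|134|135|136|137|138|139|140|141|142|143|144|145|147|148|149|150|151|152|153|154|156)$</Pattern>
</RegExExpression></Expression>
<Expression><RegExExpression>
<ValueExpression><XPathQuery Type="String">PublisherName</XPathQuery></ValueExpression>
<Operator>ContainsSubstring</Operator>
<Pattern>DHCP</Pattern>
</RegExExpression></Expression>
</And></Expression>"""

def load_criteria(xml_text):
    """Return (field, operator, pattern) for every RegExExpression under the <And>."""
    root = ET.fromstring(xml_text)
    return [(r.findtext("ValueExpression/XPathQuery"), r.findtext("Operator"),
             r.findtext("Pattern")) for r in root.iter("RegExExpression")]

def event_matches(event, criteria):
    """True when the event satisfies every criterion (the <And> element)."""
    for field, operator, pattern in criteria:
        value = str(event.get(field, ""))
        if operator == "MatchesRegularExpression":
            ok = re.search(pattern, value) is not None
        elif operator == "ContainsSubstring":
            ok = pattern in value  # assumption: treated as case-sensitive here
        else:
            raise ValueError(f"unsupported operator: {operator}")
        if not ok:
            return False
    return True

def unmatched_ids_in_span(criteria):
    """Event IDs between the pattern's lowest and highest ID that it does not list."""
    pattern = next(p for f, _, p in criteria if f == "EventDisplayNumber")
    listed = {int(n) for n in re.findall(r"\d+", pattern)}
    return [n for n in range(min(listed), max(listed) + 1) if n not in listed]

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventDisplayNumber": 70, "PublisherName": "Microsoft-Windows-DHCP-Server"},
    {"EventDisplayNumber": 85, "PublisherName": "Microsoft-Windows-DHCP-Server"},
    {"EventDisplayNumber": 7, "PublisherName": "Microsoft-Windows-DHCP-Server"},
    {"EventDisplayNumber": 70, "PublisherName": "ExampleOtherSource"},
]

if __name__ == "__main__":
    crit = load_criteria(MONITOR_EXPRESSION)
    for ev in SAMPLE_EVENTS:
        print(ev, "->", "Warning" if event_matches(ev, crit) else "no state change")
    print("IDs in span not matched:", unmatched_ids_in_span(crit))
```
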