DHCP Server 2016 and 1709+ Policy Drop Packets in Fail Over Monitoring Rule

Microsoft.Windows.DHCPServer.10.0.Policy.FailOver.PacketDrop (Rule)

Alert when policy drop packets events are inserted in DHCP log

Knowledge Base article:

Element properties:

Member Modules:

Source Code:

<Rule ID="Microsoft.Windows.DHCPServer.10.0.Policy.FailOver.PacketDrop" Enabled="true" Target="Microsoft.Windows.DHCPServer.10.0.Server" ConfirmDelivery="false" Remotable="true" Priority="Normal" DiscardLevel="100">

  <Category>Custom</Category>

  <DataSources>

    <DataSource ID="LogDS1" TypeID="AppLog!System.ApplicationLog.GenericCSVLog.FilteredEventProvider">

      <LogFileDirectory>%windir%/system32/dhcp</LogFileDirectory>

      <LogFilePattern>DhcpSrvLog-*.log</LogFilePattern>

      <LogIsUTF8>false</LogIsUTF8>

      <Separator>,</Separator>

      <Expression>

        <SimpleExpression>

          <ValueExpression>

            <XPathQuery Type="String">Params/Param[1]</XPathQuery>

          </ValueExpression>

          <Operator>Equal</Operator>

          <ValueExpression>

            <Value Type="String">10</Value>

          </ValueExpression>

        </SimpleExpression>

      </Expression>

    </DataSource>

    <DataSource ID="LogDS2" TypeID="AppLog!System.ApplicationLog.GenericCSVLog.FilteredEventProvider">

      <LogFileDirectory>%windir%/system32/dhcp</LogFileDirectory>

      <LogFilePattern>DhcpSrvLog-*.log</LogFilePattern>

      <LogIsUTF8>false</LogIsUTF8>

      <Separator>,</Separator>

      <Expression>

        <SimpleExpression>

          <ValueExpression>

            <XPathQuery Type="String">Params/Param[1]</XPathQuery>

          </ValueExpression>

          <Operator>Equal</Operator>

          <ValueExpression>

            <Value Type="String">36</Value>

          </ValueExpression>

        </SimpleExpression>

      </Expression>

    </DataSource>

  </DataSources>

  <ConditionDetection ID="Correlator" TypeID="System!System.CorrelatorAutoCondition">

    <Correlator>

      <CorrelationExpression>

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <XPathQuery>Item0:EventData/DataItem/Params/Param[7]</XPathQuery>

            </ValueExpression>

            <Operator>Equal</Operator>

            <ValueExpression>

              <Value>Item1:EventData/DataItem/Params/Param[7]</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

      </CorrelationExpression>

      <Count>1</Count>

      <Interval>86400</Interval>

      <CorrelationOrder>InSequence</CorrelationOrder>

      <CorrelationItemPolicy>First</CorrelationItemPolicy>

    </Correlator>

  </ConditionDetection>

  <WriteActions>

    <WriteAction ID="GenerateAlert" TypeID="Health!System.Health.GenerateAlert">

      <Priority>1</Priority>

      <Severity>2</Severity>

      <AlertMessageId>$MPElement[Name="Microsoft.Windows.DHCPServer.10.0.Policy.FailOver.PacketDrop.AlertMessage"]$</AlertMessageId>

      <AlertParameters>

        <AlertParameter1>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/PrincipalName$</AlertParameter1>

        <AlertParameter2>$Data/Context/DataItem/Item1Context/DataItem/Params/Param[4]$</AlertParameter2>

        <AlertParameter3>$Data/Context/DataItem/Item0Context/DataItem/Params/Param[5]$</AlertParameter3>

      </AlertParameters>

    </WriteAction>

  </WriteActions>

</Rule>