DHCP 2012 Audit Logging Monitor - Microsoft.Windows.DHCPServer.2012.IPv6Runtime.UnitMonitor.Auditing (UnitMonitor)

Microsoft.Windows.DHCPServer.2012.IPv6Runtime.UnitMonitor.Auditing (UnitMonitor)

This monitor checks if the log audit is being configured

Knowledge Base article:

Summary

Dynamic Host Configuration Protocol version 6 (DHCPv6) runtime includes normal operating functions of the DHCPv6 server. Examples of these functions include lease issuance and rogue detection.

Dynamic Host Configuration Protocol version 6 (DHCPv6) servers include several logging features and server parameters that provide enhanced auditing capabilities. You might need to configure log settings to prevent the log from filling up or to give the server permissions to write to the log. You can configure the following properties to keep your DHCP server logs healthy:

The audit log file path
A maximum size restriction
An interval for disk checking
A minimum size requirement

Causes

DHCPv6 has determined that the audit log cannot be written to because it is full or cannot be accessed. The DHCP server will continue to function properly, but audit events will not be recorded until the log is writable.

Resolutions

Resolution: Remove old audit log files or increase the maximum audit log size

If the disk is full or the maximum log size is reached, the DHCP server closes the current file and ignores further requests to log audit events until either midnight or until disk status is improved and the disk is no longer full. If the disk is full, you can add more physical disk space, increase the maximum audit log size, or delete old log files from the default log directory: %windir%\System32\Dhcp.

To perform these procedures, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.

To increase the maximum audit log size:

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

Click Start, type regedit in Start Search, click Continue, and then press ENTER.
In the registry tree, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters, and then press ENTER.
Double click DhcpLogFilesMaxSize, select Decimal, and then type a number greater than the current number in Value data.

Additional

Verifier: Server is logging DHCP events

To verify that the DHCP audit log is functioning correctly:

At the DHCP server computer, click Start, type Windows Explorer in Start Search, and then press ENTER.
Navigate the Windows Explorer tree to %windir%\System32\Dhcp.
View and record the most recent DHCP log file date stamps. They should be recent. Repeat this process at regular intervals and note whether new events are being logged.

Element properties:

Target

Microsoft.Windows.DHCPServer.2012.IPv6Runtime

Parent Monitor

System.Health.SecurityState

Category

StateCollection

Enabled

True

Alert Generate

True

Alert Severity

MatchMonitorHealth

Alert Priority

Normal

Alert Auto Resolve

True

Monitor Type

Microsoft.Windows.SingleEventLogManualReset2StateMonitorType

Remotable

True

Accessibility

Public

Alert Message

DHCP 2012 Audit Logging Alert

{0}

RunAs

Default

Source Code:

<UnitMonitor ID="Microsoft.Windows.DHCPServer.2012.IPv6Runtime.UnitMonitor.Auditing" Accessibility="Public" Enabled="true" Target="Microsoft.Windows.DHCPServer.2012.IPv6Runtime" ParentMonitorID="Health!System.Health.SecurityState" Remotable="true" Priority="Normal" TypeID="Windows!Microsoft.Windows.SingleEventLogManualReset2StateMonitorType" ConfirmDelivery="true"> <Category>StateCollection</Category> <AlertSettings AlertMessage="Microsoft.Windows.DHCPServer.2012.IPv6Runtime.UnitMonitor.Auditing_AlertMessageResourceID"> <AlertOnState>Warning</AlertOnState> <AutoResolve>true</AutoResolve> <AlertPriority>Normal</AlertPriority> <AlertSeverity>MatchMonitorHealth</AlertSeverity> <AlertParameters> <AlertParameter1>$Data/Context/EventDescription$</AlertParameter1> </AlertParameters> </AlertSettings> <OperationalStates> <OperationalState ID="Warning" MonitorTypeStateID="EventRaised" HealthState="Warning"/> <OperationalState ID="Success" MonitorTypeStateID="ManualResetEventRaised" HealthState="Success"/> </OperationalStates> <Configuration> <ComputerName>$Target/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName> <LogName>System</LogName> <Expression> <And> <Expression> <SimpleExpression> <ValueExpression> <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery> </ValueExpression> <Operator>Equal</Operator> <ValueExpression> <Value Type="UnsignedInteger">10011</Value> </ValueExpression> </SimpleExpression> </Expression> <Expression> <SimpleExpression> <ValueExpression> <XPathQuery Type="String">PublisherName</XPathQuery> </ValueExpression> <Operator>Equal</Operator> <ValueExpression> <Value Type="String">Microsoft-Windows-DHCP-Server</Value> </ValueExpression> </SimpleExpression> </Expression> </And> </Expression> </Configuration> </UnitMonitor>