5 Replies Latest reply on Dec 12, 2013 1:53 PM by nicole pauls

    DHCP Lease Assignment

    jonbutterworth

      Good Morning,

      I wonder if someone could be of assistance.

      I am looking at using LEM to be able to tie DHCP Lease Assignment to a specific user. It would be incredibly handy to be able to track which IP Address was assigned to which user and device, along with the specified time.

      I've looked through various options and tried different configurations... do we know if this is possible? And if so, how to go about capturing this data?

      I look forward to hearing your thoughts and advice.

      Thanks in advance.

      Jon

        • Re: DHCP Lease Assignment
          jonbutterworth

          Any update? Can someone help?

          • Re: DHCP Lease Assignment
            curtisi

            I don't have a DHCP server running the LEM Agent to test this in the lab, but...

            Windows DHCP Server 2000-2008 are supported as connectors in LEM. The connectors read the directory for DHCP logs (which changes with each Windows iteration).

            It also appears, based on Microsoft Documentation, that those log files include date, time, assigned IP, hostname and MAC Address. It also looks like events like renewals and releases are logged.

            Without a way to check this in the lab, I can't guarantee anything, but since you can deploy LEM free for 30 days and the connectors are there, it should be a simple thing to test. You may have to update the default connector package to see the DHCP connectors.

              • Re: DHCP Lease Assignment
                bulldogryanb

                The current LEM DHCP Connector monitors the Windows System Log for DHCP events but Lease Assignments do not appear to be logged here by default. That information appears to only be logged in the DHCP audit log. See TechNet Article: "More About DHCP Audit and Event Logging". In it, it states: "In Windows Server 2008, DHCP server log files are configured to manage log file growth and conserve disk resources by default. DHCP audit logs are located by default at %windir%\System32\Dhcp."

                I verified this log path and lease assignments are listed in it but it does not appear to match the default location of the DHCP connector. Is there a different tool or do I need to enable different auditing for these events to be listed in the Windows System event log?

                I too would like to record DHCP lease assignments in LEM for forensics.

                  • Re: DHCP Lease Assignment
                    curtisi

                    I'm going to load up the DHCP services in my lab to take a look at it, but if a new connector is required, this will need to be a help desk ticket so we can gather the right information.  At the very least, we'd need sample log data (my log only gets two events since I'm not really an authorized DHCP host).

                    • Re: DHCP Lease Assignment
                      nicole pauls

                      We do have an additional DHCP connector that reads the DHCP events from the System event log - that does cover some additional info to what's in the actual DHCP log.

                      The %windir%\system32\dhcp logs are what we read from the other DHCP connector.
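
Added example (not from any poster in this thread and not LEM connector code): a small Python parser for the DHCP audit log discussed above, answering the forensic question "which host and MAC held this IP at this time?" from the date, time, IP, hostname and MAC fields. Assumptions: the column layout shown in the sample header, an MM/DD/YY date format (this follows the server's locale), event IDs 10/11 for assign/renew and 12/16/17 for release/deleted/expired; the log lines, hostnames and MAC addresses are constructed sample data.

```python
import csv
from datetime import datetime

# Constructed sample in the layout of a Windows DHCP audit log (DhcpSrvLog-*.log):
# a free-text preamble, a column header line, then CSV event rows.
SAMPLE_LOG = """\
\t\tMicrosoft DHCP Service Activity Log

ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,12/12/13,00:00:05,Started,,,,
10,12/12/13,08:01:12,Assign,10.0.0.21,WS-ALPHA.example.test,0011223344AA,
11,12/12/13,10:01:12,Renew,10.0.0.21,WS-ALPHA.example.test,0011223344AA,
12,12/12/13,11:30:00,Release,10.0.0.21,WS-ALPHA.example.test,0011223344AA,
10,12/12/13,11:45:40,Assign,10.0.0.21,LAPTOP-BETA.example.test,0011223344BB,
"""

# Assumed event IDs: lease starts/continues vs. lease ends.
START, END = {"10", "11"}, {"12", "16", "17"}

def parse_events(text):
    """Return lease-related rows as dicts, skipping the preamble and service events."""
    lines = text.splitlines()
    header = next(i for i, l in enumerate(lines) if l.startswith("ID,Date,Time"))
    events = []
    for row in csv.reader(lines[header + 1:]):
        if len(row) < 7 or row[0].strip() not in START | END:
            continue  # blank line, truncated row, or non-lease event (e.g. 00 Started)
        events.append({
            "id": row[0].strip(),
            # Assumed MM/DD/YY; adjust the format string to the server's locale.
            "when": datetime.strptime(f"{row[1]} {row[2]}", "%m/%d/%y %H:%M:%S"),
            "ip": row[4], "host": row[5], "mac": row[6].upper(),
        })
    return sorted(events, key=lambda e: e["when"])

def holder_at(events, ip, when):
    """Return (host, mac) holding `ip` at `when`, or None if no lease was active."""
    holder = None
    for e in events:  # events are time-ordered; the last one before `when` wins
        if e["ip"] != ip or e["when"] > when:
            continue
        holder = (e["host"], e["mac"]) if e["id"] in START else None
    return holder

if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print(holder_at(evts, "10.0.0.21", datetime(2013, 12, 12, 9, 0)))
```

The log identifies the device (hostname and MAC), so tying a lease to a user still requires joining these results against logon events for that host from another source.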