14.12. Enabling DHCP Audit Logging

Problem

You want to enable DHCP Server audit logging, either to monitor the activity the server is receiving or to keep the logs as an audit trail in case a problem arises in the future.

Warning

Enabling logging on a busy DHCP Server can negatively impact performance. Monitor the server closely after initially turning on logging.

Solution

Using a graphical user interface

  1. Open the DHCP snap-in.

  2. In the left pane, right-click on DHCP and select Add Server.

  3. Type in the name of the DHCP Server you want to target and click OK.

  4. Right-click the server node and select Properties.

  5. On the General tab, check the box beside Enable DHCP audit logging.

  6. Click OK.

Using a command-line interface

Surprisingly, netsh doesn't allow you to enable DHCP audit logging. You can only modify the audit log file path (see Recipe 14.13). However, this setting is controlled via the registry. The following command enables auditing by setting the ActivityLogFlag value:

> reg add HKLM\System\CurrentControlSet\Services\DhcpServer\Parameters /v ActivityLogFlag /t REG_DWORD /d 1

To disable auditing, run the same command with /d 0 in place of /d 1.
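
A PowerShell version of the same registry change, as an added example that is not from the book: it reads ActivityLogFlag first, writes only when the value differs, and reads it back to confirm. The function name Set-DhcpAuditLogFlag and its output fields are hypothetical; the key path and value name are the ones in the reg add command above, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: audit and, if needed, correct the ActivityLogFlag setting.
# Function name and output fields are hypothetical; the key path and value
# name come from the reg add command above. Run from an elevated prompt.
function Set-DhcpAuditLogFlag {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [bool]$Enabled = $true
    )

    $key  = 'HKLM:\System\CurrentControlSet\Services\DhcpServer\Parameters'
    $name = 'ActivityLogFlag'
    $want = [int]$Enabled    # 1 = auditing on, 0 = auditing off

    if (-not (Test-Path -Path $key)) {
        throw "Registry key not found: $key (is the DHCP Server service installed?)"
    }

    # Read the current value; a missing value is reported as $null.
    $prop   = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    $before = if ($prop) { $prop.$name } else { $null }

    $changed = $false
    if ($before -ne $want -and $PSCmdlet.ShouldProcess("$key\$name", "Set to $want")) {
        # -Force creates the value or overwrites an existing one as a DWORD.
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $want -Force | Out-Null
        $changed = $true
    }

    # Read back so the report reflects what is actually in the registry.
    $after = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Before   = $before
        After    = $after
        Changed  = $changed
        Enabled  = ($after -eq 1)
    }
}

# Report what would change without writing, then enable auditing.
Set-DhcpAuditLogFlag -WhatIf
Set-DhcpAuditLogFlag -Enabled $true
```

The Before and After fields give a record of the setting's state at the time of the check, which is useful when confirming that auditing was not switched off on a server.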

Discussion

After you enable auditing on a DHCP Server, all DHCP requests, database maintenance events, and various errors will be logged to a file. By default, a separate file is generated for each day of the week and stored in %SystemRoot%\system32\dhcp. See Recipe 14.13 for more on how to store audit logs in a different directory. The files are named DhcpSrvLog-xxx.log ...
