DHCP Setup and Configuration
To monitor DHCP events, Tenable provides two examples using Windows Server 2019 and CentOS 7 as DHCP servers. These configurations use many of the default settings. However, Tenable does not provide support for configuring DHCP services on a customer’s network.
Windows DHCP
DHCP server logs can be tracked in the same way as any other log type. You can add the Windows DHCP server logs during installation.
To add new log sources after installation, add entries to the inputs.conf file (see the configuration example below):
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf
Configuration file:
[monitor://C:/Windows\System32\dhcp]
sourcetype = dhcp
Settings:
crcSalt = <SOURCE>
alwaysOpenFile = 1
disabled = false
whitelist = Dhcp.+\.log
Note: If you are not using the default install path for your Windows server, you can find the path in your server settings:
- Open the DHCP Microsoft Management Console.
- Right-click your server.
- Click Properties.
- Open the Advanced tab.
The Audit log file path is the installation path.
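The following Python check is an added example, not part of Tenable's or Splunk's documentation. It writes the settings above as an inputs.conf stanza, confirms their values, and reports which files in a constructed directory listing the whitelist would select. The file names, the helper names monitor_stanzas and audit, and the matching rule (an unanchored, case-sensitive regex tested against the full path) are assumptions.

```python
import configparser
import re

# The stanza from this page, written out in inputs.conf syntax.
INPUTS_CONF = r"""
[monitor://C:/Windows\System32\dhcp]
sourcetype = dhcp
crcSalt = <SOURCE>
alwaysOpenFile = 1
disabled = false
whitelist = Dhcp.+\.log
"""

# Constructed listing of a DHCP audit log directory (sample names only).
SAMPLE_FILES = ["DhcpSrvLog-Mon.log", "DhcpSrvLog-Tue.log",
                "DhcpV6SrvLog-Mon.log", "dhcp.mdb", "j50.log", "j50.chk"]

EXPECTED = {"sourcetype": "dhcp", "crcSalt": "<SOURCE>",
            "alwaysOpenFile": "1", "disabled": "false"}


def monitor_stanzas(conf_text):
    """Return {stanza name: settings} for every [monitor://...] stanza."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep key case: crcSalt, alwaysOpenFile
    parser.read_string(conf_text)
    return {name: dict(parser[name]) for name in parser.sections()
            if name.startswith("monitor://")}


def audit(conf_text, filenames):
    """Report setting mismatches and which files the whitelist selects."""
    report = {}
    for name, settings in monitor_stanzas(conf_text).items():
        base = name[len("monitor://"):]
        # Assumption: the whitelist is an unanchored, case-sensitive regex
        # tested against the full file path.
        pattern = re.compile(settings.get("whitelist", ""))
        picked = [f for f in filenames if pattern.search(base + "\\" + f)]
        wrong = {k: settings.get(k) for k, v in EXPECTED.items()
                 if settings.get(k) != v}
        report[name] = {"monitored": picked, "mismatched": wrong}
    return report


if __name__ == "__main__":
    for stanza, result in audit(INPUTS_CONF, SAMPLE_FILES).items():
        print(stanza, result)
```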
Linux DHCP
For Linux-based DHCP servers, add a monitor for the DHCP log so that it is added to the inputs.conf file:
> /opt/splunkforwarder/bin/splunk add monitor /var/log/dhcpd.log