Microsoft DHCP Server


    Use this document to install and configure the Filebeat agent to send Microsoft DHCP Server logs to Samurai using the Samurai Local Collector deployed in your network.

    To complete this Integration you will need to:

    1. Ensure correct network connectivity
    2. Download & Install Filebeat
    3. Configure & Enable DHCP Server Audit Logging
    4. Configure & Start Filebeat

    Note: This guide is based on the premise of a single Samurai Local Collector installation with deployment of a single Windows host with the DHCP Server service enabled and configured. Repeat the steps outlined in this guide for each Microsoft DHCP Server and site.

    Ensure correct network connectivity

    You must ensure the following connectivity requirements are fulfilled:

    Source                       Destination               Ports      Description
    Microsoft DHCP Server Host   Samurai Local Collector   TCP/5044   For log transmission

    Download & Install Filebeat

    Perform the steps outlined in Step 1: Install Filebeat as per the vendor documentation.

    Note: Make sure to click the Windows tab for OS selection.

    Configure & Enable DHCP Server Audit Logging

    Note: DHCP Server Audit Logging should be enabled by default; these steps validate that logging is enabled and determine the logging path.

    Configure via PowerShell

    1. To view the DHCP Audit logging config, run the command Get-DhcpServerAuditLog.

      PS C:\> Get-DhcpServerAuditLog

      Path              : C:\Windows\system32\dhcp
      Enable            : True
      MaxMBFileSize     : 70
      DiskCheckInterval : 50
      MinMBDiskSpace    : 20
      
    2. Verify that the flag Enable is set to True.

      1. If logging is not enabled, run the command Set-DhcpServerAuditLog. An example command with arguments is presented below.

        PS C:\> Set-DhcpServerAuditLog -Enable $True -Path C:\dhcp
        
      2. The DHCP server needs to be restarted after logging has been enabled. Run the following command to restart the service.

        PS C:\> Restart-Service DHCPServer
        
    3. Note down the file path that has been configured; it will be used later in the section Configure & Start Filebeat.

    Configure & Start Filebeat

    1. Open the Filebeat installation folder and edit the file filebeat.yml.
    2. Modify the template below by replacing the placeholder IP_OF_LOCAL_COLLECTOR with the IP address of the Samurai Local Collector.
    3. Modify the paths section of the template to use the path that was configured for the DHCP Server Audit log file location in Configure & Enable DHCP Server Audit Logging.
      Note: Follow the vendor documentation when configuring the paths section.
    # ============================== Filebeat inputs ===============================
    filebeat.inputs:
      - type: filestream
        id: win_dhcp
        enabled: true
        paths:
          - 'C:\Windows\System32\dhcp\Dhcp*'
        include_lines: ['^\d+,(\d+\/){2}\d+,.*$']
        tags: [win_dhcp_server]
    #------------------------------ Logstash Output -------------------------------
    output.logstash:
      hosts: ["IP_OF_LOCAL_COLLECTOR:5044"]
    
    4. Replace the default configuration of filebeat.yml with the modified template and save the file.

    5. Perform the steps outlined in Step 5: Start Filebeat as per the vendor documentation to start the service.

      Note: Make sure to click the Windows tab for OS selection.
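
    A pre-flight check for the steps above, to run in an elevated PowerShell session on the DHCP server host before starting Filebeat. This is an added example, not part of the Samurai or vendor documentation; the script, its -Collector and -Port parameters and the DhcpSrvLog file-name filter (narrower than the template's Dhcp* glob) are assumptions.

```powershell
# Added example (not vendor code): verifies audit logging, the include_lines
# filter and collector reachability before the Filebeat service is started.
param(
    # Assumption: IP address of the Samurai Local Collector, supplied by the operator.
    [Parameter(Mandatory)] [string]$Collector,
    [int]$Port = 5044
)

# Same pattern as include_lines in the filebeat.yml template.
$IncludePattern = '^\d+,(\d+\/){2}\d+,.*$'

# 1. Audit logging must be enabled; Path is the directory for the 'paths' setting.
$audit = Get-DhcpServerAuditLog
if (-not $audit.Enable) {
    Write-Warning 'DHCP audit logging is disabled; enable it with Set-DhcpServerAuditLog.'
}
Write-Output "Audit log directory for filebeat.yml paths: $($audit.Path)"

# 2. Count the lines in each audit file that the include_lines filter would ship.
#    Audit files are named DhcpSrvLog-<Day>.log and DhcpV6SrvLog-<Day>.log.
$files = @(Get-ChildItem -Path $audit.Path -Filter 'Dhcp*SrvLog-*.log' -File)
if ($files.Count -eq 0) {
    Write-Warning "No DHCP audit log files found in $($audit.Path)."
}
foreach ($file in $files) {
    $lines = @(Get-Content -Path $file.FullName)
    $kept  = @($lines | Where-Object { $_ -match $IncludePattern })
    Write-Output ('{0}: {1} of {2} lines match include_lines' -f $file.Name, $kept.Count, $lines.Count)
}

# 3. The collector must accept TCP connections on the log transmission port.
$conn = Test-NetConnection -ComputerName $Collector -Port $Port -WarningAction SilentlyContinue
if ($conn.TcpTestSucceeded) {
    Write-Output "TCP/$Port to $Collector is reachable."
} else {
    Write-Warning "TCP/$Port to $Collector is not reachable; check firewall rules on the path."
}
```

    A file that reports 0 matching lines contains only the audit log header so far, which the include_lines filter drops by design.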

    Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.