DHCP
DHCP is one of the core event sources in InsightIDR, meaning it is critically important for user attribution. DHCP servers lease IP addresses to endpoints on the network; InsightIDR monitors these lease events, allowing the tool to map IP addresses back to hostnames in your environment. Understanding these relationships is critical, as many other event sources will only include IP addresses in their logs. With DHCP data, InsightIDR will automatically correlate IP addresses with endpoints.
InsightIDR will reinforce hostname to IP mappings via the Insight Agent.
Using Azure in your environment? Click here for more information.
Before You Begin
You must do several things before you can start collecting DHCP logs.
First, decide how to collect your DHCP logs:
Then, decide how to address the following issues:
After you make these decisions, you can configure one of the InsightIDR DHCP event sources:
- Alcatel-Lucent VitalQIP
- Bluecat DNS/DHCP
- Cisco IOS
- Cisco Meraki DHCP
- Dnsmasq DHCP
- Infoblox Trinzic
- ISC dhcpd
- Microsoft DHCP
- MikroTik
- Rapid7 Universal DHCP
- Sophos UTM
DHCP Server Logs via Watch Directory
The Insight platform can collect DHCP audit logs. To prepare to collect the DHCP audit trail, DHCP logs need to be written into a folder that the collector can connect to as a network share. This folder should be changed from the default location and should contain only the DHCP logs.
Do not use the default folder location.
If you use the default folder, other DHCP binary files will also be present in this folder, causing the InsightIDR DHCP event source to produce warnings when it tries to read these files. This may potentially disrupt the Microsoft DHCP service.
Rapid7 recommends that the folder for DHCP logging resides on the root (C) drive of the server that hosts the DHCP. For example, C:\dhcplogs
To start collecting DHCP server logs:
- Create a folder for the DHCP logs.
C:\dhcplogs
is the recommended directory for storing DHCP logs. - Right click the folder and select Properties from the dropdown menu.
- In Properties, click the Sharing tab. Select Advanced Sharing.
- In Advanced Sharing, select Share this folder and then click Permissions.
- In Share Permissions, click Add. Provide the credential that accesses this file. Include the username and password for this credential in InsightIDR when the DNS event source is set up.
- Launch the DHCP console.
- Right click IPv4 and select Properties from the dropdown menu.
- Click the Advanced tab. In the
Audit log file path
field, change the destination folder to the folder that stores the DHCP logs.
How to Configure This Event Source with Watch Directory
In InsightIDR, you can configure the DHCP event source to read the shared folder using UNC notation (Universal Naming Convention) and by providing the credential that was used when setting up the shared folder.
To configure the new event source in InsightIDR:
- From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
- Do one of the following:
- Search for a DHCP event source in the event sources search bar.
- In the Product Type filter, select DHCP.
- Select the tile for the DHCP event source to configure.
- Choose your collector. You can also name your event source if you want.
- Choose a time zone. You have the option to display US time zones only.
- Optionally choose to send unfiltered logs.
- Configure any Advanced Event Source Settings.
- Select Watch Directory as your collection method.
- Specify the folder path you previously configured and enter a scan interval.
- Optionally select a file pattern and watch a shared remote directory, such as
DhcpSrvLog*.log
. - Click Save.
DHCP Logs via Syslog
Before you can setup a DHCP event source to Listen on Network Port, ensure that the DHCP host is logging all DHCP activity.
Additionally, make sure you configure the DHCP host to send logs to a collector on a unique UDP or TCP port (above 1024) and by specifying it as a syslog server.
How to Configure This Event Source with Syslog
To configure the new event source in InsightIDR:
- From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
- Do one of the following:
- Search for a DHCP event source in the event sources search bar.
- In the Product Type filter, select DHCP.
- Select the DHCP event source tile.
- Choose your collector. You can also name your event source if you want.
- Choose a time zone. You have the option to display US time zones only.
- Optionally choose to send unfiltered logs.
- Configure any Advanced Event Source Settings.
- Select Listen on Network Port and specify a port and a protocol.
- Optionally choose to Encrypt the event source if choosing TCP by downloading the Rapid7 Certificate.
- Click Save.
DHCP Coverage
In a full deployment, you'll need to configure DHCP event sources for all DHCP servers in your environment. If you notice unknown values for assets or users in Log Search (such as in the screenshot below), it is typically due to lacking DHCP data.
Unknown IP Addresses
When possible, configure additional DHCP event sources and/or endpoint monitoring so that InsightIDR can correlate these IP addresses with hostnames.
See IP Addresses for more information.
Azure and DHCP
For InsightIDR, the user attribution relies on accurate and up-to-date hostname to IP mappings, which are typically provided by a DHCP server. While Azure does have an API to provide a listing of all the Azure hosts and the corresponding IP addresses, the API does not update in realtime and therefore cannot be used for attribution in InsightIDR.
In order to attribute assets in an Azure environment, you must install the The Insight Agent, on all assets in your Azure environment, and provision a Collector in your Azure network to deliver the agent logs to InsightIDR (no event sources are required to be installed on this Collector to support the Insight Agent). The agent will provide up to date hostname to IP information for the assets it is installed on.
Troubleshooting Configuration Issues
If the DHCP or DNS event sources experience an error, the event source icon will turn to a yellow warning or red failure. Moving the mouse over the icon will reveal the details of the error. Typical errors of this sort are failure to connect to the server, bad credentials, or failure to find the file or folder configured in the event source.
Sometimes the DHCP and DNS event sources might not be reading any logs even if they don't show a warning or error. In this situation, try the following tests.
- Can you connect to the DHCP or DNS server file share when you log on to the machine running the InsightIDR collector?
- Is there a typo in the file pattern in the DHCP configuration? If the file pattern is wrong, none of the files in the directory will match.
- Has srv.sys been set to start on demand on the server? Srv.sys should be set to start on demand. For more information, please read Srv.sys.