DHCP Troubleshooting

In a successful setup, the following will occur between your DHCP Server, its assets, and InsightIDR:

  • IP assignment log comes into the collector
  • The Collector makes a DNS request to see what computer now has the new IP address
  • The Collector sends the new IP address and the machine name log to backend servers
  • The events per minute (EPM) will show up for that event source

However, you may experience difficulties between your DHCP and InsightIDR, depending on the setup of your environment.

When assigning a dynamic IP address, some DHCP servers do not provide the name of the machine in their audit logs. This makes it challenging for a collector to figure out which machine has just been assigned a new IP address.

Use one of the following solutions to resolve your issues:

InsightIDR Unable to Produce EPM

If your DHCP server does not produce identifying logs, InsightIDR is unable to generate events per minute for that event source.

Try the following solutions in order to confirm whether or not there is an issue with InsightIDR:

  1. Replace the DHCP event source with a generic syslog to confirm InsightIDR is receiving logs. If generic syslog does not produce EPM, check your network or the appliance sending logs for errors.
  2. Use the Collector to make DNS requests to the IP address range that the DHCP server assigns. If the Collector cannot retrieve machine names for the IP range, it will not generate EPM.

Tombstone Errors

A tombstone error indicates a DHCP or VPN event source is in an error state or is not receiving data, or the event source's collector is not communicating with the Insight platform. Therefore, it is not attributing data from the incoming IP addresses to the users.

Because Tombstone errors are specific to the connected event sources, you should examine the details of the error to find out the specific event source that is malfunctioning.

Tombstone errors prevent InsightIDR from attributing activity to your users.

Any assets within the IP range observed from the event sources will no longer attribute activity from firewall, DNS queries, etc, to your users and assets.

Static Environment

In the situation where a network lacks DHCP servers and is entirely composed of fixed-IP systems, InsightIDR can still support the environment, with special setup instructions for the Collector. This method is not foolproof, but is intended to be a supplementary option for your environment.

It is recommended that you also use Microsoft Active Directory, LDAP, and Domain Controllers in your environment with this setup.

  1. When setting up the core event sources on the Collector page, set the expected number of DHCP server count to "0"
  2. Reload the page in the browser. If you've added LDAP and Active Directory, you'll now be able to add additional event sources.
  3. InsightIDR will still use ActiveDirectory logs and the Endpoint Monitor as long as these are Windows assets in order to tie the fixed IP to specific assets.

Non-Windows Machines

In order for InsightIDR to discover non-windows assets, make sure you specify the static IP addresses or ranges for InsightIDR to scan. InsightIDR will use DNS to discover the host names for these IP addresses in order to attribute traffic to the asset.