Microsoft Dynamic Host Configuration Protocol (DHCP) is used as part of the IP address ↔ asset mapping. If an IP address is seen by InsightIDR in log data or endpoint data, InsightIDR needs to determine what asset to attribute the IP address to. It usually uses DHCP to do this.
You can configure this event source using two methods:
- Configure with a Domain Admin Account: Use this method if you want to collect logs using a Domain Admin account.
- Configure with NXLog: Use this configuration method if you don’t want to use a Domain Admin account to collect logs.
Logs are Not Parsed or Attributed
Time is important for attribution, so if multiple time zones appear in a single event source, the data will be disregarded rather than misattributed. It is important that there be one event source per DHCP server or, if that is not possible, at least one event source for each time zone. For example, one event source for DHCP servers in EST and one for those in CST.
Microsoft DHCP Servers Logs
Microsoft DHCP and DNS servers use similar technology to produce audit logs. In both cases, when logging is enabled, the services log their activity to a configured location on the file system. In order to read those logs in InsightIDR, we provide file and directory watchers to automatically read in any changes to these log files. Share the folder that contains the log files in order to enable the collector to read these files over the network. This folder needs to be shared with a read-only credential that will also be provided to the DHCP and DNS event source configurations.
The DHCP servers assign addresses to network devices. InsightIDR uses DHCP information to tie users to their various assets and ever-changing IP addresses. This event source is critical for asset-to-IP correlation.
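The parsing and attribution described above, as an added PowerShell example that is not InsightIDR's own parser or Rapid7's code: it reads lines in the Microsoft DHCP audit-log format (the DhcpSrvLog-*.log files), normalises the server-local timestamps to UTC using the event source's time zone, and answers "which asset held this IP address at this moment?". The log lines are constructed sample data, the function names are this example's own, and the time zone ID is the Windows name for Eastern time; the sample date is a US DST transition day to show why the zone matters.

```powershell
# Added example, not InsightIDR's own parser: parse Microsoft DHCP audit-log
# lines, convert their server-local timestamps to UTC for one event source's
# time zone, and attribute an IP address to the asset holding its lease.
# Sample log lines below are constructed; function names are this example's own.

# DHCP audit-log event IDs that start or end a lease for an address.
$LeaseStart = @('10', '11', '20')  # Assign, Renew, BOOTP lease
$LeaseEnd   = @('12', '16', '17')  # Release, Deleted, Expired

function ConvertFrom-DhcpAuditLog {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [Parameter(Mandatory)] [string]   $TimeZoneId   # e.g. 'Eastern Standard Time'
    )
    $tz = [TimeZoneInfo]::FindSystemTimeZoneById($TimeZoneId)

    # Real files open with a free-text preamble explaining the event IDs;
    # skip everything before the CSV header line.
    $headerIndex = -1
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i].StartsWith('ID,Date,Time,')) { $headerIndex = $i; break }
    }
    if ($headerIndex -lt 0) { throw 'No DHCP audit-log header line found' }
    $rows = $Lines[$headerIndex..($Lines.Count - 1)] | ConvertFrom-Csv

    foreach ($row in $rows) {
        # Timestamps are written in the DHCP server's local time (MM/dd/yy HH:mm:ss);
        # attach the event source's zone and normalise to UTC before comparing.
        $local = [datetime]::ParseExact("$($row.Date) $($row.Time)", 'MM/dd/yy HH:mm:ss',
                                        [cultureinfo]::InvariantCulture)
        if ($tz.IsInvalidTime($local)) { continue }   # inside a DST gap: cannot be placed in time
        [pscustomobject]@{
            Id          = $row.ID
            Description = $row.Description
            TimeUtc     = [TimeZoneInfo]::ConvertTimeToUtc($local, $tz)
            IPAddress   = $row.'IP Address'
            HostName    = $row.'Host Name'
            MacAddress  = $row.'MAC Address'
        }
    }
}

function Get-DhcpAssetAt {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [Parameter(Mandatory)] [string]   $IPAddress,
        [Parameter(Mandatory)] [datetime] $AtUtc
    )
    # Replay the lease events for this address in UTC order; whichever asset
    # holds the lease at $AtUtc is the one the address is attributed to.
    $holder = $null
    foreach ($e in ($Events | Where-Object IPAddress -eq $IPAddress | Sort-Object TimeUtc)) {
        if ($e.TimeUtc -gt $AtUtc) { break }
        if ($LeaseStart -contains $e.Id)    { $holder = $e }
        elseif ($LeaseEnd -contains $e.Id)  { $holder = $null }
    }
    return $holder
}

# Constructed sample in the DhcpSrvLog-*.log layout (preamble, header, rows).
$SampleLog = @'
		Microsoft DHCP Service Activity Log

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID,Dhcid,VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),RelayAgentInformation,DnsRegError.
24,03/10/24,01:59:00,Database Cleanup Begin,,,,,0,6,,,,,,,,,0
10,03/10/24,01:59:30,Assign,10.1.2.50,ws-alice.corp.example,001A2B3C4D5E,,1234,0,,,,,,,,,0
12,03/10/24,03:05:00,Release,10.1.2.50,ws-alice.corp.example,001A2B3C4D5E,,1235,0,,,,,,,,,0
10,03/10/24,03:06:00,Assign,10.1.2.50,ws-bob.corp.example,00AABBCCDDEE,,1236,0,,,,,,,,,0
'@

$events = ConvertFrom-DhcpAuditLog -Lines ($SampleLog -split "`r?`n") -TimeZoneId 'Eastern Standard Time'
$events | Format-Table Id, Description, TimeUtc, IPAddress, HostName

# 2024-03-10 is the US spring DST change: 01:59:30 EST is 06:59:30Z and 03:05:00 EDT
# is 07:05:00Z, so the two leases on 10.1.2.50 are only minutes apart in real time.
Get-DhcpAssetAt -Events $events -IPAddress '10.1.2.50' -AtUtc ([datetime]::new(2024, 3, 10, 7, 0, 0, [DateTimeKind]::Utc))   # ws-alice
Get-DhcpAssetAt -Events $events -IPAddress '10.1.2.50' -AtUtc ([datetime]::new(2024, 3, 10, 7, 10, 0, [DateTimeKind]::Utc))  # ws-bob
```

Treating those local timestamps with a fixed offset, or with the wrong zone, would place the second lease an hour later and attribute 10.1.2.50 to the wrong workstation for that hour; that is the misattribution the one-zone-per-event-source rule above prevents.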
Rapid7 recommends that the folder for DHCP logging resides on the root (C) drive of the server that hosts the DHCP, for example, C:\dhcplogs.
By default, the Microsoft DHCP database and the logs are stored in the same folder. It is highly recommended that the logs be moved to a separate folder. If this is not possible, collection of the logs can be configured by using the option to specify a File Pattern, such as dhcpsrv*.log.
Also, the recommendation is to share the folder where the logs are stored as a hidden share and give only the service account being used for the log collection read access to the share.
To enable logging from DHCP:
- Create a folder for the DHCP logs. C:\dhcplogs is the recommended directory for storing DHCP logs.
- Right click the folder and select Properties from the drop-down menu. In the Properties dialog, click the Sharing tab and then click the Advanced Sharing button.
- In the Advanced Sharing dialog, select Share this folder and then click the Permissions button.
- In the Share Permissions dialog, click the Add… button and provide the credential that will read this folder. Include the user name and password for this credential in InsightIDR when the DNS event source is set up.
- Launch the DHCP console.
- Right-click IPv4, and select Properties from the drop-down menu.
- Click the Advanced tab. In the Audit log file path field, change the destination folder to the folder that stores the DHCP logs.
It is strongly recommended that you select a folder other than the default folder that is used as the log folder. If you use the default folder, other DHCP binary files will also be present in this folder causing the InsightIDR DHCP event source to produce warnings when it tries to read these files. This may potentially disrupt the Microsoft DHCP service.
On the InsightIDR side, you can configure the DHCP event source to read the shared folder via UNC notation and by providing the credential that was used when setting up the shared folder. UNC notation is Microsoft's Universal Naming Convention which is a common syntax used to describe the location of a network resource. A file filter of DhcpSrvLog*.log should be used to ensure that only the DHCP log files are read by InsightIDR.
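The same setup done from an elevated PowerShell prompt on the DHCP server, as an added example that is not Rapid7's or Microsoft's own script: it creates the log folder on the root drive, shares it as a hidden share readable only by the collection account, moves the DHCP audit log there, and prints the UNC path and file filter to enter on the InsightIDR side. CORP\svc-insightidr (the read-only collection account) and dhcplogs$ (the hidden share name) are placeholders; the cmdlets are from the built-in SmbShare and DhcpServer modules.

```powershell
# Added example, not Rapid7's or Microsoft's own script: the folder, hidden
# read-only share and audit-log path from the procedure above, scripted.
# Placeholders: CORP\svc-insightidr (collection account), dhcplogs$ (share name).
#Requires -RunAsAdministrator
#Requires -Modules SmbShare, DhcpServer

$LogFolder   = 'C:\dhcplogs'
$ShareName   = 'dhcplogs$'             # a trailing $ hides the share from browsing
$ReadAccount = 'CORP\svc-insightidr'   # placeholder service account used by the collector

# 1. A log folder on the root drive, separate from the DHCP database directory,
#    so the collector never has to skip the database's binary files.
New-Item -Path $LogFolder -ItemType Directory -Force | Out-Null

# 2. NTFS: the collection account only needs to read the logs.
icacls $LogFolder /grant "${ReadAccount}:(OI)(CI)RX" | Out-Null

# 3. Share: create it hidden with read access for that account only. Without an
#    explicit access parameter New-SmbShare would grant Everyone read access.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $LogFolder -ReadAccess $ReadAccount | Out-Null
}
Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue | Out-Null

# 4. Point the DHCP audit log at the new folder and enable it; the DHCP Server
#    service uses the new path after it restarts.
Set-DhcpServerAuditLog -Path $LogFolder -Enable $true
Restart-Service -Name DHCPServer

# 5. Show the result and the values to enter on the InsightIDR side: the share's
#    UNC path and the file filter that limits reads to the audit logs.
Get-DhcpServerAuditLog | Format-List Path, Enable
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessRight
"UNC path   : \\$($env:COMPUTERNAME)\$ShareName"
'File filter: DhcpSrvLog*.log'
```

The script grants nothing to the account the DHCP Server service itself runs as; if no DhcpSrvLog-*.log files appear in the folder after the restart, compare the folder's ACL with the account shown by `(Get-CimInstance Win32_Service -Filter "Name='DHCPServer'").StartName`. Keep the share read-only for the collection account: the collector never needs to write, and a read-only hidden share limits what that credential can do if it is ever exposed.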
Configure With NXLog
If you do not wish to create a file share on your DHCP server, collecting and sending the logs with NXLog is an option. To use NXLog, you must install it on the DHCP server. NXLog will read the DHCP logs and send them to your InsightIDR Collector using syslog.
To configure with NXLog:
- Download and install NXLog. For instructions on how to do this, see the NXLog page.
- From your InsightIDR dashboard, select Data Collection on the left menu.
- When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
- From the User Attribution section, click the DHCP icon. The Add Event Source panel appears.
- Choose your collector.
- Select Microsoft DHCP as your event source and give it a descriptive name.
- Choose the time zone that matches the location of your event source logs.
- Leave the defaults for Inactivity timeout threshold and Active failover partner.
- Click the Listen for Syslog button.
- In the Port field, enter in a port you wish to use for this event source. You cannot use a port that you already use for another event source.
- For Protocol, use either UDP or TCP. Although this event source supports both protocols, be aware that NXLog must be configured to send logs using the protocol you select.
- Click Save.
- Follow the instructions in the Microsoft DHCP section of the NXLog page to edit the nxlog.conf file to collect the Security Log and forward it to InsightIDR.