Monitoring DHCP through Audit Logging
Q. What is audit logging? Discuss how to locate and analyze DHCP audit logs in Windows Server 2003.
By default, all DHCP server activity is recorded and written daily to a text file. This DHCP logging feature, known as Audit Logging, allows you to monitor and troubleshoot DHCP server performance.
Exploring DHCP Audit Logging
- The DHCP Server service writes daily audit logs to the folder WINDOWS\System32\Dhcp. These audit log files are text files named after the day of the week.
- For example, DhcpSrvLog-Mon is the log file that records all DHCP server activity between midnight and 11:59 P.M. on Monday, and DhcpSrvLog-Tue is the log file that records all DHCP server activity between midnight and 11:59 P.M. on Tuesday. Audit log files are typically overwritten after seven days, at which time a new log file of the same name is created.
Locating the audit log file location
Disabling audit logging
Assuming the default is set, the largest size that the current audit log file can reach is 1 MB. Also by default, if the amount of disk space remaining on the server disk falls below 20 MB, audit logging is halted. When sufficient space again becomes available, DHCP audit logging resumes.
DHCP Server Log File Format
- DHCP server logs are comma-delimited text files with each log entry representing a single line of text.
- A log file entry contains the fields of ID, Date, Time, Description, IP Address, Host Name, and MAC Address. A comma is used to separate each field, even when a field is empty. For example, in the following log entry, two commas in a row indicate that both the IP Address and MAC Address fields are empty:
55,06/03/03,09:08:57,Authorized(servicing),,domain1.local,,
DHCP Server Log Fields
| Field | Description |
|---|---|
| ID | A DHCP server event ID code |
| Date | The date on which this entry was logged on the DHCP server |
| Time | The time at which this entry was logged on the DHCP server |
| Description | A description of this DHCP server event |
| IP Address | The IP address of the DHCP client |
| Host Name | The host name of the DHCP client |
| MAC Address | The Media Access Control (MAC) address used by the network adapter hardware of the client |
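
An added example, not from the original post: a Python parser for the seven-field format above that answers a common audit question, namely which client held a given IP address. The first data line of the sample is the entry quoted above; the header row and all other lines are constructed, and the MM/DD/YY date order is an assumption.

```python
import csv
from collections import namedtuple
from datetime import datetime

# Field order as listed in the "DHCP Server Log Fields" table.
FIELDS = ["id", "date", "time", "description", "ip", "host", "mac"]
Entry = namedtuple("Entry", ["id", "when", "description", "ip", "host", "mac"])

# Constructed sample, except the ID 55 line, which is quoted from the page.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
55,06/03/03,09:08:57,Authorized(servicing),,domain1.local,,
10,06/03/03,09:12:31,Assign,192.168.0.21,client1.domain1.local,000D88A1B2C3,
11,06/03/03,13:12:31,Renew,192.168.0.21,client1.domain1.local,000D88A1B2C3,
10,06/03/03,14:02:10,Assign,192.168.0.22,client2.domain1.local,000D88FFEE01,
truncated,line
"""


def parse_audit_log(text):
    """Parse audit log text into Entry tuples; empty fields stay ''."""
    entries = []
    for row in csv.reader(text.splitlines()):
        # Skip blank lines, header text and rows without a numeric event ID.
        if len(row) < len(FIELDS) or not row[0].strip().isdigit():
            continue
        # zip() stops at seven fields, so a trailing comma is ignored.
        rec = dict(zip(FIELDS, (f.strip() for f in row)))
        try:
            # Assumption: dates are MM/DD/YY and times are 24-hour.
            when = datetime.strptime(rec["date"] + " " + rec["time"],
                                     "%m/%d/%y %H:%M:%S")
        except ValueError:
            continue  # malformed timestamp: drop the row rather than guess
        entries.append(Entry(int(rec["id"]), when, rec["description"],
                             rec["ip"], rec["host"], rec["mac"]))
    return entries


def clients_for_ip(entries, ip):
    """Return (timestamp, host, mac) for each entry naming ip, oldest first."""
    hits = [(e.when, e.host, e.mac) for e in entries if e.ip == ip]
    return sorted(hits, key=lambda h: h[0])


if __name__ == "__main__":
    for when, host, mac in clients_for_ip(parse_audit_log(SAMPLE_LOG),
                                          "192.168.0.21"):
        print(when.isoformat(), host, mac)
```

Because each daily file is overwritten after seven days, a lookup like this only covers the past week unless the files are copied elsewhere first.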

