Microsoft DHCP Integration Guide
This guide provides configuration instructions for Microsoft Dynamic Host Configuration Protocol (DHCP) logging so that the logs can be forwarded to a supported agent for security monitoring. Supported agents are listed under Connect Microsoft Windows Event Log.
The Secureworks® Taegis™ XDR On-Premises Data Collector accepts DHCP logs in a comma-delimited format.
Connectivity Requirements
Taegis™ XDR Collector (mgmt IP)
Data Provided from Integration
Taegis™ XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
Logging Configuration Instructions
Windows servers must be configured to send DHCP logs via syslog to the Taegis™ XDR Collector.
Please refer to the vendor’s site for configuration guidance.
The data source must be configured to report timestamps in UTC so that Secureworks® Taegis™ XDR reports the correct time zone.
NXLog Community Edition (CE) does not support converting timestamps to UTC. If that conversion is required, a different product such as NXLog Enterprise Edition must be used.
An example of logging instructions:
If you use the NXLog template for DHCP logging, make sure the DHCP log file path listed in the template matches the audit log file path configured on the DHCP server.
Sample Logs
January 1 2021 01:01:01 10.10.10.10 DHCPLog: 10,01/01/01,01:01:01,Assign,192.0.2.10,sampleHost1,000000000000,,17739,0,,,
January 1 2021 01:01:01 10.10.10.10 DHCPLog: 10,01/01/01,01:01:01,Assign,192.0.2.20,sampleHost2, 000000000000,,3096562285,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0
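The two sample lines above are syslog-wrapped copies of Microsoft's comma-delimited DHCP audit log, and they show two things a parser has to cope with: older records carry 13 fields while newer ones carry 19, and some fields arrive with a leading space (the MAC address in the second line). The following Python is an added example, not code from Secureworks, Microsoft or NXLog. It assumes the forwarded payload keeps the column layout of Microsoft's DhcpSrvLog-*.log header (those column names and the event ID meanings come from Microsoft's DHCP audit log documentation, not from this page), and it takes a hypothetical `server_utc_offset_hours` parameter because the DHCP service writes Date/Time in the server's local time, which is exactly why the guide requires UTC timestamps; the parser converts to UTC so the analyst sees the same clock as XDR expects.

```python
"""Parse Microsoft DHCP audit-log lines received over syslog (added example)."""
import csv
from datetime import datetime, timedelta, timezone
from io import StringIO

# The two lines from the Sample Logs section, embedded so the example runs offline.
SAMPLE_LINES = [
    "January 1 2021 01:01:01 10.10.10.10 DHCPLog: 10,01/01/01,01:01:01,Assign,"
    "192.0.2.10,sampleHost1,000000000000,,17739,0,,,",
    "January 1 2021 01:01:01 10.10.10.10 DHCPLog: 10,01/01/01,01:01:01,Assign,"
    "192.0.2.20,sampleHost2, 000000000000,,3096562285,0,,,,0x4D53465420352E30,"
    "MSFT 5.0,,,,0",
]

# Column names as written in the header of Microsoft's DhcpSrvLog-*.log files
# (assumption: the forwarded payload keeps that layout). The first 13 columns are
# always present; the remaining six appear only on newer DHCP servers.
DHCP_COLUMNS = [
    "ID", "Date", "Time", "Description", "IP Address", "Host Name",
    "MAC Address", "User Name", "TransactionID", "QResult",
    "Probationtime", "CorrelationID", "Dhcid",
    "VendorClass(Hex)", "VendorClass(ASCII)", "UserClass(Hex)",
    "UserClass(ASCII)", "RelayAgentInformation", "DnsRegError",
]

# Meaning of the common event IDs, from Microsoft's DHCP audit log documentation.
EVENT_IDS = {
    "10": "A new IP address was leased to a client",
    "11": "A lease was renewed by a client",
    "12": "A lease was released by a client",
    "13": "An IP address was found to be in use on the network",
    "14": "A lease request could not be satisfied (address pool exhausted)",
    "15": "A lease was denied",
    "16": "A lease was deleted",
}

TAG = "DHCPLog: "  # tag the forwarding template places before the DHCP fields


def decode_hex_class(value):
    """Decode a 0x-prefixed vendor/user class field to ASCII, or '' if absent."""
    if not value.startswith("0x"):
        return ""
    try:
        return bytes.fromhex(value[2:]).decode("ascii", errors="replace")
    except ValueError:
        return ""


def parse_dhcp_syslog_line(line, server_utc_offset_hours=0):
    """Return a dict of named fields for one syslog-wrapped DHCP log line.

    server_utc_offset_hours (hypothetical parameter) is the DHCP server's local
    UTC offset; Date is MM/DD/YY and Time is HH:MM:SS in that local zone.
    """
    header, sep, payload = line.partition(TAG)
    if not sep:
        raise ValueError("not a DHCP log line, missing tag: %r" % line)
    # csv handles the comma-delimited payload; strip the leading space Microsoft
    # sometimes pads fields with (see the MAC in the second sample line).
    fields = [f.strip() for f in next(csv.reader(StringIO(payload)))]
    if len(fields) < 13:
        raise ValueError("expected at least 13 DHCP fields, got %d" % len(fields))
    record = dict(zip(DHCP_COLUMNS, fields))  # zip tolerates the 13-field form
    record["EventMeaning"] = EVENT_IDS.get(record["ID"], "unknown event ID")
    local = datetime.strptime(record["Date"] + " " + record["Time"],
                              "%m/%d/%y %H:%M:%S")
    local = local.replace(tzinfo=timezone(timedelta(hours=server_utc_offset_hours)))
    record["TimestampUTC"] = local.astimezone(timezone.utc).isoformat()
    record["VendorClassDecoded"] = decode_hex_class(record.get("VendorClass(Hex)", ""))
    record["SyslogHeader"] = header.strip()
    return record


def lease_inventory(lines, server_utc_offset_hours=0):
    """Map each leased IP to (host name, MAC, UTC time) using assign/renew events.

    This is the IP-to-host attribution an analyst needs when pivoting from an
    alert that only carries a client IP address.
    """
    inventory = {}
    for line in lines:
        rec = parse_dhcp_syslog_line(line, server_utc_offset_hours)
        if rec["ID"] in ("10", "11"):
            inventory[rec["IP Address"]] = (
                rec["Host Name"], rec["MAC Address"], rec["TimestampUTC"])
    return inventory


if __name__ == "__main__":
    for ip, (host, mac, ts) in lease_inventory(SAMPLE_LINES, -5).items():
        print(ip, host, mac, ts)
```

Feeding the second sample line through `parse_dhcp_syslog_line` with a server offset of UTC-5 yields a `TimestampUTC` of 06:01:01 rather than the 01:01:01 written in the log, which illustrates why the guide insists that the source report UTC: without the conversion, lease times would be attributed to the wrong hour. The decoded vendor class (`0x4D53465420352E30` is the ASCII string `MSFT 5.0`) doubles as a consistency check against the `VendorClass(ASCII)` column.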