Windows 2003 DHCP Server logs


phish...@gmail.com

Mar 16, 2009, 11:23:38 PM
to ossec-list
I've taken some time and created a basic decoder as well as some rules
for a Windows Server 2003 DHCP server. I've not yet had an opportunity
to test but I plan to as early as tomorrow morning. Would anyone be
interested in something like this?

I thought this might be useful for tracking which host/machine had
which IP address at any given time. I currently use various open
source solutions for network mapping (switch ports, routers, etc.) but
I am in a m$ environment. I use m$ servers for DHCP and their logs
rotate weekly. I needed a better way to prove which machines had which
IP addresses at any given time.

Disclaimer: I'm a n00b with this project. I've been using it in a lab
environment on and off for the past year or so to see what I might be
able to do with it. I think it's an awesome project with a lot of
potential.

phishphreek

Daniel Cid

Mar 25, 2009, 2:36:18 PM
to ossec...@googlegroups.com, phish...@gmail.com
Hey,

Yes, that sounds very interesting. Please share with us :) If you need
any help, just ask.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

Derek J. Morris

Apr 8, 2009, 12:57:14 PM
to ossec...@googlegroups.com
Anyone hear from this user on this decoder?

phish phreek

May 8, 2009, 3:43:48 PM
to ossec...@googlegroups.com
To those who have been waiting for this. I'm sorry! I got sidetracked with a bunch of other projects and I forgot to send this to the list. I'm in the process of setting up a Windows 2008 DHCP Server and I'll check to see that these rules work for 2008 too. I've tried to provide instructions on how to add this to your environment. Hopefully I didn't leave out any steps.

1. Modify the ossec.conf file on the DNS server to tell OSSEC to monitor the DHCP log. These logs rotate daily and then get overwritten weekly.

<ossec_config>
  <localfile>
    <location>%windir%\system32\dhcp\*.log</location>
    <log_format>syslog</log_format>
  </localfile>
</ossec_config>

2. Modify the decoder.xml file on the OSSEC server with the following decoder. It is located in the ossec /etc folder.

<decoder name="ms-dhcp">
  <prematch>\d+,\d+/\d+/\d+,\d+\p\d+\p\d+,</prematch>
  <regex>(\d+),\d+/\d+/\d+,\d+\p\d+\p\d+,(\.*),(\.*),(\.*),(\.*),(\.*)</regex>
  <order>id, action, srcip, system_name, extra_data, user</order>
</decoder>

3. Copy the attached ms_dhcp_rules.xml file in the OSSEC server's /rules directory.

NOTE: Since the dhcpd rules were 12100 range, I incremented my rule IDs to 12200 and up. Not sure if this is against policy since "user" signature IDs were supposed to be in the 10K range? I left the rule severity at level 5 until I better understand it and I wasn't completely sure what to put for the group in the rules. I'll probably change that at some point.

4. Edit the ossec.conf file in your OSSEC server's /etc directory to include the new rule set.

<include>ms_dhcp_rules.xml</include>

5. Restart ossec and it should now be working.

I've tested this extensively using the ossec-logtest utility and as far as I can tell, it is working pretty well.

Oh, I've also modified the WUI so I can choose to filter out DHCP messages only. Edit the ossec_formats.php file in the wui/lib/ folder. You want to modify the "Microsoft" array to look like this. Not sure how this format is going to come out after going through email and such, so I'll attach this email as a .txt file too.

        "Microsoft" => array(
                "Microsoft (all)"        => "windows|msftp|exchange|dhcp"
        ,       "Windows"                => "windows"
        ,       "MS Ftp"                 => "msftp"
        ,       "Exchange"               => "exchange"
        ,       "DHCP"                   => "dhcp"
        ),

Hope this is helpful for someone else out there. There have been times where I've had to be able to prove who had a certain IP address at a given time because they showed up in the proxy log for one reason or another.

Thanks,

phishphreek
Attachments: ossec_email.txt, ms_dhcp_rules.xml

Derek J. Morris

May 11, 2009, 9:47:45 AM
to ossec...@googlegroups.com
I put this in based on the instructions but can't get the log to be read. Am I
missing anything here?

-Derek Morris

phish phreek

May 11, 2009, 11:33:04 AM
to ossec...@googlegroups.com
The ruleset that I emailed didn't work for Server 2008. It seems that they've added two new event ids for 2K8 IPv4 and IPv6. I've updated my ruleset file and separated the 2k3/2k8 ipv4 and 2k8 ipv6 rules. I'm not using IPv6 at this time, so I've just created a decoder and tested using what few log entries I could generate. I also had to create three separate decoders. One for the 2k3 ipv4, one for 2k8 ipv4 and one for 2k8 ipv6.

In the last rules file I emailed to the list, I chose IDs in the 12200 range since the named rules were in the 12100 range. I've left the ipv4 rules for 2k3 and 2k8 in the 12200 range and put the 2k8 ipv6 rules in the 12300 range.

Before I send the updated decoders and rules, I wanted to get a better understanding of the rule alert levels and rule groups. I've been looking over some of the documentation between the manual and the FAQs. I'm not sure that either of them are documented? I've also not been able to find valid "log types" to monitor. In my case, I just used syslog and it's working but I'm not sure if I should use something else?

Where can I find out the alert level scale? Or, how should I assign alert levels to my rules? I've set all my rules to alert level 5 to start.

Are the rule groups predefined or can I use my own? I've used some of the groups that I've seen defined in other rules such as "service_availability" but I've gone on to define my own such as "dhcp_lease_action","dhcp_maintenance","dhcp_dns_maintenance" and "dhcp_rogue_server".

Where is a list of valid log types that you define on the agent's ossec.conf file when you tell it to monitor a log?

When creating a decoder, the documentation lists the valid types. system_name is not listed as one of them but I've seen it used in other rules. Are there other allowed fields that are not listed in the decoder.xml file? I've used the "extra_data" field to insert MAC addresses but would prefer to use a "MAC" field if it is available.

Thanks in advance.

phishphreek

May 11, 2009, 3:42:56 PM
to ossec-list
My OSSEC server stopped processing these alerts as of midnight last
night. I noticed that logs timestamps are not changing. I don't know
how the OSSEC agent looks for the logs because I've told the agent to
look at *.log in the c:\windows\system32\dhcp folder. It successfully
processed Wednesday-Sunday's logs and then stopped. Once I restarted
the DHCP service, the timestamp on the log updated and OSSEC started
processing the logs and alerting as it should.

I've added an entry in the ossec.conf file on the DHCP server for each
day's log and restarted the agent. I don't think this is going to help
but we'll see...

Michael Starks

May 11, 2009, 7:15:27 PM
to ossec...@googlegroups.com
phish phreek wrote:
> In the last rules file I emailed to the list, I choose IDs in the 12200
> range since the named rules were in the 12100 range. I've left the ipv4
> rules for 2k3 and 2k8 in the 12200 range and put the 2k8 ipv6 rules in
> the 12300 range.

This will be OK for testing, but you're probably better off using rule
IDs in the user range of 100,000-120,000 so that there aren't any
conflicts during an upgrade. When they get accepted into the project,
Daniel will assign a unique group of IDs.

> Before I send the updated decoders and rules, I wanted to get a better
> understanding of the rule alert levels and rule groups. I've been
> looking over some of the documentation between the manual and the FAQs.
> I'm not sure that either of them are documented? I've also not been able
> to find valid "log types" to monitor. In my case, I just used syslog and
> it's working but I'm not sure if I should use something else?

OSSEC Rule ID Groupings and Best Practices:
http://ossec.net/wiki/index.php/Know_How:RuleIDGrouping

As to the log type, are the DHCP logs in the event log format? In that
case, you may want to try <type>windows</type>.

> Where can I find out the alert level scale? Or, how should I assign
> alert levels to my rules? I've set all my rules to alert level 5 to start.

This should help: http://ossec.net/wiki/index.php/Know_How:Rules_Severity

In my experience, however, simply use this as a guide. If there is
something that warrants a larger or smaller severity then simply use
good judgment.

> Are the rule groups predefined or can I use my own? I've used some of
> the groups that I've seen defined in other rules such as
> "service_availability" but I've gone on to define my own such as
> "dhcp_lease_action","dhcp_maintenance","dhcp_dns_maintenance" and
> "dhcp_rogue_server".

You can make up your own groups, but try to use the pre-defined groups
where it makes sense. More info here:
http://ossec.net/wiki/index.php/Know_How:Rule_Groups

> Where is a list of valid log types that you define on the agent's
> ossec.conf file when you tell it to monitor a log?

You can use strftime or globbing in the log name definition, otherwise,
just feed it a log file and use the decoder as a guide for the log type.
One hint: single line ASCII log files can be defined as syslog even if
they aren't properly syslog-formatted.

One final tip: use the local_decoder.xml file until this is accepted
into the project, because if you don't, you might lose all your work
during an upgrade!

Derek J. Morris

May 12, 2009, 9:15:00 AM
to ossec...@googlegroups.com
Update:

Adding all the days' DHCP log files into my ossec.conf file on the Win2003
DHCP server we use worked; I now see the monitoring of the logs. Note: restart the
Ossec service, then the DHCP service, then the Ossec service again. Will keep my eye on
it to make sure it still works ok after a few days.

-Derek

phishphreek

May 12, 2009, 11:40:39 PM
to ossec-list
> This will be OK for testing, but you're probably better of using rule
> IDs in the user range of 100,000-120,000 so that there aren't any
> conflicts during an upgrade. When they get accepted into the project,
> Daniel will assign a unique group of IDs.

I've gone back and changed the rules I've created to use the 120200
and 120300 range.

> OSSEC Rule ID Groupings and Best Practices: http://ossec.net/wiki/index.php/Know_How:RuleIDGrouping

Thanks! I've been having a bit of trouble locating documentation on
the website. I've printed and read the manual. I've slowly been going
through the wiki but I didn't see either of the links you've
posted... :( I do try to RTFM before asking questions, but I haven't
gotten down the navigation of the site's wiki.

> This should help: http://ossec.net/wiki/index.php/Know_How:Rules_Severity
>
> In my experience, however, simply use this as a guide. If there is
> something that warrants a larger or smaller severity then simply use
> good judgment.

I suppose that remains to be determined? ;) I've gone through and
changed them from the default 5 that I set. Hopefully the new alert
levels I've set will be more appropriate.

> You can make up your own groups, but try to use the pre-defined groups
> where it makes sense. More info here: http://ossec.net/wiki/index.php/Know_How:Rule_Groups

I've updated my rules to use the predefined groups where it makes
sense.

> One final tip: use the local_decoder.xml file until this is accepted
> into the project, because if you don't, you might lose all your work
> during an upgrade!

I didn't know there was even a local_decoder until now...

I've moved my decoders over to local_decoder and it tested fine with
new SIDs, alert levels and grouping.

Your reply was most helpful! :) I'll reply again with the latest
rules files and local decoder file. I hope I can contribute more to
this project. I already have a couple of ideas on how else to utilize
OSSEC. I have several services/devices that I can write decoders/rules
for. I'm just trying to figure out the exact purpose of OSSEC and how
I should use it in my environment.

phishphreek

May 12, 2009, 11:41:53 PM
to ossec-list
Great news. Mine is still alerting too. Feel free to email me directly
if you run into more problems. I'm only getting the digest of this
group.

On May 12, 9:15 am, "Derek J. Morris" <dmor...@digitalmorris.com>
wrote:

phish phreek

May 13, 2009, 12:01:07 AM
to ossec...@googlegroups.com
Here is the latest and *hopefully* final version. I've created three separate decoders for Windows DHCP server. One for Windows 2003 IPv4, one for Windows 2008 IPv4 and the last one for Windows 2008 IPv6. I'm not using IPv6, so I could only test a few log entries against the decoder. If someone is using 2K8 IPv6 and you can send me more logs, I'd be happy to test. Also, I'm pretty new to writing rules in regular expression. If you look at my decoders and think "WTF!", please let me know what I could do to make it better. ;)

I've moved my decoders from decoder.xml to local_decoder.xml as was recommended on the mailing list.

I've updated the ms_dhcp_rules.xml file to include 2 new rules from 2008 IPv4 as well as a separate section for 2008 IPv6 rules. I've changed them from the 12200/12300 range to 120200 for 2k3/2k8 IPv4 and 120300 for 2k8 IPv6. I also updated the alert levels to a little more reasonable level and I've changed the groups to match predefined groups when applicable.

The decoders also fixed a "bug" when trying to filter out the MAC address or "extra data". In the last decoder I posted, it didn't always get it right.

If you've followed my previous instructions, please remove the decoder from your OSSEC server's decoder.xml file and use the attached local_decoder.xml. If you're already using a local_decoder.xml file, then don't overwrite your copy with mine! Copy and paste the contents of mine into yours... Otherwise, the rest of the previous instructions still apply.

I'm still working out some possible bugs with the OSSEC agent monitoring the Windows logs. When I told the agent to monitor c:\windows\system32\dhcp\*.log it stopped monitoring on Sunday at Midnight. I'm not sure if that was due to timestamps not being updated or not. I've since added an entry in the OSSEC agent's ossec.conf file for each day's log and we'll see if that works better.

Will the dev team take notice of this on the list and decide if they want to include it in their project or do I need to send it elsewhere?
Attachments: ms_dhcp_rules.xml, local_decoder.xml

Derek J. Morris

May 20, 2009, 10:38:03 AM
to ossec...@googlegroups.com
Getting errors now:

2009/05/20 10:42:32 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
2009/05/20 10:42:32 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
2009/05/20 10:42:33 ossec-agent(1951): INFO: Analyzing event log: 'System'.
2009/05/20 10:42:34 ossec-agent(1103): ERROR: Unable to open file 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Sat.log'.
2009/05/20 10:42:34 ossec-agent(1950): INFO: Analyzing file: 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Sat.log'.
2009/05/20 10:42:34 ossec-agent(1103): ERROR: Unable to open file 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Sun.log'.
2009/05/20 10:42:34 ossec-agent(1950): INFO: Analyzing file: 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Sun.log'.
2009/05/20 10:42:34 ossec-agent(1103): ERROR: Unable to open file 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Mon.log'.
2009/05/20 10:42:34 ossec-agent(1950): INFO: Analyzing file: 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Mon.log'.
2009/05/20 10:42:34 ossec-agent(1103): ERROR: Unable to open file 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Tue.log'.
2009/05/20 10:42:34 ossec-agent(1950): INFO: Analyzing file: 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Tue.log'.
2009/05/20 10:42:34 ossec-agent(1103): ERROR: Unable to open file 'c:\windows\system32\dhcp\DhcpSrvLog-Wed.log'.
2009/05/20 10:42:34 ossec-agent(1950): INFO: Analyzing file: 'c:\windows\system32\dhcp\DhcpSrvLog-Wed.log'.
2009/05/20 10:42:34 ossec-agent(1103): ERROR: Unable to open file 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Thu.log'.
2009/05/20 10:42:34 ossec-agent(1950): INFO: Analyzing file: 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Thu.log'.
2009/05/20 10:42:34 ossec-agent(1103): ERROR: Unable to open file 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Fri.log'.
2009/05/20 10:42:34 ossec-agent(1950): INFO: Analyzing file: 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Fri.log'.
2009/05/20 10:42:34 ossec-agent: INFO: Started (pid: 3848).

Daniel Cid

May 28, 2009, 1:29:07 PM
to ossec...@googlegroups.com, phish...@gmail.com
Hey,

I included those on the latest snapshot. I did a few changes so I
would like you to take a look:

-Modified the use of <match> to <id>
-Simplified the decoder to only extract the id, since we were not
using the other information
-Changed the ids to be in the 6300-6399 range (assigned now for MS DHCP)
-Changed the levels from some informative rules to 0 (like ip assigned, etc).

Can you test? Anyone here using ms dhcp to try it out?

Link: http://ossec.net/files/snapshots/ossec-hids-090528.tar.gz


Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

Derek J. Morris

May 28, 2009, 1:39:14 PM
to ossec...@googlegroups.com
Installed the snapshot on my ossec server, restarted the ossec service on the
windows server that is running dhcp too, results in log from windows server:

2009/05/28 13:46:15 ossec-execd(1350): INFO: Active response disabled. Exiting.
2009/05/28 13:46:15 ossec-agent(1410): INFO: Reading authentication keys file.
2009/05/28 13:46:15 ossec-agent: INFO: Assigning counter for agent SERVERNAME: '219:6044'.
2009/05/28 13:46:15 ossec-agent: INFO: Assigning sender counter: 35:1350
2009/05/28 13:46:15 ossec-agent: INFO: Trying to connect to server (IPADDRESSREMOVED:1514).
2009/05/28 13:46:15 ossec-agent: Starting syscheckd thread.
2009/05/28 13:46:15 ossec-rootcheck: INFO: Started (pid: 3700).
2009/05/28 13:46:15 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies'.
2009/05/28 13:46:15 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion'.
2009/05/28 13:46:15 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion'.
2009/05/28 13:46:15 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'.
2009/05/28 13:46:15 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes'.
2009/05/28 13:46:15 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control'.
2009/05/28 13:46:15 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.
2009/05/28 13:46:15 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security'.
2009/05/28 13:46:15 ossec-agent: INFO: Monitoring directory: 'C:\Windows/system32'.
2009/05/28 13:46:15 ossec-agent: INFO: Started (pid: 3700).
2009/05/28 13:46:16 ossec-agent(4102): INFO: Connected to the server (IPADDRESSREMOVED:1514).
2009/05/28 13:46:16 ossec-agent: INFO: System is Vista or Windows Server 2008.
2009/05/28 13:46:16 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
2009/05/28 13:46:16 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
2009/05/28 13:46:34 ossec-agent(1951): INFO: Analyzing event log: 'System'.
2009/05/28 13:46:34 ossec-agent(1952): INFO: Monitoring variable log file: 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Thu.log'.
2009/05/28 13:46:34 ossec-agent(1103): ERROR: Unable to open file 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Thu.log'.
2009/05/28 13:46:34 ossec-agent(1950): INFO: Analyzing file: 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Thu.log'.
2009/05/28 13:46:34 ossec-agent: INFO: Started (pid: 3700).

phish phreek

May 29, 2009, 8:53:52 AM
to Daniel Cid, ossec...@googlegroups.com
Daniel,

Thanks for integrating them into the project. I've downloaded and installed the latest snapshot. I've also renamed my local_decoder.xml file so it wouldn't be included. I verified that the new decoder.xml file did have your decoders.

Ossec is not able to decode the logs with the decoders you created. I tested this via the ossec-logtest utility. When I enable my decoders, it works fine with the new rules file you created. I'm short on time this AM and can't troubleshoot much more at the moment. I'll see what I can do with it this afternoon or over the weekend.

Thanks again,

phishphreek

Daniel Cid

May 29, 2009, 9:21:27 AM
to phish phreek, ossec...@googlegroups.com
This error:

"2009/05/28 13:46:34 ossec-agent(1103): ERROR: Unable to open file"

is not really related to the decoder/rules, since it happens way before, on the agent side. For some reason when ossec tries to open the file, it fails.... Is there a way to send me the content of 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Thu.log' ?

Or even running "type 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Thu.log'." on the command prompt?

If there is one small typo in the file path ossec will not be able to open it.

As far as the decoder (and rules), I tried them using the log samples provided in the rule file and they seemed to work (*make sure to remove your local decoders too):


2009/05/29 10:03:35 ossec-testrule: INFO: Started (pid: 22553).
ossec-testrule: Type one log per line.

24,3/10/2009,0:00:46,Database Cleanup Begin,,,,


**Phase 1: Completed pre-decoding.
full event: '24,3/10/2009,0:00:46,Database Cleanup Begin,,,,'
hostname: 'enigma'
program_name: '(null)'
log: '24,3/10/2009,0:00:46,Database Cleanup Begin,,,,'

**Phase 2: Completed decoding.
decoder: 'ms-dhcp-ipv4'
id: '24'

**Phase 3: Completed filtering (rules).
Rule id: '6316'
Level: '3'
Description: 'IP address cleanup operation has began.'
**Alert to be generated.

**Phase 1: Completed pre-decoding.
full event: '11011,05/05/09,10:50:55,DHCPV6 Stopped,,,,,,'
hostname: 'enigma'
program_name: '(null)'
log: '11011,05/05/09,10:50:55,DHCPV6 Stopped,,,,,,'

**Phase 2: Completed decoding.
decoder: 'ms-dhcp-ipv6'
id: '11011'

**Phase 3: Completed filtering (rules).
Rule id: '6362'
Level: '7'
Description: 'Stopped.'
**Alert to be generated.


Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

phish phreek

Jun 1, 2009, 9:09:00 AM
to ossec...@googlegroups.com
Ok, the IPv6 logs decoder was working. However, the IPv4 decoder was not. The prematch that you had in the IPv4 was looking for a 4 digit year field instead of a 2 digit year. Looking back at the log samples I provided, they DO have a 4 digit year. The only thing I can think happened is that I imported the logs into excel to remove duplicate IDs and it must have changed the date field from a 2 digit year to a 4 digit year... Oops! I made the following change to the decoder and now it works.

From
<prematch>^\d\d,\d+/\d+/\d\d\d\d,\d+:\d+:\d+,</prematch>
To
<prematch>^\d\d,\d+/\d+/\d+,\d+:\d+:\d+,</prematch>
OR
<prematch>^\d\d,\d+/\d+/\d\d,\d+:\d+:\d+,</prematch>

As far as the problem of the ossec-agent not being able to read the file, I'm not sure why that is cropping up. The ossec-agent I had on my dhcp server wasn't logging properly. I uninstalled the agent and reinstalled it and now it's logging. I'll see what else I can come up with from the logs. It does appear that after a week, the agent no longer detects changes to the log files until either the DHCP service is restarted or the ossec agent is restarted. Any idea why that would be happening?

I've tried to tell the ossec-agent to look just at %windir%\system32\dhcp\*.log and defined all of the following logs. In both cases, it stops detecting changes to the logs after one week.

I don't know how the ossec-agent determines there have been changes to a log. Is it when it detects a change in the log file itself or does it look at the timestamp or compare the file hash?

The way that the MS DHCP server logs is as follows: It writes to a log file per day in the following format.

05/24/2009  12:00 AM           160,246 DhcpSrvLog-Sat.log
05/25/2009  12:00 AM           202,731 DhcpSrvLog-Sun.log
05/26/2009  12:00 AM           159,728 DhcpSrvLog-Mon.log
05/27/2009  12:00 AM           237,552 DhcpSrvLog-Tue.log
05/28/2009  12:00 AM           218,171 DhcpSrvLog-Wed.log
05/29/2009  12:00 AM           284,141 DhcpSrvLog-Thu.log
05/29/2009  01:12 PM           145,251 DhcpSrvLog-Fri.log

When the day is over and it's time to move to the next log file, it clears the previous week's daily file and starts over. When it clears the log file, the log always begins with the following:

<file>
                     Microsoft DHCP Service Activity Log
<blank line>
<blank line>
Event ID  Meaning
00        The log was started.
01        The log was stopped.
02        The log was temporarily paused due to low disk space.
10        A new IP address was leased to a client.
11        A lease was renewed by a client.
12        A lease was released by a client.
13        An IP address was found to be in use on the network.
14        A lease request could not be satisfied because the scope's
          address pool was exhausted.
15        A lease was denied.
16        A lease was deleted.
17        A lease was expired.
20        A BOOTP address was leased to a client.
21        A dynamic BOOTP address was leased to a client.
22        A BOOTP request could not be satisfied because the scope's
          address pool for BOOTP was exhausted.
23        A BOOTP IP address was deleted after checking to see it was
          not in use.
24        IP address cleanup operation has began.
25        IP address cleanup statistics.
30        DNS update request to the named DNS server
31        DNS update failed
32        DNS update successful
50+       Codes above 50 are used for Rogue Server Detection information.
<blank line>
ID,Date,Time,Description,IP Address,Host Name,MAC Address
<insert events here and below, one alert per line>
</file>

Thanks again,

phishphreek
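Added example, not code from the thread or from OSSEC: a small Python decoder for the daily DhcpSrvLog-*.log layout described above. It applies the same prematch logic as the corrected <prematch> (two- or four-digit years both decode, the five-digit IPv6 IDs do not), skips the banner and legend the way OSSEC's prematch would, and answers the question the thread opened with: which host held a given IP, and when. The sample log, host names and MAC addresses are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Event IDs and meanings taken from the legend the DHCP service writes at the
# top of every daily log (subset; IDs of 50 and above are rogue-server detection).
EVENT_MEANING = {
    0: "The log was started.",
    1: "The log was stopped.",
    10: "A new IP address was leased to a client.",
    11: "A lease was renewed by a client.",
    12: "A lease was released by a client.",
    13: "An IP address was found to be in use on the network.",
    24: "IP address cleanup operation has began.",
}

# Equivalent of the corrected <prematch>: two-digit ID, a date whose year may
# be two or four digits (the bug discussed above), a time, all comma-terminated.
# Five-digit IPv6 IDs such as 11011 deliberately do not match, as in the thread.
PREMATCH = re.compile(r"^\d\d,\d+/\d+/\d+,\d+:\d+:\d+,")


@dataclass
class DhcpEvent:
    event_id: int
    date: str
    time: str
    description: str
    ip: str
    host: str
    mac: str

    @property
    def meaning(self) -> str:
        if self.event_id >= 50:
            return "Rogue Server Detection information."
        return EVENT_MEANING.get(self.event_id, "Unknown event ID")


def parse_line(line: str) -> Optional[DhcpEvent]:
    """Decode one ID,Date,Time,Description,IP Address,Host Name,MAC Address record.
    Banner, legend and column-header lines fail the prematch and return None."""
    if not PREMATCH.match(line):
        return None
    fields = line.rstrip("\r\n").split(",")
    if len(fields) < 7:
        return None
    eid, date, time, desc, ip, host, mac = fields[:7]
    return DhcpEvent(int(eid), date, time, desc, ip, host, mac)


def parse_log(text: str) -> List[DhcpEvent]:
    """Decode a whole DhcpSrvLog-*.log file, skipping its preamble."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def lease_history(events: List[DhcpEvent], ip: str) -> List[Tuple[str, str, int, str, str]]:
    """Assign/renew/release/delete/expire events for one address: the evidence
    for which host held that IP and when."""
    return [(e.date, e.time, e.event_id, e.host, e.mac)
            for e in events if e.ip == ip and e.event_id in (10, 11, 12, 16, 17)]


# Constructed sample in the layout the post describes; hosts and MACs are made up.
SAMPLE_LOG = """\
                     Microsoft DHCP Service Activity Log


Event ID  Meaning
00        The log was started.
50+       Codes above 50 are used for Rogue Server Detection information.

ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,05/29/09,00:00:04,Started,,,,
10,05/29/09,08:12:31,Assign,192.0.2.45,ws01.example.local,001122334455,
11,05/29/09,12:15:02,Renew,192.0.2.45,ws01.example.local,001122334455,
24,5/29/2009,13:00:00,Database Cleanup Begin,,,,
12,05/29/09,17:40:19,Release,192.0.2.45,ws01.example.local,001122334455,
"""
```

Call `lease_history(parse_log(SAMPLE_LOG), "192.0.2.45")` to get the assign, renew and release records for that address in order; the 4-digit-year cleanup record decodes alongside the 2-digit-year ones.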

Derek J. Morris

Jun 1, 2009, 11:11:26 AM
to ossec...@googlegroups.com
Note for you:

On Windows 2008 32bit and 64bit DHCP or Windows 2003 64Bit DHCP, I had to move
the DHCP folder and Audit Logs out to C:\DHCP for the Ossec Agent on the Windows
server to start to open and read the files. I then made the change to the
decoder you mentioned below and it works great now. Hope this helps!! Any questions
about it, feel free to email me.

-Derek
