How can I send Windows DHCP logs to Wazuh?


Joaquim António

Nov 10, 2023, 4:22:44 AM11/10/23
to Wazuh | Mailing List
Hello Wazuh Team,

After enabling the logall option on the server side, I'm not able to find any DHCP Server events. I configured the agent to monitor logs from the System, Security and Application event channels. Where can I find them, and what localfile configuration is needed to send these DHCP server logs?

Thank you for your time.

Best regards,

Joaquim Antonio

Md. Nazmur Sakib

Nov 10, 2023, 4:54:30 AM11/10/23
to Wazuh | Mailing List

Hi


Hope you are doing well. Thank you for using Wazuh.


To do this, use the configuration for monitoring log files; you can find more information in the documentation.


The configuration should be in the DHCP server's Wazuh agent ossec.conf:


<localfile>
  <location>/<FILE_PATH_DHCP_LOG>/FileName.log</location>
  <log_format>syslog</log_format>
</localfile>


Restart the agent after saving the configuration.


Check the file to see whether new DHCP logs are being added to it:

/<FILE_PATH_DHCP_LOG>/FileName.log


Next, check if the relevant logs are forwarded to your Wazuh manager properly.


For this, you can try the following steps:


Activate the 'logall' option within the manager's ossec.conf file, as outlined in our documentation: Wazuh Documentation | logall


This option will allow you to see all the events being monitored by your manager in the /var/ossec/logs/archives/archives.log file. You will then be able to observe the incoming log generated by your endpoint. After setting this option, restart the manager and check the archives.log file.

Note: Don't forget to disable the logall parameter once you have finished troubleshooting. Leaving it enabled could lead to high disk space consumption.


Look for any logs inside the archive log that are relevant to DHCP, using grep with a keyword related to the DHCP log:

grep Keyword /var/ossec/logs/archives/archives.log


I hope this helps. Let me know if you need any further assistance.


Regards
Md. Nazmur Sakib
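As an added example (not from this thread or from Wazuh itself), the following Python check automates the last troubleshooting step above: it reads each location from the agent's localfile blocks and counts, per agent, what archives.log actually received from that file, so a configured path with zero events stands out. The archives.log line layout, the DHCP log path and the sample lines are assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed ossec.conf excerpt in the shape the reply describes; the path is a sample value.
AGENT_OSSEC_CONF = """<ossec_config>
  <localfile>
    <location>C:\\Windows\\System32\\dhcp\\DhcpSrvLog-Fri.log</location>
    <log_format>syslog</log_format>
  </localfile>
</ossec_config>"""

# Constructed archives.log excerpt: two lines read from the DHCP log file and one
# unrelated Security-channel event from the same agent.
ARCHIVES_SAMPLE = r"""2023 Nov 10 04:22:44 (dhcp01) any->C:\Windows\System32\dhcp\DhcpSrvLog-Fri.log 10,11/10/23,04:22:40,Assign,192.0.2.50,host1.example.test,AABBCCDDEEFF
2023 Nov 10 04:22:45 (dhcp01) any->EventChannel {"win":{"system":{"channel":"Security"}}}
2023 Nov 10 04:22:46 (dhcp01) any->C:\Windows\System32\dhcp\DhcpSrvLog-Fri.log 11,11/10/23,04:22:42,Renew,192.0.2.51,host2.example.test,AABBCCDDEE00"""

# Assumed archives.log layout: "YYYY Mon DD HH:MM:SS (agent) ip->location message".
ARCHIVE_LINE = re.compile(
    r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} \((?P<agent>[^)]+)\) (?P<ip>\S+?)->(?P<location>\S+) (?P<message>.*)$"
)

def configured_locations(conf_xml):
    """Return every <location> declared in the agent's <localfile> blocks."""
    root = ET.fromstring(conf_xml)
    return [lf.findtext("location") for lf in root.iter("localfile") if lf.findtext("location")]

def parse_archive_line(line):
    """Split one archives.log line into its fields, or return None if it does not match the layout."""
    m = ARCHIVE_LINE.match(line)
    return m.groupdict() if m else None

def events_by_agent(archives_text, location):
    """Count archive lines per agent whose source location is the given file (Windows paths compared case-insensitively)."""
    counts = {}
    for line in archives_text.splitlines():
        rec = parse_archive_line(line)
        if rec and rec["location"].lower() == location.lower():
            counts[rec["agent"]] = counts.get(rec["agent"], 0) + 1
    return counts

def check_forwarding(conf_xml, archives_text):
    """Map each configured location to {agent: event count}. An empty inner dict is the
    symptom from the question: the file is configured but nothing reaches the manager."""
    return {loc: events_by_agent(archives_text, loc) for loc in configured_locations(conf_xml)}

if __name__ == "__main__":
    for loc, agents in check_forwarding(AGENT_OSSEC_CONF, ARCHIVES_SAMPLE).items():
        print("OK" if agents else "NO EVENTS", loc, agents)
```

Run it against a real archives.log by replacing the constructed samples with the manager's file and the agent's ossec.conf; any location reported as NO EVENTS is the one to troubleshoot on the agent side.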