How to collect Windows Server 2016 DHCP lease logs


Halcyon Lin

May 17, 2023, 5:42:27 AM
to Wazuh mailing list
May I know the way to collect the DHCP Service Activity Log from a Windows Server 2016 machine which is running as a DHCP server? I have configured the agent to pull logs from a test file, but they do not appear in the Wazuh Manager (Security Events tab). Below is how I have configured the agent's ossec.conf file.

  <localfile>
    <location>DhcpSrvLog-Tue.log</location>
    <log_format>syslog</log_format>
  </localfile>


The logs are originally located in the "C:\Windows\System32\dhcp" folder. Here is the ruleset for decoding the DHCP logs, including some example logs.


Thanks in advance for your support.

Jose Antonio Izquierdo

May 17, 2023, 6:16:04 AM
to Wazuh mailing list
Hi

I suppose the problem is that the agent does not collect the logs. Log collection happens in real time, using new logs added to the monitored file.
Check that this is not an issue here.

Another reason can be that the decoder/rules are not working with your logs. Can you check the archives on the Wazuh manager to see if there are any DHCP logs that are not in alerts.json? (archives: /var/ossec/logs/archives/archives.json). Also, it will be useful if you can share some DHCP logs so we can test them in the lab.

Let's try this to figure out where the problem is.
Thanks.
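As an added example for this thread (not Wazuh code and not the decoder ruleset the original poster linked), the following parser reads the Windows DHCP Server audit-log format that the service writes into DhcpSrvLog-*.log: a descriptive text preamble, a CSV header line, then one CSV event per line. It skips the preamble and picks out the event IDs a defender normally wants alerts on, so the events present in a file can be confirmed before chasing decoder problems. The sample log lines are constructed; the event-ID meanings are the ones Windows prints in the preamble at the top of every file.

```python
"""Parse Windows DHCP Server audit log lines (DhcpSrvLog-*.log) and
flag the event IDs a defender usually wants alerts on.

Added example for this thread; not Wazuh code and not the original
poster's decoder. SAMPLE_LOG below is constructed.
"""
import csv
from dataclasses import dataclass
from typing import Iterable

# Event IDs as documented in the preamble the DHCP service writes at the
# top of each daily file.
EVENT_NAMES = {
    "00": "log started",
    "01": "log stopped",
    "02": "log paused: low disk space",
    "10": "new lease",
    "11": "lease renewed",
    "12": "lease released",
    "13": "IP address found in use on the network",
    "14": "lease request not satisfied: scope address pool exhausted",
    "15": "lease denied",
    "16": "lease deleted",
    "17": "lease expired",
}

# IDs worth alerting on: pool exhaustion, denials and address conflicts
# point at misconfiguration, rogue clients or a DHCP starvation attempt.
ALERT_IDS = {"02", "13", "14", "15"}

HEADER_PREFIX = "ID,Date,Time,Description"


@dataclass
class DhcpEvent:
    event_id: str
    date: str
    time: str
    description: str
    ip: str
    host: str
    mac: str

    def label(self) -> str:
        return f"{self.event_id} ({EVENT_NAMES.get(self.event_id, 'unknown')})"


def parse_dhcp_log(lines: Iterable[str]) -> list[DhcpEvent]:
    """Return parsed events, skipping the preamble and the CSV header.

    Event lines start with a two-digit ID followed by a comma; preamble
    lines such as "00<TAB>The log was started." have no comma-separated
    fields and are dropped by the field-count check.
    """
    events = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith(HEADER_PREFIX):
            continue
        fields = next(csv.reader([line]))
        if len(fields) < 7 or len(fields[0]) != 2 or not fields[0].isdigit():
            continue
        events.append(DhcpEvent(*fields[:7]))
    return events


def events_to_alert(events: Iterable[DhcpEvent]) -> list[DhcpEvent]:
    """Filter to the events a detection rule should fire on."""
    return [e for e in events if e.event_id in ALERT_IDS]


# Constructed sample in the real file layout (addresses from 192.0.2.0/24,
# the documentation range; MACs and hostnames are made up).
SAMPLE_LOG = """\
        Microsoft DHCP Service Activity Log

Event ID  Meaning
00\tThe log was started.
10\tA new IP address was leased to a client.
14\tA lease request could not be satisfied because the scope's address pool was exhausted.

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID,Dhcid,VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),RelayAgentInformation,DnsRegError.
00,05/16/23,00:00:05,Started,,,,,0,6,,,,,,,,,0
10,05/16/23,08:12:41,Assign,192.0.2.25,ws-finance-07.example.test,0050560A1B2C,,1234567890,0,,,,,,,,,0
11,05/16/23,08:30:02,Renew,192.0.2.25,ws-finance-07.example.test,0050560A1B2C,,1234567891,0,,,,,,,,,0
14,05/16/23,09:01:17,Scope Full,192.0.2.0,,,,1234567892,0,,,,,,,,,0
15,05/16/23,09:05:44,NACK,192.0.2.99,,0050560AFFEE,,1234567893,0,,,,,,,,,0
"""

if __name__ == "__main__":
    parsed = parse_dhcp_log(SAMPLE_LOG.splitlines())
    print(f"{len(parsed)} events parsed")
    for ev in events_to_alert(parsed):
        print(f"ALERT {ev.date} {ev.time} {ev.label()} ip={ev.ip} mac={ev.mac}")
```

Two points follow from the format. First, the DHCP service rotates into a separate file per weekday (DhcpSrvLog-Mon.log through DhcpSrvLog-Sun.log), so a localfile entry that names only one day's file, as in the first post, covers one day in seven; the Wazuh `location` element accepts wildcards, so a single pattern such as `C:\Windows\System32\dhcp\DhcpSrvLog-*.log` can cover all of them. Second, the preamble at the top of each file is not event data, so a decoder that expects every line to be CSV will see those header lines fail to match; checking archives.json for them, as suggested above, tells you whether collection or decoding is the step that is failing.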

João Soares

Oct 7, 2023, 8:42:07 AM
to Wazuh | Mailing List
I have the same problem. I was testing the same scenario last week but could not focus well; I'll do more testing next week. But as far as I could check, the local agent log reports "ERROR 3: SYSTEM CANNOT FIND SPECIFIED PATH", yet I've checked the PATH and PERMISSIONS and both were correct on the DHCP server. I took a log stream from the DHCP server and tested it against the Wazuh decoder/ruleset and both were working, so I think it is a local issue with the agent having some problem collecting the log. I even tried putting the log into another folder with more permissions, but had the same problem.