
LogLogic Microsoft Dynamic Host Configuration Protocol (DHCP) Log Configuration Guide

Document Release: September 2011
Part Number: LL600026-00ELS090000

© 2011 LogLogic, Inc.

Proprietary Information

This document contains proprietary and confidential information of LogLogic, Inc. and its licensors. In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc.

Trademarks

LogLogic and the LogLogic logo are trademarks or registered trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company or product names are trademarks or registered trademarks of their respective owners.

Notice

The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set out exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation.

Contents

Preface
  About This Guide . . . 5
  Technical Support . . . 5
  Documentation Support . . . 5
  Conventions . . . 6

Chapter 1 – Configuring LogLogic’s Microsoft DHCP Log Collection
  Introduction to Microsoft DHCP . . . 7
  Prerequisites . . . 8
  Configuring Microsoft DHCP for Audit Logging . . . 8
    Changing the Path of the Audit Log File . . . 9
    Audit Log File Rotation Policy . . . 10
  Configuring Microsoft DHCP for Operational Events . . . 10
    Installing and Configuring Project Lasso . . . 10
  Enabling the LogLogic Appliance to Capture Log Data . . . 11
    Configuring the LogLogic Appliance for Data and File Collection . . . 11
    Automatically Identifying a Microsoft DHCP Device . . . 12
    Adding Microsoft DHCP Device . . . 13
    Creating File Transfer Rules . . . 14
  Verifying the Configuration . . . 16

Chapter 2 – How LogLogic Supports Microsoft DHCP
  How LogLogic Captures Microsoft DHCP Log Data . . . 18
  Supported Microsoft DHCP Log Data . . . 19
  LogLogic Real-Time Reports . . . 20
  LogLogic Search Filters . . . 20

Chapter 3 – Troubleshooting and FAQ
  Troubleshooting . . . 23
    Problems Retrieving Log Files Using Configured File Transfer Rules . . . 24
  Frequently Asked Questions . . . 25

Preface

About This Guide

The LogLogic® Appliance-based solution lets you capture and manage log data from all types of log sources in your enterprise. The LogLogic support for Microsoft® Dynamic Host Configuration Protocol (DHCP) enables LogLogic Appliances to capture logs from machines running Microsoft DHCP.

Once the logs are captured and parsed, you can generate reports and create alerts on Microsoft DHCP’s operations. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.

Technical Support

LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances.

To reach LogLogic Customer Support:

  Telephone: Toll Free—1-800-957-LOGS
             Local—1-408-834-7480
  EMEA or APAC: +44 (0) 207 1170075 or +44 (0) 8000 669970
  Email: [email protected]

You can also visit the LogLogic Support website at: http://www.loglogic.com/services/support.

When contacting Customer Support, be prepared to provide:

  • Your name, email address, phone number, and fax number
  • Your company name and company address
  • Your machine type and release version
  • A description of the problem and the content of pertinent error messages (if any)

Documentation Support

Your feedback on LogLogic documentation is important to us. Send e-mail to [email protected] if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team.

Conventions

LogLogic documentation uses the following conventions to highlight code and command-line elements:

  • A monospace font is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as filenames, directories, paths, and URLs).

  • A monospace bold font is used to distinguish system prompts or screen output from user responses, as in this example:

      username: system
      home directory: home\app

  • A monospace italic font is used for placeholders, which are general names that you replace with names specific to your site, as in this example:

      LogLogic_home_directory\upgrade\

Chapter 1 – Configuring LogLogic’s Microsoft DHCP Log Collection

This chapter describes configuration steps that enable a LogLogic Appliance to capture Microsoft DHCP logs. The configuration steps assume that you have a functioning LogLogic Appliance that can be configured to capture Microsoft DHCP log data.

  Introduction to Microsoft DHCP . . . 7
  Prerequisites . . . 8
  Configuring Microsoft DHCP for Audit Logging . . . 8
  Configuring Microsoft DHCP for Operational Events . . . 10
  Enabling the LogLogic Appliance to Capture Log Data . . . 11
  Verifying the Configuration . . . 16

Introduction to Microsoft DHCP

The LogLogic Appliance enables you to capture Microsoft DHCP audit and operational log data. Audit log events can capture critical information about the Microsoft DHCP server that is essential to meet compliance requirements. For example, Microsoft DHCP provides options to audit server startup, shutdown, and restart status. It also gives information related to the server’s authorization status with Active Directory and records lease, renew, and update actions with the Domain Name System (DNS) database. Operational log event information is posted in the Windows System log. These logs contain information related to DHCP server configuration changes and its status information.

Note: LogLogic support is limited to Windows Server 2003 and 2008 events. For more information, see Supported Microsoft DHCP Log Data on page 19.

Microsoft DHCP audit logs are captured via file pull using a file transfer rule. Microsoft DHCP operational logs are captured by LogLogic’s open source Windows Event Collector, Project Lasso. The Windows Event Collector can run in one of the following modes: Agent Mode, Collector Mode, or both (i.e., a hybrid mode). Regardless of the mode used, all collected operational logs are forwarded to the LogLogic Appliance using Syslog via UDP or TCP.

Prerequisites

Prior to configuring Microsoft DHCP and the LogLogic Appliance, ensure that you meet the following prerequisites:

  • Microsoft DHCP Service installed on Windows Server 2003 or 2008 with SP1 or SP3
  • Administrative access on the DHCP server
  • For operational logs: Project Lasso Release 4.0 or later installed on the DHCP server. For more information, see the LogLogic Windows Event Collector Guide (Project Lasso).
  • For audit logs: 3rd-party FTP, FTP(S), HTTP(S), CIFS, SCP, and/or SFTP server software installed for any platform that does not have these capabilities by default. For more information, see Configuring the LogLogic Appliance for Data and File Collection on page 11.
  • LogLogic Appliance running Release 5.1 or later installed with a Log Source Package that includes Microsoft DHCP Server support
  • Administrative access on the LogLogic Appliance

Configuring Microsoft DHCP for Audit Logging

Audit logging is configured by default on a Microsoft DHCP server. Make sure that your configuration matches the one described in the following steps.

To enable Microsoft DHCP server logging:

1. Log in to the Microsoft DHCP server.
2. From the Windows Start menu, select Settings > Control Panel.
3. Double-click Administrative Tools.
4. Double-click DHCP.
   The DHCP console appears.
5. Expand the tree on the left, and select the applicable DHCP server from the list.
6. On the Action menu, click Properties.
7. On the General tab, select the Enable DHCP audit logging checkbox.

Figure 1 DHCP Console

Changing the Path of the Audit Log File

Only the directory path in which the Microsoft DHCP server stores audit log files can be modified using the DHCP console, not the filename. The DHCP server service bases the name of the audit log file on the current day of the week, as determined by checking the current date and time at the server. For example, when the DHCP server starts, if the current date and time is:

  Monday, April 7, 2011, 04:56:42 P.M.

then the server audit log file is named DhcpSrvLog-Mon.

To change the path of the audit log file:

1. Log in to the Microsoft DHCP server.
2. From the Windows Start menu, select Settings > Control Panel.
3. Double-click Administrative Tools.
4. Double-click DHCP.
   The DHCP console appears.
5. Expand the tree on the left, and select the applicable DHCP server from the list.
6. On the Action menu, click Properties.
7. Click the Advanced tab.
8. Edit Audit log file path as necessary and click OK.

Audit Log File Rotation Policy

Microsoft DHCP server rotates the files based on days. By default, at 12:00 a.m. local time on the server machine, the DHCP server closes the existing log and moves it to the log file for the next day of the week. For example, if the day of the week changes at 12:00 a.m. from Wednesday to Thursday, the log file named DhcpSrvLog-Wed is closed and the file named DhcpSrvLog-Thu is opened and used for logging events.

If the disk is full, the DHCP server closes the current file and ignores further requests to log audit events until either 12:00 a.m. or until the disk is no longer full. The disk is considered full if either of the following conditions is true:

  • Disk space on the server machine is lower than the required minimum amount for DHCP audit logging. By default, if the amount of disk space remaining on the server disk reaches less than 20 MegaBytes (MB), audit logging is halted.
  • The current audit log file is larger than one-seventh of the size for the combined total of all audit logs currently stored on the server.
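The naming and rotation rules above, together with the disk-full conditions, decide which file the Appliance will find and when a gap in audit coverage can occur. The following Python model is an added example, not LogLogic or Microsoft code; it uses the values the guide states (the 20 MB free-space floor and the one-seventh rule, with the combined total taken to include the current file) and constructed server times.

```python
"""Audit log naming, midnight rotation and the disk-full rule of the Microsoft
DHCP service as the guide describes them. Added example, not LogLogic or
Microsoft code; the 20 MB minimum and the one-seventh rule are the values
stated above, and the datetimes below are constructed."""
from datetime import datetime, timedelta

# datetime.weekday() counts Monday as 0, so this list maps it to the file suffix.
DAY_ABBREV = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
MIN_FREE_BYTES = 20 * 1024 * 1024  # default free-space floor for audit logging

# Constructed server times used below (4 April 2011 is a Monday, 6 April a Wednesday).
EXAMPLE_MON = datetime(2011, 4, 4, 16, 56, 42)
EXAMPLE_WED = datetime(2011, 4, 6, 23, 59, 0)


def audit_log_name(when: datetime) -> str:
    """Name of the audit log file the service uses at the given server time.
    Only the day of the week matters, so the same seven names are reused weekly."""
    return "DhcpSrvLog-" + DAY_ABBREV[when.weekday()]


def midnight_rotation(when: datetime) -> tuple:
    """(file closed, file opened) at the 12:00 a.m. rotation that follows 'when'."""
    next_day = (when + timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)
    return audit_log_name(when), audit_log_name(next_day)


def disk_full(free_bytes: int, current_log_bytes: int, total_audit_bytes: int,
              min_free_bytes: int = MIN_FREE_BYTES) -> bool:
    """True when the service would close the current file and drop audit events:
    free space is below the floor, or the current file exceeds one-seventh of the
    combined size of all audit logs on the server (current file included)."""
    if free_bytes < min_free_bytes:
        return True
    return current_log_bytes * 7 > total_audit_bytes


if __name__ == "__main__":
    print(audit_log_name(EXAMPLE_MON))           # DhcpSrvLog-Mon
    print(midnight_rotation(EXAMPLE_WED))        # ('DhcpSrvLog-Wed', 'DhcpSrvLog-Thu')
    mb = 1024 * 1024
    print(disk_full(100 * mb, 5 * mb, 70 * mb))  # False
    print(disk_full(19 * mb, 1 * mb, 70 * mb))   # True: below the 20 MB floor
```

Two practical consequences follow from the model: the seven names are reused every week, so a pull schedule that runs less often than daily will miss files that have already been overwritten; and an audit log that stops growing before midnight with free disk space near 20 MB is a sign that the service has silently halted logging, not that the server went quiet. Microsoft also caps the combined size of the audit logs through the DhcpLogFilesMaxSize registry value (70 MB by default), which in practice makes the per-file limit about 10 MB; verify that value on your own server.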

Configuring Microsoft DHCP for Operational Events

Microsoft DHCP server operational events are posted in the Windows Event Viewer. The events are located in the System log under the DHCP server, with DHCP as the source. These events can be captured by the LogLogic Appliance using Project Lasso.

Installing and Configuring Project Lasso

The Microsoft DHCP logs are collected and transported using Project Lasso. Project Lasso is used to collect and transfer Windows Event logs to the LogLogic Appliance.

By default, the Project Lasso program directory is located at:

  C:\Program Files\Lasso

Project Lasso spools log messages if the connection to the Appliance is temporarily lost. By default, the following directory contains all spooled log messages:

  C:\Program Files\Lasso\LassoRepository\Spool

Enabling the LogLogic Appliance to Capture Log Data

The following sections describe how to enable the LogLogic Appliance to capture Microsoft DHCP log data.

Configuring the LogLogic Appliance for Data and File Collection

The LogLogic Appliance recognizes Microsoft DHCP operational events in Syslog format via the Syslog Listener. The Appliance captures Microsoft DHCP audit events using file pull functionality via a file transfer rule. The deployment method you use to collect Microsoft DHCP file-based data depends on what events you want to capture.

Microsoft DHCP Data Collection for Operational Events

If you are trying to capture operational event data, you need to use the following deployment method for file collection:

1. Properly configure Microsoft DHCP to generate operational events (see Configuring Microsoft DHCP for Operational Events on page 10).
2. Properly configure Project Lasso on a remote Host Server (see Installing and Configuring Project Lasso on page 10).
3. On the LogLogic Appliance, make sure that the Microsoft DHCP device was correctly auto-identified. For more information, see Automatically Identifying a Microsoft DHCP Device on page 12.

Microsoft DHCP File Collection for Audit Events

If you are trying to capture audit event data, you need to use the following deployment method for file collection:

1. Configure a remote Host Server with file transfer capability to capture log files from the Microsoft DHCP host machine.
   The following procedure explains, at a high level, how to configure your environment to capture file-based log messages via SFTP. LogLogic recommends using SFTP for Windows-based systems, or SCP for Unix-based systems, to securely transfer files to the LogLogic Appliance from your log source. However, you can use any of the LogLogic-supported protocols in your environment (i.e., FTP(S), HTTP(S), SCP, etc.).
   Note: For more information on each supported protocol, including whether a Public Key Copy is needed and what search methods (i.e., CSV, Wildcard) are available, see the LogLogic Administration Guide.
   a. Make sure that a destination directory (i.e., log directory) exists and is accessible on the host machine where Microsoft DHCP is installed. The destination directory should contain the original log files that Microsoft DHCP generates.
   b. Transfer the Microsoft DHCP log files to a separate publishing directory on the remote Host Server.
   Note: LogLogic recommends that you define a clean-up process to handle old log files that accumulate over time.
2. On the LogLogic Appliance, add Microsoft DHCP to the Appliance as a new device. For more information, see Adding Microsoft DHCP Device on page 13.
3. Create a file transfer rule and specify SFTP as the Protocol. For more information, see Creating File Transfer Rules on page 14.
   IMPORTANT! SCP and SFTP have limitations in their ability to pull a large number of files (100 or more). LogLogic recommends that you compress the files into a single file (such as .tar or .tar.gz) before the files are pulled by the LogLogic Appliance.
4. File transfer rules using SFTP as the protocol require a public key copy from the LogLogic Appliance. You need to copy the Appliance’s public key to the remote Host Server. For more information on public key copy, see the LogLogic Administration Guide.

Automatically Identifying a Microsoft DHCP Device

IMPORTANT! The Microsoft DHCP device is auto-identified when operational events are captured by Project Lasso. However, you must add the device manually if you are capturing audit events by file pull via file transfer rule. For more information, see Adding Microsoft DHCP Device on page 13.

With the auto-identification feature, the LogLogic Appliance recognizes Microsoft DHCP operational log messages in Syslog format using Project Lasso. As the Syslog messages come into the Appliance, they are automatically identified and a new Microsoft DHCP device type is added to the log source device list. Default values are used for certain properties, such as the device name.

To enable auto-identification in the LogLogic Appliance:

1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Administration > System Settings.
   The General tab appears.
3. For Auto-identify Log Sources, select Yes.
4. Click Update.

Once the automatically identified device is added, you can edit its properties.

IMPORTANT! Do not change the auto-identified Device Type and Host IP information.

To edit an existing Microsoft DHCP device:

1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Management > Devices.
   The Devices tab appears.
3. Click on an existing Microsoft DHCP device in the list and click Modify Device.
   The Modify Device tab appears.

Adding Microsoft DHCP Device

IMPORTANT! You must add the Microsoft DHCP device manually if you are capturing audit events by file pull via file transfer rule. The device is auto-identified when operational events are captured by Project Lasso. For more information, see Automatically Identifying a Microsoft DHCP Device on page 12.

LogLogic captures Microsoft DHCP audit log files using file pull functionality via file transfer rule. You must add the server as a new device so LogLogic can properly handle the log file data to make it available through reports and searching. Once you have successfully added the Microsoft DHCP device, you must configure file transfer rules for file collection. For more information, see Configuring the LogLogic Appliance for Data and File Collection on page 11.

To add Microsoft DHCP as a new device:

1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Management > Devices.
   The Devices tab appears.
3. Click Add New.
   The Add Device tab appears.
4. Type in the following information for the device:
   • Name—Name for the Microsoft DHCP device
   • Description (optional)—Description of the Microsoft DHCP device
   • Device Type—Select Microsoft DHCP from the drop-down menu
   • Host IP—IP address of the Microsoft DHCP server
   • Enable Data Collection—Select the Yes radio button

   Figure 2 Adding a Device to the LogLogic Appliance

5. Click Add.
6. Verify that your new device appears in the Devices tab and that Enabled is set to Yes.
   After you add the new device, you can configure the LogLogic Appliance by setting up file transfer rules. For information on configuring the LogLogic Appliance to capture Microsoft DHCP log messages, see Configuring the LogLogic Appliance for Data and File Collection on page 11.

Creating File Transfer Rules

Note: Creating a file transfer rule is only required if you are capturing Microsoft DHCP audit events.

After you add your Microsoft DHCP device, you can create a file transfer rule for the log files. File transfer rules enable the LogLogic Appliance to pull files from the host machine or remote Host Server publishing the Microsoft DHCP log files.

LogLogic supports the following wildcards: * (asterisk), ? (question mark), and [...] (open and close brackets) using directory queries. If you use wildcards, you must enable directory listing on your host machine or remote Host Server.

Examples:

  file
  /foo/file, /bar/*.log
  /foo?/bar*/*.aud, /foo1/file1.tar.gz, /foo1/file2.Z
  /foo[2-8]/bar*/net*.log
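To see which files a rule with one of these patterns would actually pull from a directory listing, the following Python matcher is an added example, not LogLogic code. It assumes that a wildcard matches within a single path segment only (the guide does not say whether * can cross a directory separator), and the directory listing it runs against is constructed.

```python
"""Matching file transfer rule patterns (*, ?, [...]) against a directory listing.
Added example, not LogLogic code. Assumes a wildcard never crosses a '/', so
/foo[2-8]/bar*/net*.log matches files exactly three levels deep; the listing
below is a constructed view of a publishing directory on a remote Host Server."""
from fnmatch import fnmatchcase
from pathlib import PurePosixPath

# Constructed directory listing as the Appliance's directory query would see it.
LISTING = [
    "/publishing directory/Dhcp/DhcpSrvLog-Mon",
    "/publishing directory/Dhcp/DhcpSrvLog-Tue",
    "/publishing directory/Dhcp/DhcpSrvLog-Wed.zip",
    "/publishing directory/Dhcp/notes.txt",
    "/foo3/bar-a/net1.log",
    "/foo9/bar-a/net1.log",
    "/foo3/bar-a/sub/net2.log",
]


def matches(path: str, pattern: str) -> bool:
    """Segment-by-segment wildcard match: '*' and '?' stay inside one segment and
    '[...]' is a character class, so /foo[2-8]/... accepts foo3 but not foo9."""
    parts = PurePosixPath(path).parts
    pats = PurePosixPath(pattern).parts
    if len(parts) != len(pats):
        return False  # a deeper or shallower path can never match
    return all(fnmatchcase(seg, pat) for seg, pat in zip(parts, pats))


def select_files(listing, pattern: str) -> list:
    """Paths in the listing that a rule whose Files field is 'pattern' would pull."""
    return sorted(p for p in listing if matches(p, pattern))


if __name__ == "__main__":
    for pattern in ("/publishing directory/Dhcp/DhcpSrvLog*",
                    "/publishing directory/Dhcp/*.zip",
                    "/foo[2-8]/bar*/net*.log"):
        print(pattern, "->", select_files(LISTING, pattern))
```

Because every wildcard rule depends on a directory query, a pattern that returns nothing is most often a directory-listing problem on the host (listing disabled, or the account used by the rule lacking read permission on the publishing directory) rather than a typo in the pattern; check the Last Attempted Retrieval column described later in this chapter before editing the rule.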

To create a file transfer rule:

1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Management > Devices.
3. Select the File Transfer Rules tab.
4. Add a rule for the Microsoft DHCP log files you want to capture by completing the following steps:
   a. From the Device Type drop-down menu, select the machine where Microsoft DHCP is installed.
   b. From the Device drop-down menu, select the appropriate Microsoft DHCP device.
      Note: If you have added only one Microsoft DHCP device, the device name is automatically added.
   c. Click Add Rule, then enter the appropriate information for the following required fields:
      • Rule Name—Name of the transfer rule (e.g., Microsoft DHCP log files)
      • Protocol—Specify the appropriate protocol (e.g., SFTP, SCP, FTP(S), etc.)
        Note: LogLogic recommends using a secure file transfer protocol, such as SFTP for Windows-based devices or SCP for UNIX-based devices. If you are using SFTP or SCP, you must copy the Appliance’s public key to the machine where the logs are located. For more information, see Configuring the LogLogic Appliance for Data and File Collection on page 11 and the LogLogic Administration Guide.
      • User ID—Specify only if the protocol requires a User ID
      • Password/Verify Password—Specify only if required for the User ID
      • Files—Full path (after the IP address) to the Host Server where the Microsoft DHCP log files are located. For example:
            /publishing directory/Dhcp/DhcpSrvLog*
        To capture all logs in a specific directory, specify the asterisk (*) wildcard. For example:
            /publishing directory/Dhcp/*.zip
        The server can be the host machine where the device is installed or a remote Host Server with file transfer functionality. For more information, see Configuring the LogLogic Appliance for Data and File Collection on page 11.
      • File Format—Select Microsoft DHCP Audit Log from the drop-down menu
      • Collection Time—Specify the time you want to retrieve the log file
      • Use Advanced Duplication Detection—Select the Yes radio button if you want the LogLogic Appliance to check for duplicate data while capturing the Microsoft DHCP logs.
      • Enable—Select the Yes radio button to enable the file transfer rule

Figure 3 Add File Transfer Rule Tab

Verifying the Configuration

This section describes how to verify that the configuration changes made to Microsoft DHCP and the LogLogic Appliance are applied correctly.

To verify the configuration:

1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Dashboards > Log Source Status.
   The Log Source Status tab appears.
   If the device name (Microsoft DHCP) appears in the list of devices, then the configuration is correct. If the device does not appear in the Log Source Status tab, check the Microsoft DHCP logs for events that should have been sent. If events were detected and are still not appearing on the LogLogic Appliance, verify the Microsoft DHCP configuration, the Project Lasso configuration (for operational logs), and the LogLogic Appliance configuration.

Chapter 2 – How LogLogic Supports Microsoft DHCP

This chapter describes LogLogic’s support for Microsoft DHCP. LogLogic enables you to capture log data to monitor Microsoft DHCP events.

  How LogLogic Captures Microsoft DHCP Log Data . . . 18
  Supported Microsoft DHCP Log Data . . . 19
  LogLogic Real-Time Reports . . . 20
  LogLogic Search Filters . . . 20

How LogLogic Captures Microsoft DHCP Log Data

LogLogic’s open source Windows Event Collector, Project Lasso, is used to collect Microsoft DHCP operational logs stored in the Windows System Event Log. The operational logs are converted into text format by Project Lasso and sent to the Syslog Listener of the LogLogic Appliance via UDP or TCP.

The LogLogic Appliance uses file pulling to capture Microsoft DHCP audit log messages. By default, audit logs are stored in text format under the following directory:

  Windows\System32\Dhcp

The log files are named DhcpSrvLog-<day of week> (for example, DhcpSrvLog-Mon). LogLogic enables you to capture the log data in text format from a remote file system using FTP(S), HTTP(S), SCP, etc. Log files unchanged since the last pull are filtered out from collection to eliminate duplication. File pulling maintains a record of log files identified in the database to allow conversion. All log messages are pulled from the specified path where the converted log files are stored.

Note: LogLogic enables you to collect Microsoft DHCP log messages at a configurable time (e.g., every x minutes, at an hourly interval, daily at a specified time, or weekly at a specified date and time).
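The "unchanged since the last pull" filter interacts with the weekly reuse of the seven DhcpSrvLog names: a file with the same name, and possibly the same size, as one pulled a week earlier is new data, not a duplicate. The following Python scenario is an added example, not LogLogic code; it assumes the pull record keeps (size, modification time) per path, which the guide does not specify, and the three daily listings are constructed.

```python
"""Which DhcpSrvLog files a pull should fetch: files unchanged since the last
pull are skipped, but a file the DHCP service has reopened for a new week is
fetched again even though its name (and here even its size) is unchanged.
Added example, not LogLogic code; it assumes the pull state records
(size, modification time) per path, and the listings are constructed."""
from datetime import datetime

BASE = "/publishing directory/Dhcp/"


def files_to_pull(listing, state):
    """listing: iterable of (path, size, mtime); state: dict path -> (size, mtime),
    updated in place. Returns the paths that are new or changed since last time."""
    pull = []
    for path, size, mtime in listing:
        if state.get(path) == (size, mtime):
            continue  # unchanged since the last pull: filtered out as a duplicate
        pull.append(path)
        state[path] = (size, mtime)
    return pull


def run_scenario():
    """Three daily pulls spanning a week boundary; returns what each pull fetched."""
    state = {}
    monday = [(BASE + "DhcpSrvLog-Mon", 4096, datetime(2011, 4, 4, 23, 50))]
    tuesday = monday + [(BASE + "DhcpSrvLog-Tue", 2048, datetime(2011, 4, 5, 23, 50))]
    # One week on, the service reopened DhcpSrvLog-Mon: same name, same size, new mtime.
    next_monday = [(BASE + "DhcpSrvLog-Mon", 4096, datetime(2011, 4, 11, 23, 50)),
                   tuesday[1]]
    return [files_to_pull(day, state) for day in (monday, tuesday, next_monday)]


if __name__ == "__main__":
    for n, fetched in enumerate(run_scenario(), start=1):
        print("pull", n, "->", fetched)
```

The third pull fetches DhcpSrvLog-Mon again only because the modification time is part of the record; a size-only comparison would have dropped a full day of lease events as a duplicate. The same reasoning argues for a daily Collection Time: anything less frequent lets the service overwrite a file the Appliance never saw.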

Figure 4 Microsoft DHCP, Project Lasso (Collector Mode), a remote SFTP Host Server, and the LogLogic Appliance Components and Processes

Once the data is captured and parsed, you can generate reports. In addition, you can create alerts to notify you of issues on Microsoft DHCP. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.

Note: When a log file is transferred, each file contains a timestamp which consists of a date and time. The timestamp refers to the file creation date and time for a particular message in the file. For a listing of LogLogic supported date and time formats, see the LogLogic Administration Guide.

Supported Microsoft DHCP Log Data

LogLogic enables you to capture Microsoft DHCP audit and operational log data. Microsoft DHCP audit logs are comma-delimited text files with each log entry representing a single line of text. For example, an audit log file entry contains the following fields in the order presented:

  ID, Date, Time, Description, IP Address, Host Name, MAC Address

Table 2 on page 41 lists the Microsoft DHCP audit events that are supported by the LogLogic Appliance. Microsoft DHCP related operational events are recorded in the Windows System Event Log. This includes, by default, major activities that potentially affect the operating system (e.g., Microsoft DHCP service startup, shutdown, errors, and change of configuration options). Table 1 on page 28 lists the Microsoft DHCP operational events that are supported by the LogLogic Appliance.

Note: The LogLogic Appliance captures all messages from the Microsoft DHCP logs, but includes only specific messages for report/alert generation.
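A parser for the audit log format described above, which also groups events the way the pre-configured DHCP Activity, DHCP Denied Activity and DHCP Granted/Renewed Activity Real-Time Reports do, is given below as an added Python example; it is not LogLogic code. The field order is the one the guide gives. The MM/DD/YY and HH:MM:SS formats and the event-ID meanings are taken from the header Microsoft writes at the top of every DhcpSrvLog file (only a subset is included; extend it from Table 2 of the full guide), the mapping of event IDs to the three reports is my assumption, and the sample lines are constructed.

```python
"""Parser for the comma-delimited Microsoft DHCP audit log and a grouping that
mirrors the DHCP Activity, DHCP Denied Activity and DHCP Granted/Renewed
Activity Real-Time Reports. Added example, not LogLogic code. Field order is
the one the guide gives; date/time formats and event-ID meanings come from the
DhcpSrvLog file header (subset); report membership is assumed; sample lines
are constructed."""
import csv
from dataclasses import dataclass
from datetime import datetime
from io import StringIO

EVENT_IDS = {
    "00": "The log was started",
    "01": "The log was stopped",
    "02": "The log was temporarily paused due to low disk space",
    "10": "A new IP address was leased to a client",
    "11": "A lease was renewed by a client",
    "12": "A lease was released by a client",
    "13": "An IP address was found to be in use on the network",
    "14": "A lease request could not be satisfied because the scope's address pool was exhausted",
    "15": "A lease was denied",
    "16": "A lease was deleted",
    "17": "A lease was expired",
}
GRANTED_OR_RENEWED = {"10", "11"}  # assumed membership of the Granted/Renewed report
DENIED = {"15"}                    # assumed membership of the Denied report

# Constructed DhcpSrvLog-Mon content: the column-name row, then one event per line.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,04/04/11,00:00:03,Started,,,
10,04/04/11,08:12:45,Assign,192.0.2.25,WS-FIN-07.corp.example,0050569A1B2C
11,04/04/11,08:40:02,Renew,192.0.2.31,LT-ENG-12.corp.example,0050569A3D4E
15,04/04/11,09:03:17,NACK,192.0.2.99,,0050569AFFEE
13,04/04/11,09:15:00,Conflict,192.0.2.40,,
"""


@dataclass
class AuditEvent:
    event_id: str
    timestamp: datetime
    description: str
    ip_address: str
    host_name: str
    mac_address: str

    @property
    def meaning(self) -> str:
        return EVENT_IDS.get(self.event_id, "Unknown event ID " + self.event_id)


def parse_audit_log(text: str) -> list:
    """Parse one audit log file. Rows whose first field is not a numeric ID (the
    explanatory header Microsoft prepends, the column-name row, blank lines) are
    skipped; extra trailing fields that newer Windows releases add are ignored."""
    events = []
    for row in csv.reader(StringIO(text)):
        if len(row) < 7 or not row[0].strip().isdigit():
            continue
        ident, date, time_, desc, ip, host, mac = (f.strip() for f in row[:7])
        stamp = datetime.strptime(date + " " + time_, "%m/%d/%y %H:%M:%S")
        events.append(AuditEvent(ident, stamp, desc, ip, host, mac))
    return events


def report_counts(events) -> dict:
    """Event counts per report, the way the Real-Time Reports slice the same data."""
    ids = [e.event_id for e in events]
    return {
        "DHCP Activity": len(ids),
        "DHCP Denied Activity": sum(i in DENIED for i in ids),
        "DHCP Granted/Renewed Activity": sum(i in GRANTED_OR_RENEWED for i in ids),
    }


if __name__ == "__main__":
    parsed = parse_audit_log(SAMPLE_LOG)
    for e in parsed:
        print(e.timestamp, e.event_id, e.meaning, e.ip_address, e.mac_address)
    print(report_counts(parsed))
```

The parser keeps every line, as the Appliance does, and leaves selection to the report layer; an ID outside the table is preserved with an "Unknown event ID" meaning rather than dropped, so a new Windows release adding codes shows up as a countable anomaly instead of a silent gap. Event 13 (address conflict) and the rogue-server codes are the entries worth alerting on from a security standpoint, since both indicate another device handing out or holding addresses the server believes it owns.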

LogLogic Real-Time Reports

LogLogic provides pre-configured Real-Time Reports for Microsoft DHCP log data.

The following Real-Time Reports are available:

  • DHCP Activity – Displays events related to all DHCP activity
  • DHCP Denied Activity – Displays events related to DHCP requests that were denied
  • DHCP Granted/Renewed Activity – Displays events related to DHCP requests that were granted or renewed

To access LMI 5 Real-Time Reports:

1. In the top navigation pane, click Reports.
2. Click Network Activity.
   The following Real-Time Reports are available:
   • DHCP Activity
   • DHCP Denied Activity
   • DHCP Granted/Renewed Activity

You can create custom reports from the existing Real-Time Report templates. For more information, see the LogLogic User Guide and LogLogic Online Help.

LogLogic Search Filters

LogLogic provides pre-configured Search Filters for Microsoft DHCP log data. Search Filters are used to filter report data and create alerts.

To access Search Filters:

1. From the navigation menu, select Search.
2. Select Search Filters.

The following Search Filters are available:

  • Microsoft DHCP: Audit - Change & Configuration Management – Displays details for the following activities reported within the DHCP audit logs:
      - Network Configuration Changes
      - Privilege Change Status
      - User Account Changes
      - Application Configuration Changes
      - Windows Registry Changes
  • Microsoft DHCP: Audit - Continuity & Availability Management – Displays details for the following activities reported within the DHCP audit logs:
  • Microsoft DHCP: Audit - Rogue Server Detection – Displays details for all activities related to rogue server detection reported within the DHCP audit logs
  • Microsoft DHCP: Audit - Security & Threat Management – Displays details for the following activities reported within the DHCP audit logs:
      - IDS Activity
      - Top Attacking IP Addresses
      - Top Attacked IP Addresses
      - Antivirus Protection Status
  • Microsoft DHCP: Audit - System Health – Displays details for all activities related to system health reported within the DHCP audit logs
  • Microsoft DHCP: Audit Rogue DHCP Server detection – Displays details for all activities related to rogue DHCP server detection and shutdown reported within the DHCP audit logs
  • Microsoft DHCP: Operational - Backup & Restore – Displays details for all activities related to backup and restore events reported within the DHCP operational logs
  • Microsoft DHCP: Operational - Change & Configuration Management – Displays details for the following activities reported within the DHCP operational logs:
      - Network Configuration Changes
      - Privilege Change Status
      - User Account Changes
      - Application Configuration Changes
      - Windows Registry Changes
  • Microsoft DHCP: Operational - Configuration Changes – Displays details for all activities related to configuration changes reported within the DHCP operational logs
  • Microsoft DHCP: Operational - Identity & Access Management – Displays details for the following activities reported within the DHCP operational logs:
      - Privilege Use by User
      - Resource Access
      - Database Data Access
      - User Authentication Status
  • Microsoft DHCP: Operational - Performance & Capacity Management – Displays details for the following activities reported within the DHCP operational logs:
      - System Resource Exhaustion
      - Network Capacity Use by Application
      - Database Table Usage
  • Microsoft DHCP: Operational - Security & Threat Management – Displays details for the following activities reported within the DHCP operational logs:
      - IDS Activity
      - Top Attacking IP Addresses
      - Top Attacked IP Addresses
      - Antivirus Protection Status
  • Microsoft DHCP: Operational - Security Events – Displays details for all security events reported within the DHCP operational logs
  • Microsoft DHCP: Operational - Server Start/Stop – Displays details for all activities related to server starts or stops reported within the DHCP operational logs
  • Microsoft DHCP: Operational - System Health – Displays details for all activities related to system health reported within the DHCP operational logs
  • Microsoft DHCP: Operational Continuity & Availability Management – Displays details for the following activities reported within the DHCP operational logs:
      - System Restarts
      - Backup Status
      - System Errors

Chapter 3 – Troubleshooting and FAQ

This chapter contains troubleshooting information regarding the configuration and/or use of log collection for Microsoft DHCP. It also contains Frequently Asked Questions (FAQ), providing quick answers to common questions.

  Troubleshooting . . . 23
  Frequently Asked Questions . . . 25

Troubleshooting

Is your version of Microsoft DHCP supported?
For more information, see Prerequisites on page 8.

Is your LogLogic Appliance running Release 5.1 or later?
If you are running a release prior to 5.1, you will require an upgrade. Contact LogLogic Support for more information.

Are you running Project Lasso 4.0 or later?
If you are running a release prior to 4.0, you might require an upgrade. Contact LogLogic Support for more information.

Is the appropriate Log Source Package (LSP) installed properly?
Check to make sure that the LSP that is installed includes support for Microsoft DHCP. Also make sure that the package was installed successfully. For more information on LSP installation procedures, see the LogLogic Log Source Package Release Notes.

If Microsoft DHCP operational events are not appearing on the LogLogic Appliance...
You can verify that your log files are received by viewing the File Transfer History. You can view the history from the Administration > File Transfer History tab.
Make sure that you have properly installed and configured Project Lasso, and that no errors are present in Lasso’s error log (LassoTrace.log). For more information, see the LogLogic Windows Event Collector Guide (Project Lasso).

If Operational events are not displaying on the LogLogic Appliance even after configuring Microsoft DHCP and Project Lasso correctly...
Microsoft DHCP sends the logs, via UDP or TCP in Syslog format, to the LogLogic Appliance. Make sure that the UDP or TCP port is enabled on the Microsoft DHCP machine. For more information on supported protocols and ports, see the LogLogic Administration Guide and the LogLogic Windows Event Collector Guide (Project Lasso).

If Microsoft DHCP audit events are not appearing on the LogLogic Appliance...
You need to verify if the LogLogic Appliance is receiving the logs correctly. For more information, see Problems Retrieving Log Files Using Configured File Transfer Rules on page 24.

Problems Retrieving Log Files Using Configured File Transfer Rules

If you are having general problems retrieving audit log files using your configured file transfer rules, you might need to verify that your LogLogic Appliance is receiving Microsoft DHCP audit logs as scheduled.

To verify that the LogLogic Appliance is receiving logs correctly:

1. Log in to the LogLogic Appliance managing the Microsoft DHCP log data.

2. From the navigation menu, select Management > Devices.
   The Devices tab appears.

3. Select the File Transfer Rules tab.
   The File Transfer Rules tab appears with a table displaying all of your file transfer rules.

4. Find the file-based log data entries.

5. Under the Last Successful Retrieval column, check that a successful transfer has occurred within the configured Collection Interval.

6. Under the Last Attempted Retrieval column, verify that there are no failures.

7. If the Last Attempted Retrieval value is incrementing but the Last Successful Retrieval value is not changing, then the LogLogic Appliance is not receiving logs correctly. If this problem occurs, then complete the following steps:

   a. Verify the path to your log files. If necessary, make appropriate changes.

   b. Verify your user name and password. If necessary, make appropriate changes.

Alternatively, you can run an Index Search against Microsoft DHCP as follows to check log collection:

1. From the navigation menu, select Search > Index Search.

2. Specify the LogLogic Appliance as the Device Type and choose the appropriate Source Device.

3. Enter your Boolean Search query. For example:

   • To return file collector-related logs, type engine_filecollector

Frequently Asked Questions

How does the LogLogic Appliance collect logs from Microsoft DHCP?

For operational log collection, an open source Windows Event Collector, Project Lasso, is required in order to read the .evt files from the Windows machine, convert them into text format, and forward them via Syslog using UDP or TCP to the LogLogic Appliance. The LogLogic Appliance functions as the Syslog server. For more information, see How LogLogic Captures Microsoft DHCP Log Data on page 18.
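As an added example, not LogLogic's or Project Lasso's own code, the following Python shows what the forwarded text looks like once it reaches the appliance and how a detection engineer would pull the DhcpServer events out of it and sort them into the conditions that matter (authorization failures, another DHCP server on the segment, exhausted scopes, missing DNS credentials, audit log trouble). It assumes the Snare-style MSWinEventLog field order that the samples in Appendix A show, with the fields tab-delimited and a standard BSD syslog header in front; the sample lines below are constructed from those samples, and the grouping of event IDs is this editor's, based on the event titles in Table 1.

```python
"""Parse Project Lasso (Snare-style) MSWinEventLog syslog lines and triage DhcpServer events."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed BSD syslog header prepended by Lasso: "<PRI>Mon dd HH:MM:SS <sender-ip> "
_SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<sender>\S+) (?P<body>MSWinEventLog\t.*)$"
)

# Event IDs from Table 1 (Microsoft DHCP Operational Events), grouped by what they mean
# for a defender. The grouping is the editor's reading of the event titles, not LogLogic's.
WATCHLIST = {
    "authorization_failure": {1045, 1046, 1051, 1066, 1068, 1102, 1104, 20037, 20040, 20041},
    "other_dhcp_server_seen": {1042, 1052, 1053, 20038, 20042},
    "scope_exhaustion": {1020, 1075, 1089, 20012},
    "dns_credentials": {1055, 1056},
    "audit_log_trouble": {1027, 1030},
}


@dataclass
class DhcpEvent:
    sender: str        # IP the appliance received the syslog datagram from
    event_id: int
    event_type: str    # Windows level as Lasso reports it: Error / Warning / Information
    computer: str      # DHCP server hostname recorded in the event
    message: str


def parse_lasso_line(line: str) -> Optional[DhcpEvent]:
    """Return a DhcpEvent for a DhcpServer record; None for other sources or malformed lines."""
    m = _SYSLOG_HEADER.match(line)
    if not m:
        return None
    fields = m.group("body").split("\t")
    # Assumed Snare/Lasso field order (matches the Table 1 samples):
    # 0 MSWinEventLog 1 criticality 2 log 3 count 4 datetime 5 event id 6 source
    # 7 user 8 sid type 9 level 10 computer 11 category 12 data 13 message 14 trailer
    if len(fields) < 14 or fields[6] != "DhcpServer" or not fields[5].isdigit():
        return None
    return DhcpEvent(m.group("sender"), int(fields[5]), fields[9], fields[10], fields[13].strip())


def classify(event: DhcpEvent) -> Optional[str]:
    """Name of the WATCHLIST group the event falls in, or None if it is routine."""
    for name, ids in WATCHLIST.items():
        if event.event_id in ids:
            return name
    return None


def triage(lines) -> List[Tuple[int, str, str]]:
    """(event_id, computer, group) for every DhcpServer event worth a look, in arrival order."""
    hits = []
    for line in lines:
        ev = parse_lasso_line(line)
        if ev is None:
            continue
        group = classify(ev)
        if group:
            hits.append((ev.event_id, ev.computer, group))
    return hits


# Constructed sample input modelled on the Table 1 samples; tabs separate the Snare fields.
def _lasso(count, when, event_id, level, computer, message, trailer):
    return "<13>Feb 16 17:28:16 10.116.28.200 " + "\t".join([
        "MSWinEventLog", "0", "System", str(count), when, str(event_id), "DhcpServer",
        "Unknown User", "N/A", level, computer, "None", "0000: 00 00 00 00 ....", message, str(trailer)])


SAMPLE_LINES = [
    _lasso(1099, "Fri Feb 16 17:25:23 2007", 1046, "Error", "LAB-2003-200",
           "The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain "
           "loglog.com, has determined that it is not authorized to start. It has stopped servicing clients.", 381),
    _lasso(1099, "Fri Feb 16 17:25:23 2007", 20038, "Error", "LAB-2003-200",
           "The DHCP service is shutting down because another DHCP server with the IP address "
           "10.116.28.97 is active on the network.", 381),
    _lasso(10228, "Thu Sep 07 12:07:15 2006", 1056, "Warning", "LOGLOGIC-SRV1",
           "The DHCP service has detected that it is running on a DC and has no credentials configured "
           "for use with Dynamic DNS registrations initiated by the DHCP service.", 10228),
    _lasso(1099, "Fri Feb 16 17:25:23 2007", 1067, "Information", "LAB-2003-200",
           'The DHCP/BINL service is authorized in the directory service domain "DNSDHCP.com" '
           "(Server IP Address 10.116.28.27).", 381),
    # A non-DHCP record from the same System log is ignored: its source is not DhcpServer.
    "<13>Feb 16 17:28:16 10.116.28.200 " + "\t".join([
        "MSWinEventLog", "0", "System", "1100", "Fri Feb 16 17:25:30 2007", "7036",
        "Service Control Manager", "N/A", "N/A", "Information", "LAB-2003-200", "None", "",
        "The DHCP Server service entered the stopped state.", "382"]),
    "garbage that is not a syslog line",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LINES):
        print(hit)
```

The 1067 ("authorized") record is parsed but deliberately not reported: only the conditions on the watchlist produce a hit, so the routine authorization confirmations that a healthy server logs at startup do not page anyone. If your Lasso build emits space-separated rather than tab-separated fields, the split in parse_lasso_line is the one line to change.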

What access permissions are required?

To configure logging on Microsoft DHCP, the Windows user must have administrative permissions.

How do I configure logging on Microsoft DHCP?

Appendix A – Event Reference

This appendix lists the LogLogic-supported Microsoft DHCP events. The Microsoft DHCP event table identifies events that can be analyzed through LogLogic reports. All sample audit log messages were captured by LogLogic's file pull functionality. All sample operational log messages were captured by LogLogic's Syslog Listener.

LogLogic Support for Microsoft DHCP Events

The following list describes the contents of each of the columns in the tables below.

• Event ID – Microsoft DHCP event identifier

• Agile Reports/Search – Defines if the Microsoft DHCP event is available through the LogLogic Agile Report Engine or through the search capabilities. If the event is available through the Agile Report Engine, then you can use LogLogic's Real-Time Reports and Summary Reports to analyze and display the captured log data. Otherwise, all other supported events that are captured by the LogLogic Appliance can be viewed by performing a search for the log data.

• Title/Comments – Description of the event

• Event Category – Category of events such as Audit or Operational

• Event Type – Type of event such as Success, Failure, etc.

• Sample Log Message – Sample Microsoft DHCP log messages in text format

Table 1 Microsoft DHCP Operational Events

Every event in this table has the Agile Reports/Search value Search and the Event Category Operational. Each entry below gives the Event ID and Event Type on its first line, then the Title/Comments and the Sample Log Message. Where the Sample Log Message reads "No validated sample", the log format for this event is supported by the LogLogic Appliance, but the event has not been fully validated by LogLogic, so no sample log message is available; for more information on the event, see the Microsoft Product Documentation. Where the Event Type reads "not specified", the table leaves it blank.

1. Event ID 1008, Event Type: Error
   Title/Comments: The DHCP service is shutting down due to the following error: %1
   Sample Log Message: No validated sample.

2. Event ID 1016, Event Type: Error
   Title/Comments: The DHCP service encountered the following error when backing up the database: %1
   Sample Log Message: <13>Feb 20 12:15:47 10.116.28.200 MSWinEventLog 0 System 1339 Tue Feb 20 10:01:30 2007 1016 DhcpServer Unknown User N/A Error LAB-2003-200 None 0000: 2d 4e 00 00 -N.. The DHCP service encountered the following error when backing up the database: An error occurred while accessing the DHCP database. Look at the DHCP server event log for more information on this error. 845

3. Event ID 1018, Event Type: Failure
   Title/Comments: The DHCP service failed to restore the database. The following error occurred: %1
   Sample Log Message: No validated sample.

4. Event ID 1019, Event Type: Failure
   Title/Comments: The DHCP service failed to restore the DHCP registry configuration. The following error occurred: %1
   Sample Log Message: No validated sample.

5. Event ID 1020, Event Type: not specified
   Title/Comments: Scope, %1, is %2 percent full with only %3 IP addresses remaining.
   Sample Log Message: No validated sample.

6. Event ID 1023, Event Type: not specified
   Title/Comments: The DHCP service will now terminate because the existing database needs conversion to Windows 2000 format. The conversion via the jetconv process, has initiated. Do not reboot or stop the jetconv process. The conversion may take up to 10 minutes depending on the size of the database. Terminate DHCP now by clicking OK. This is required for the database conversion to succeed. NOTE: The DHCP service will be restarted automatically when the conversion is completed. To check conversion status, look at the Application event log for the jetconv process.
   Sample Log Message: <13>Feb 13 12:30:52 10.116.28.102 MSWinEventLog 0 System 10264 Thu Feb 08 10:13:43 2007 1023 DhcpServer Unknown User N/A Information LOGLOGIC-SRV1 None 0000: 00 00 00 00 .... The DHCP service will now terminate because the existing database needs conversion to Windows 2000 format. The conversion via the jetconv process, has initiated. Do not reboot or stop the jetconv process. The conversion may take up to 10 minutes depending on the size of the database. Terminate DHCP now by clicking OK. This is required for the database conversion to succeed.

7. Event ID 1027, Event Type: not specified
   Title/Comments: The audit log file cannot be appended.
   Sample Log Message: <13>Feb 13 12:30:52 10.116.28.102 MSWinEventLog 0 System 10264 Thu Feb 08 10:13:43 2007 1027 DhcpServer Unknown User N/A Information LOGLOGIC-SRV1 None 0000: 00 00 00 00 .... The audit log file cannot be appended.. 10264

8. Event ID 1030, Event Type: Error
   Title/Comments: The audit log file could not be backed up. The following error occurred: %1
   Sample Log Message: No validated sample.

9. Event ID 1040, Event Type: Success
   Title/Comments: The DHCP service successfully restored the database.
   Sample Log Message: <13>Feb 13 12:30:52 10.116.28.102 MSWinEventLog 0 System 10264 Thu Feb 08 10:13:43 2007 1040 DhcpServer Unknown User N/A Information LOGLOGIC-SRV1 None 0000: 00 00 00 00 .... The DHCP service successfully restored the database. 10264

10. Event ID 1041, Event Type: Error
   Title/Comments: The DHCP service is not servicing any clients because none of the active network interfaces have statically configured IP addresses, or there are no active interfaces.
   Sample Log Message: <13>Feb 13 12:30:52 10.116.28.102 MSWinEventLog 0 System 10284 Thu Feb 08 11:04:57 2007 1041 DhcpServer Unknown User N/A Error LOGLOGIC-SRV1 None 0000: 00 00 00 00 .... The DHCP service is not servicing any clients because none of the active network interfaces have statically configured IP addresses, or there are no active interfaces. 10284

11. Event ID 1042, Event Type: not specified
   Title/Comments: The DHCP/BINL service running on this machine has detected a server on the network. If the server does not belong to any domain, the domain is listed as empty. The IP address of the server is listed in parentheses.%1
   Sample Log Message: <13>Feb 13 12:30:52 10.116.28.102 MSWinEventLog 0 System 10264 Thu Feb 08 10:13:43 2007 1040 DhcpServer Unknown User N/A Information LOGLOGIC-SRV1 None 0000: 00 00 00 00 .... The DHCP/BINL service running on this machine has detected a server on the network. If the server does not belong to any domain, the domain is listed as empty. The IP address of the server is listed in parentheses {10.116.28.94}. 10264

12. Event ID 1045, Event Type: Failure
   Title/Comments: The DHCP/BINL service on the local machine has determined that it is not authorized to start. It has stopped servicing clients. The following are some possible reasons for this: This machine belongs to a workgroup and has encountered another DHCP Server (belonging to a Windows Administrative Domain) servicing the same network. An unexpected network error occurred.
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 1045 DhcpServer Unknown User N/A Error LAB-2003-200 None 0000: 00 00 00 00 .... The DHCP/BINL service on the local machine has determined that it is not authorized to start. It has stopped servicing clients. The following are some possible reasons for this: This machine belongs to a workgroup and has encountered another DHCP Server (belonging to a Windows Administrative Domain) servicing the same network. An unexpected network error occurred. 381

13. Event ID 1046, Event Type: Failure
   Title/Comments: The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain %2, has determined that it is not authorized to start. It has stopped servicing clients. The following are some possible reasons for this: This machine is part of a directory service enterprise and is not authorized in the same domain. (See help on the DHCP Service Management Tool for additional information). This machine cannot reach its directory service enterprise and it has encountered another DHCP service on the network belonging to a directory service enterprise on which the local machine is not authorized. Some unexpected network error occurred.
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 1046 DhcpServer Unknown User N/A Error LAB-2003-200 None 0000: 00 00 00 00 .... The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain loglog.com, has determined that it is not authorized to start. It has stopped servicing clients. The following are some possible reasons for this: This machine is part of a directory service enterprise and is not authorized in the same domain. (See help on the DHCP Service Management Tool for additional information). This machine cannot reach its directory service enterprise and it has encountered another DHCP service on the network belonging to a directory service enterprise on which the local machine is not authorized. Some unexpected network error occurred. 381

14. Event ID 1051, Event Type: Failure
   Title/Comments: The DHCP/BINL service has determined that it is not authorized to service clients on this network for the Windows domain: %2. All DHCP services that belong to a directory service enterprise must be authorized in the directory service to service clients. (See help on the DHCP Service Management Tool for authorizing a DHCP server in the directory service).
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 1051 DhcpServer Unknown User N/A Error LAB-2003-200 None 0000: 00 00 00 00 .... The DHCP/BINL service has determined that it is not authorized to service clients on this network for the Windows domain: DNSDHCP.com. All DHCP services that belong to a directory service enterprise must be authorized in the directory service to service clients. 381

15. Event ID 1052, Event Type: not specified
   Title/Comments: The DHCP/BINL service on this workgroup server has encountered another server with IP Address, %1, belonging to the domain %2.
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 1052 DhcpServer Unknown User N/A Error LAB-2003-200 None 0000: 00 00 00 00 .... The DHCP/BINL service on this workgroup server has encountered another server with IP Address, 10.114.19.29, belonging to the domain DNSDHCP.com. 381

16. Event ID 1053, Event Type: not specified
   Title/Comments: The DHCP/BINL service on this computer running Windows Server 2003, 2008 for Small Business Server has encountered another server on this network with IP Address, %1, belonging to the domain: %2.
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 1053 DhcpServer Unknown User N/A Error LAB-2003-200 None 0000: 00 00 00 00 .... The DHCP/BINL service on this computer running Windows Server 2003, 2008 for Small Business Server has encountered another server on this network with IP Address, 10.116.24,34, belonging to the domain: DNSDHCP.com. 381

17. Event ID 1054, Event Type: not specified
   Title/Comments: The DHCP/BINL service on this computer is shutting down. See the previous event log messages for reasons.
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 1054 DhcpServer Unknown User N/A Error LAB-2003-200 None 0000: 00 00 00 00 .... The DHCP/BINL service on this computer is shutting down. See the previous event log messages for reasons. 381

18. Event ID 1055, Event Type: Failure
   Title/Comments: The DHCP service was unable to impersonate the credentials necessary for DNS registrations: %1. The local system credentials is being used.
   Sample Log Message: No validated sample.

19. Event ID 1056, Event Type: Error
   Title/Comments: The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCP service. This is not a recommended security configuration. Credentials for Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the DHCP Administrative tool.
   Sample Log Message: <13>Feb 13 12:30:52 10.116.28.102 MSWinEventLog 0 System 10228 Thu Sep 07 12:07:15 2006 1056 DhcpServer Unknown User N/A Warning LOGLOGIC-SRV1 None 0000: 00 00 00 00 .... The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCP service. This is not a recommended security configuration. Credentials for Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the DHCP Administrative tool. 10228

20. Event ID 1066, Event Type: Failure
   Title/Comments: The DHCP/BINL service is not authorized in the directory service domain "%2" (Server IP Address %1)
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 1066 DhcpServer Unknown User N/A Error LAB-2003-200 None 0000: 00 00 00 00 .... The DHCP/BINL service is not authorized in the directory service domain "DNSDHCP.com" (Server IP Address 10.116.28.27). 381

21. Event ID 1067, Event Type: Success
   Title/Comments: The DHCP/BINL service is authorized in the directory service domain "%2" (Server IP Address %1)
   Sample Log Message: <13>Feb 13 12:30:52 10.116.28.102 MSWinEventLog 0 System 10228 Thu Sep 07 12:07:15 2006 1067 DhcpServer Unknown User N/A Warning LOGLOGIC-SRV1 None 0000: 00 00 00 00 .... The DHCP/BINL service is authorized in the directory service domain "DNSDHCP.com" (Server IP Address 10.116.28.27). 10228

22. Event ID 1068, Event Type: Error
   Title/Comments: The DHCP/BINL service has not determined if it is authorized in directory domain "%2" (Server IP Address %1)
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 1068 DhcpServer Unknown User N/A Error LAB-2003-200 None 0000: 00 00 00 00 .... The DHCP/BINL service has not determined if it is authorized in directory domain "DNSDHCP.com" (Server IP Address 10.116.28.27). 381

23. Event ID 1075, Event Type: not specified
   Title/Comments: Scope Full%0
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 20011 DhcpServer Unknown User N/A Error LAB-2003-200 None 0000: 00 00 00 00 .... Scope Full. 381

24. Event ID 1076, Event Type: not specified
   Title/Comments: Started%0
   Sample Log Message: No validated sample.

25. Event ID 1077, Event Type: not specified
   Title/Comments: Stopped%0
   Sample Log Message: No validated sample.

26. Event ID 1080, Event Type: not specified
   Title/Comments: BAD_ADDRESS%0
   Sample Log Message: No validated sample.

27. Event ID 1081, Event Type: not specified
   Title/Comments: This address is already in use%0
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 1081 DhcpServer Unknown User N/A Error LAB-2003-200 None 0000: 00 00 00 00 .... This address is already in use 10.116.28.77 381

28. Event ID 1086, Event Type: not specified
   Title/Comments: %%d leases expired and %%d leases deleted%0
   Sample Log Message: No validated sample.

29. Event ID 1088, Event Type: not specified
   Title/Comments: Microsoft DHCP Service Activity Log, followed by the legend of the audit log event IDs and the audit log column header:
      Event ID  Meaning
      00   The log was started.
      01   The log was stopped.
      02   The log was temporarily paused due to low disk space.
      10   A new IP address was leased to a client.
      11   A lease was renewed by a client.
      12   A lease was released by a client.
      13   An IP address was found to be in use on the network.
      14   A lease request could not be satisfied because the scope's address pool was exhausted.
      15   A lease was denied.
      16   A lease was deleted.
      17   A lease was expired.
      20   A BOOTP address was leased to a client.
      21   A dynamic BOOTP address was leased to a client.
      22   A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted.
      23   A BOOTP IP address was deleted after checking to see it was not in use.
      24   IP address cleanup operation has began.
      25   IP address cleanup statistics.
      30   DNS update request to the named DNS server
      31   DNS update failed
      32   DNS update successful
      50+  Codes above 50 are used for Rogue Server Detection information.
      ID,Date,Time,Description,IP Address,Host Name,MAC Address
   Sample Log Message: <13>Feb 13 12:30:52 10.116.28.102 MSWinEventLog 0 System 10228 Thu Sep 07 12:07:15 2006 1062 DhcpServer Unknown User N/A Warning LOGLOGIC-SRV1 None 0000: 00 00 00 00 .... Microsoft DHCP Service Activity Log [the same legend as in Title/Comments, from "Event ID Meaning" through "50+ Codes above 50 are used for Rogue Server Detection information."] ID,Date,Time,Description,IP Address,Host Name,MAC Address. 10228

30. Event ID 1089, Event Type: Success
   Title/Comments: BOOTP Range Full%0
   Sample Log Message: No validated sample.

31. Event ID 1099, Event Type: Success
   Title/Comments: Authorization succeeded%0
   Sample Log Message: No validated sample.

32. Event ID 1100, Event Type: not specified
   Title/Comments: Server Upgraded%0
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 20011 DhcpServer Unknown User N/A Error LAB-2003-200 None 0000: 00 00 00 00 .... Server Upgraded . 381

33. Event ID 1101, Event Type: not specified
   Title/Comments: Cached authorization%0
   Sample Log Message: No validated sample.

34. Event ID 1102, Event Type: Failure
   Title/Comments: Authorization failed%0
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 20011 DhcpServer Unknown User N/A Error LAB-2003-200 None 0000: 00 00 00 00 .... Authorization failed. 381

35. Event ID 1103, Event Type: Success
   Title/Comments: Authorized(servicing)%0
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 1105 DhcpServer Unknown User N/A Error LAB-2003-200 None 0000: 00 00 00 00 .... Authorized(servicing) server1. 381

36. Event ID 1104, Event Type: Failure
   Title/Comments: Authorization failure, stopped servicing%0
   Sample Log Message: No validated sample.

37. Event ID 1107, Event Type: not specified
   Title/Comments: Network failure%0
   Sample Log Message: No validated sample.

38. Event ID 20011, Event Type: not specified
   Title/Comments: The specified address is not available.
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 20011 DhcpServer Unknown User N/A Error LAB-2003-200 None 0000: 00 00 00 00 .... The specified address is not available. 381

39. Event ID 20012, Event Type: Error
   Title/Comments: The specified IP address range is full.
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 20012 DhcpServer Unknown User N/A Error LAB-2003-200 None 0000: 00 00 00 00 .... The specified IP address range is full. 381

40. Event ID 20015, Event Type: Error
   Title/Comments: The DHCP server received a message that is not valid.
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 20015 DhcpServer Unknown User N/A Error LAB-2003-200 None 0000: 00 00 00 00 .... The DHCP server received a message that is not valid. 381

41. Event ID 20016, Event Type: not specified
   Title/Comments: The DHCP server received a message from a client that is not valid.
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 20016 DhcpServer Unknown User N/A Error LAB-2003-200 None 0000: 00 00 00 00 .... The DHCP server received a message from a client that is not valid. 381

42. Event ID 20017, Event Type: not specified
   Title/Comments: The DHCP server service is paused.
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 20017 DhcpServer Unknown User N/A Error LAB-2003-200 None 0000: 00 00 00 00 .... The DHCP server service is paused. 381

43. Event ID 20034, Event Type: Error
   Title/Comments: The DHCP service received a request for a valid IP address that is not administered by this server.
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 20017 DhcpServer Unknown User N/A Error LAB-2003-200 None 0000: 00 00 00 00 .... The DHCP service received a request for a valid IP address that is not administered by this server. 381

44. Event ID 20035, Event Type: not specified
   Title/Comments: The DHCP Server failed to receive a notification of interface list changes. Some of the interfaces will not be enabled in the DHCP service.
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 20035 DhcpServer Unknown User N/A Error LAB-2003-200 None 0000: 00 00 00 00 .... The DHCP Server failed to receive a notification of interface list changes. Some of the interfaces will not be enabled in the DHCP service. 381

45. Event ID 20037, Event Type: Error
   Title/Comments: The DHCP Server is not servicing any clients on the network because it could not determine if it is authorized to run. This might be due to network problems or insufficient resources.
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 20037 DhcpServer Unknown User N/A Error LAB-2003-200 None 0000: 00 00 00 00 .... The DHCP Server is not servicing any clients on the network because it could not determine if it is authorized to run. This might be due to network problems or insufficient resources. 381

46. Event ID 20038, Event Type: Error
   Title/Comments: The DHCP service is shutting down because another DHCP server with the IP address %1 is active on the network.
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 20036 DhcpServer Unknown User N/A Error LAB-2003-200 None 0000: 00 00 00 00 .... The DHCP service is shutting down because another DHCP server with the IP address 10.116.28.97 is active on the network. 381

47. Event ID 20040, Event Type: Error
   Title/Comments: The DHCP service is unable to contact the directory service for domain %1. The DHCP service will continue to attempt to contact the directory service. During this time, no clients on the network will be serviced.
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 20040 DhcpServer Unknown User N/A Error LAB-2003-200 None 0000: 00 00 00 00 .... The DHCP service is unable to contact the directory service for domain DNSDHCP.com. The DHCP service will continue to attempt to contact the directory service. During this time, no clients on the network will be serviced. 381

48. Event ID 20041, Event Type: Error
   Title/Comments: The DHCP service is not servicing any clients on the network because its authorization information conflicts with another DHCP server whose IP address is %1 and is active on domain %2.
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 20041 DhcpServer Unknown User N/A Error LAB-2003-200 None 0000: 00 00 00 00 .... The DHCP service is not servicing any clients on the network because its authorization information conflicts with another DHCP server whose IP address is 10.116.28.77 and is active on domain DNSDHCP.com. 381

49. Event ID 20042, Event Type: not specified
   Title/Comments: The DHCP service is ignoring a request from another DHCP service because it is on a different directory service enterprise (Directory Service Enterprise root = %1)
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 20042 DhcpServer Unknown User N/A Error LAB-2003-200 None 0000: 00 00 00 00 .... The DHCP service is ignoring a request from another DHCP service because it is on a different directory service enterprise (Directory Service Enterprise root = server1). 381

50. Event ID 20050, Event Type: not specified
   Title/Comments: The network has changed. Retry this operation after checking for the network changes. Network changes may be caused by interfaces that are new or no longer valid, or by IP addresses that are new or no longer valid.
   Sample Log Message: <13>Feb 16 17:28:16 10.116.28.200 MSWinEventLog 0 System 1099 Fri Feb 16 17:25:23 2007 20050 DhcpServer Unknown User N/A Error LAB-2003-200 None 0000: 00 00 00 00 .... The network has changed. Retry this operation after checking for the network changes. Network changes may be caused by interfaces that are new or no longer valid, or by IP addresses that are new or no longer valid. 381
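The 1088 entry above documents the layout of the DHCP audit log file that the appliance pulls with its file transfer rules: a free-text legend, then the column header ID,Date,Time,Description,IP Address,Host Name,MAC Address, then one comma-separated row per event. As an added example that is not part of the original guide, the Python below parses such a file and flags the entries a security analyst cares about: pool exhaustion (14, 22), address conflicts (13), denied leases (15), the 50+ rogue server detection codes, and a burst of new leases (10) to many distinct MAC addresses in a short window, which is what a DHCP starvation attack looks like in this log. The audit file contents are constructed for the example; the MM/DD/YY date format, the Description strings, and the handling of extra columns that later Windows Server releases append are assumptions about the Windows audit log, and the burst threshold is an arbitrary starting point to tune per site.

```python
"""Parse a Windows DHCP server audit log and flag security-relevant entries."""
import csv
from datetime import datetime
from io import StringIO
from typing import List, Tuple

# Event ID legend as documented under event 1088 in Table 1.
AUDIT_ID_MEANING = {
    0: "The log was started.", 1: "The log was stopped.",
    2: "The log was temporarily paused due to low disk space.",
    10: "A new IP address was leased to a client.", 11: "A lease was renewed by a client.",
    12: "A lease was released by a client.", 13: "An IP address was found to be in use on the network.",
    14: "A lease request could not be satisfied because the scope's address pool was exhausted.",
    15: "A lease was denied.", 16: "A lease was deleted.", 17: "A lease was expired.",
    20: "A BOOTP address was leased to a client.", 21: "A dynamic BOOTP address was leased to a client.",
    22: "A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted.",
    23: "A BOOTP IP address was deleted after checking to see it was not in use.",
    24: "IP address cleanup operation has began.", 25: "IP address cleanup statistics.",
    30: "DNS update request to the named DNS server", 31: "DNS update failed", 32: "DNS update successful",
}
COLUMNS = ("id", "date", "time", "description", "ip", "host", "mac")


def describe(event_id: int) -> str:
    if event_id >= 50:
        return "Rogue Server Detection information"
    return AUDIT_ID_MEANING.get(event_id, "Unknown event ID")


def parse_audit_log(text: str) -> List[dict]:
    """Return the data rows as dicts; the legend Windows writes above the column header is skipped.
    Only the seven documented columns are read (assumption: newer releases append more columns)."""
    rows, in_body = [], False
    for fields in csv.reader(StringIO(text)):
        if fields and fields[0] == "ID":
            in_body = True          # column header reached; everything after it is data
            continue
        if not in_body or len(fields) < 7 or not fields[0].strip().isdigit():
            continue
        row = dict(zip(COLUMNS, (f.strip() for f in fields[:7])))
        row["id"] = int(row["id"])
        # Assumption: Date is MM/DD/YY and Time is HH:MM:SS, as in the constructed sample.
        row["when"] = datetime.strptime(f"{row['date']} {row['time']}", "%m/%d/%y %H:%M:%S")
        rows.append(row)
    return rows


def audit_findings(rows, burst_window_s: int = 60, burst_threshold: int = 5) -> List[Tuple[str, str]]:
    """(kind, detail) for every row worth an analyst's attention, plus one lease-burst finding if seen."""
    findings = []
    for r in rows:
        if r["id"] in (14, 22):
            findings.append(("pool_exhausted", f"{r['when']:%Y-%m-%d %H:%M:%S} {r['description']}"))
        elif r["id"] == 13:
            findings.append(("address_conflict", r["ip"]))
        elif r["id"] == 15:
            findings.append(("lease_denied", r["mac"] or r["ip"]))
        elif r["id"] >= 50:
            findings.append(("rogue_server_detection", f"{r['id']} {r['description']} {r['ip']}".strip()))
    # Starvation heuristic: at least burst_threshold distinct MACs get new leases (ID 10)
    # within burst_window_s seconds of each other. A real client population renews (11);
    # a flood of fresh MACs asking for addresses is an attacker draining the scope.
    leases = sorted((r["when"], r["mac"]) for r in rows if r["id"] == 10)
    for i, (t0, _) in enumerate(leases):
        macs = {mac for t, mac in leases[i:] if (t - t0).total_seconds() <= burst_window_s}
        if len(macs) >= burst_threshold:
            findings.append(("lease_burst", f"{len(macs)} distinct MACs within {burst_window_s}s from {t0:%H:%M:%S}"))
            break
    return findings


# Constructed sample audit log (not a real capture); the legend is abbreviated.
SAMPLE_AUDIT_LOG = """\
\t\tMicrosoft DHCP Service Activity Log

Event ID  Meaning
00\tThe log was started.
10\tA new IP address was leased to a client.
13\tAn IP address was found to be in use on the network.
50+\tCodes above 50 are used for Rogue Server Detection information.

ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,02/20/07,00:00:03,Started,,,,
10,02/20/07,09:15:01,Assign,10.116.28.50,ws01.loglog.com,000C29AA0001,
11,02/20/07,09:20:44,Renew,10.116.28.51,ws02.loglog.com,000C29AA0002,
13,02/20/07,09:31:12,Conflict,10.116.28.77,,000C29AA00FF,
10,02/20/07,10:01:30,Assign,10.116.28.101,,02DEAD000001,
10,02/20/07,10:01:31,Assign,10.116.28.102,,02DEAD000002,
10,02/20/07,10:01:31,Assign,10.116.28.103,,02DEAD000003,
10,02/20/07,10:01:32,Assign,10.116.28.104,,02DEAD000004,
10,02/20/07,10:01:33,Assign,10.116.28.105,,02DEAD000005,
14,02/20/07,10:01:35,Scope Full,,,,
15,02/20/07,10:02:00,Denied,10.116.28.106,,02DEAD000006,
62,02/20/07,10:04:50,Another server found,10.116.28.97,,,
"""

if __name__ == "__main__":
    for kind, detail in audit_findings(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"{kind:24} {detail}")
```

The five-lease burst that precedes the Scope Full entry in the sample is the point of the exercise: the 14 row tells you the pool is empty, but only the run of 10 rows from never-seen MAC addresses tells you why, and that is the signal to correlate with the 1020 and 20012 operational events from Table 1.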

References

Related documents