Getting logs from Microsoft DHCP and DNS Servers

Microsoft DHCP and DNS servers use similar technology to produce audit logs. In both cases, when logging is enabled, the services log their activity to a configured location on the file system. In order to read those logs in InsightIDR, we provide file and directory watchers to automatically read in any changes to these log files. Share the folder that contains the log files in order to enable the collector to read these files over the network. This folder needs to be shared with a read-only credential that will also be provided to the DHCP and DNS event source configurations.

The Dynamic Host Configuration Protocol (DHCP) servers assign addresses to network devices. InsightIDR uses DHCP information to tie users to their various assets and ever-changing IP addresses. This event source is critical for asset-to-IP correlation.

The Microsoft Domain Name Server (DNS) names resources that are connected to the Internet or a private network. It translates domain names, for example, www.mywebsite.com to its numerical Internet Protocol (IP) address, for example, 172.16.254.1. InsightIDR can ingest these logs for further context around outbound traffic and network activity. DNS adds visibility, along with firewall, Web proxy, and other outbound traffic-based event sources, so that InsightIDR can identify cloud services used by your organization. DNS logs are also available for detailed review in investigations.

Perform the following steps on the server side for the InsightIDR collector to incorporate logs from the DHCP and DNS:

  1. Create a destination folder on the hard drive where the logs reside.
  2. Share that folder with a read-only credential that is also entered in InsightIDR.
  3. Enable logging on the service and direct those logs to the newly created folder.

DHCP

Rapid7 recommends that the folder for DHCP logging resides on the root (C) drive of the server that hosts the DHCP, for example, C:\dhcplogs.

Begin by creating the log file folder and sharing it:

  1. Create a folder for the DHCP logs. C:\dhcplogs is the recommended directory for storing DHCP logs.
  2. Right click the folder and select Properties from the drop-down menu. In the Properties dialog, click the Sharing tab and then click the Advanced Sharing button.
  3. In the Advanced Sharing dialog, select Share this folder and then click the Permissions button.
  4. In the Share Permissions dialog, click the Add… button and provide the credential that accesses this file. Include the user name and password for this credential in InsightIDR when the DHCP event source is set up.
  5. Launch the DHCP console.
  6. Right click IPv4, and select Properties from the drop-down menu.
  7. Click the Advanced tab. In the Audit log file path field, change the destination folder to the folder that stores the DHCP logs.

It is strongly recommended that you select a folder other than the default folder that is used as the log folder. If you use the default folder, other DHCP binary files will also be present in this folder causing the InsightIDR DHCP event source to produce warnings when it tries to read these files. This may potentially disrupt the Microsoft DHCP service.

On the InsightIDR side, you can configure the DHCP event source to read the shared folder via UNC notation and by providing the credential that was used when setting up the shared folder. UNC notation is Microsoft's Universal Naming Convention which is a common syntax used to describe the location of a network resource. A file filter of DhcpSrvLog*.log should be used to ensure that only the DHCP log files are read by InsightIDR.

DNS

  1. Create a folder for the DNS logs. C:\dnslogs is the recommended directory for storing DNS logs.

Note: Rapid7 recommends that the folder for DNS logging reside on the root (C) drive of the server that hosts the DNS, for example, C:\dnslogs.

  2. Right click the folder and select Properties from the drop-down menu. In the Properties dialog, click the Sharing tab and then click the Advanced Sharing button.
  3. In the Advanced Sharing dialog, select Share this folder and then click the Permissions button.
  4. In the Share Permissions dialog, click the Add… button and provide the credential that accesses this file. Include the user name and password for this credential in InsightIDR when the DNS event source is set up.
  5. To enable logging on the DNS server, right click the server’s name in the DNS Manager and select Properties from the drop-down menu.
  6. Click the Debug Logging tab, select Log packets for debugging, and enter the destination file name (the shared directory that you previously created) in the File path and name field. The remaining check boxes can keep the default values.

On the InsightIDR side, you can configure the DNS event source to read the shared folder via UNC notation and by providing the credential that was used when setting up the shared folder. UNC notation is Microsoft's Universal Naming Convention which is a common syntax used to describe the location of a network resource.

Make sure the file path includes the filename for the tail file as in the sample image. Unlike DHCP, just providing the directory path for the log is not sufficient for the DNS file configuration.
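The same server-side setup (dedicated folder, read-only share, DHCP audit log path, DNS debug logging) can be scripted instead of clicked through the dialogs. The script below is an added example, not Rapid7's or Microsoft's own code; the account name CORP\svc-insightidr, the share names and the dns.log file name are placeholders, and it assumes the DhcpServer and DnsServer PowerShell modules are present on the respective hosts.

```powershell
# Added example: server-side configuration for the InsightIDR DHCP and DNS
# event sources. Placeholder account; replace with your read-only collector account.
$ReadOnlyAccount = 'CORP\svc-insightidr'

function New-LogShare {
    param([string]$Path, [string]$ShareName)
    # Dedicated folder: never reuse the service's default log directory, because
    # the other binary files there make the event source emit warnings.
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    # Share-level permission is read-only for the collector account only
    # (same result as Share this folder -> Permissions in the GUI).
    if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $ShareName -Path $Path -ReadAccess $ReadOnlyAccount | Out-Null
    }
}

# --- DHCP server: point the audit log at the new folder ---
New-LogShare -Path 'C:\dhcplogs' -ShareName 'dhcplogs'
Set-DhcpServerAuditLog -Enable $true -Path 'C:\dhcplogs'
# The new path is picked up when the service restarts; the service then writes
# DhcpSrvLog-<Day>.log files, which the DhcpSrvLog*.log filter matches.
Restart-Service -Name DHCPServer

# --- DNS server: packet (debug) logging to a file in the shared folder ---
New-LogShare -Path 'C:\dnslogs' -ShareName 'dnslogs'
# Switches mirror the Debug Logging tab defaults: both directions, UDP and TCP,
# queries/updates/notifications, requests and responses.
Set-DnsServerDiagnostics -EnableLoggingToFile $true `
    -LogFilePath 'C:\dnslogs\dns.log' `
    -SendPackets $true -ReceivePackets $true `
    -UdpPackets $true -TcpPackets $true `
    -Queries $true -Update $true -Notifications $true `
    -QuestionTransactions $true -Answers $true
# In InsightIDR the DNS source needs the full UNC file path (\\<server>\dnslogs\dns.log);
# the DHCP source needs only the share directory (\\<server>\dhcplogs).
```

NTFS permissions still apply on top of the share permission, so the collector account also needs read access on the folder itself (the default inherited rights on a new folder under C:\ normally provide this).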

Troubleshooting issues with configuring DHCP or DNS sources

If the DHCP or DNS event sources experience an error, the event source icon will turn to a yellow warning or red failure. Moving the mouse over the icon will reveal the details of the error. Typical errors of this sort are failure to connect to the server, bad credentials, or failure to find the file or folder configured in the event source.

Sometimes the DHCP and DNS event sources might not be reading any logs even if they don't show a warning or error. In this situation, try the following tests.

  1. Can you connect to the DHCP or DNS server file share when you log on to the machine running the InsightIDR collector?
  2. Is there a typo in the file pattern in the DHCP configuration? If the file pattern is wrong, none of the files in the directory will match.
  3. Has srv.sys been set to start on demand on the server? Srv.sys should be set to start on demand. For more information, please read Srv.sys.
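The three checks above can be run from the collector host in one go. This is an added example, not part of the original page; the server name, share name and the prompted credential are placeholders, and the srv.sys check assumes the collector host can reach the server over WinRM with the caller's own credentials.

```powershell
# Added example: collector-side checks for a silent DHCP/DNS event source.
$Server  = 'dhcp01.corp.example'       # placeholder DHCP or DNS server
$Share   = "\\$Server\dhcplogs"        # share configured in the event source
$Pattern = 'DhcpSrvLog*.log'           # same file filter as the event source
$Cred    = Get-Credential -Message 'Read-only account used by the event source'

# 1. Can the collector reach the file share with that credential?
if (-not (Test-NetConnection -ComputerName $Server -Port 445).TcpTestSucceeded) {
    Write-Warning "TCP 445 to $Server is blocked or the host is down"
}
New-PSDrive -Name L -PSProvider FileSystem -Root $Share -Credential $Cred -ErrorAction Stop | Out-Null
try {
    # 2. Does the file pattern match anything? No error but no matches usually
    #    means a typo in the pattern or the wrong folder.
    $hits = @(Get-ChildItem -Path 'L:\' -Filter $Pattern -File)
    if ($hits.Count -eq 0) {
        Write-Warning "No files in $Share match '$Pattern'; check the filter"
    } else {
        $hits | Select-Object Name, LastWriteTime, Length
    }
} finally {
    Remove-PSDrive -Name L
}

# 3. Is the srv kernel driver set to start on demand (StartMode 'Manual')?
$srv = Get-CimInstance -ClassName Win32_SystemDriver -ComputerName $Server -Filter "Name='srv'"
if ($null -eq $srv) {
    Write-Warning "srv driver not found on $Server"
} elseif ($srv.StartMode -ne 'Manual') {
    Write-Warning "srv.sys start mode on $Server is '$($srv.StartMode)', expected Manual"
}
```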