RSA Admin

Problems with Microsoft 2003 DHCP logs

Discussion created by RSA Admin Employee on Sep 11, 2008
Latest reply on Oct 14, 2008 by RSA Admin

I am having issues getting Microsoft DHCP logs reliably.  It worked when the enVision was first set up but I am no longer getting any data.  I suspect this may have something to do with the way that Microsoft DHCP stores its logs.  Instead of a single log file that keeps getting appended with new data, or multiple log files that are created for each day (ex: YYYYMMDD.log format) it uses 7 logs for each day of the week, i.e.


DhcpSrvLog-Mon.log
DhcpSrvLog-Tue.log
DhcpSrvLog-Wed.log
DhcpSrvLog-Thu.log
DhcpSrvLog-Fri.log
DhcpSrvLog-Sat.log
DhcpSrvLog-Sun.log


Each of those log files gets overwritten as that day comes back.  So for example on September 1st the DhcpSrvLog-Mon.log log may get 1,000 rows of data.  1 week later it gets overwritten with perhaps only 800 rows of data, and so on.  Each of the log files also has approximately 30 rows of headers (explaining the codes used in the log) that remain constant.


The SFTP Agent used to send the logs keeps track of the position for each of the logs (DhcpSrvLog-Mon.log through DhcpSrvLog-Sun.log).  After about 1 week’s worth it no longer sends anything to the RSA.

Below is the configuration of the SFTP agent.


dir0=C:\WINDOWS\System32\dhcp\
dir0.filespec=DhcpSrvLog*
dir0.interval=60
dir0.has_header=true
dir0.compression=true
dir0.enabled=true
dir0.ftp=[envision-IP],[nic_user],publickey,MICROSOFT_DHCP_2003_[IP]


By looking at the events from the NIC System I can confirm that the File Reader is indeed running.
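The failure mode described in this post, a collector that remembers a byte offset per file while the DHCP server replaces each day-of-week file with a fresh, usually shorter one, can be reproduced and fixed with a small reader. The code below is an added example, not part of the original post and not RSA's SFTP agent; the log rows and dates are constructed, the header is abbreviated from the real file's roughly 30 explanatory lines, and `read_new_rows` is a hypothetical replacement reader, not a description of how the enVision agent works internally. It contrasts an offset-only reader with one that treats the constant header as a boundary and the first data row (which carries that week's date) as a fingerprint for detecting the weekly overwrite.

```python
"""Offset-tracking readers for Microsoft DHCP's DhcpSrvLog-<Day>.log files.

Added example (not the original post's or RSA's code). Log content is constructed;
the header is shortened from the real ~30-line one. Files are written with CRLF
line endings, as the DHCP service does on Windows.
"""
import os
import tempfile

COLUMNS_LINE = b"ID,Date,Time,Description,IP Address,Host Name,MAC Address"

# Constructed, abbreviated header: the real file repeats a longer code table every week.
HEADER = b"\r\n".join([
    b"\t\tMicrosoft DHCP Service Activity Log",
    b"",
    b"Event ID  Meaning",
    b"00\tThe log was started.",
    b"01\tThe log was stopped.",
    b"10\tA new IP address was leased to a client.",
    b"",
    COLUMNS_LINE,
]) + b"\r\n"


def lease_row(date, i):
    """One constructed event-10 (lease) row in the DHCP CSV layout."""
    return f"10,{date},08:00:{i:02d},Assign,192.168.1.{50 + i},host{i},001122334455\r\n".encode()


def dhcp_file(date, n_rows):
    """Bytes of a freshly started day file: constant header plus n_rows lease rows."""
    return HEADER + b"".join(lease_row(date, i) for i in range(n_rows))


def split_header(data):
    """Return (offset just past the column-header line, first data row without CRLF)."""
    idx = data.find(COLUMNS_LINE)
    if idx < 0:
        raise ValueError("no column header line: not a DHCP activity log")
    header_end = data.index(b"\n", idx) + 1
    nl = data.find(b"\n", header_end)
    first_row = data[header_end:nl if nl >= 0 else len(data)].rstrip(b"\r")
    return header_end, first_row


def read_new_rows_naive(path, state):
    """Offset-only reader (state[path] = offset). It skips the header once, then only
    ever reads from where it stopped. After the file is replaced by a shorter one the
    saved offset lies past EOF and the slice is empty forever; if the new file were
    longer it would instead hand back a slice starting in the middle of the data."""
    with open(path, "rb") as f:
        data = f.read()
    offset = state.get(path)
    if offset is None:
        offset, _ = split_header(data)
    chunk = data[offset:]
    state[path] = offset + len(chunk)
    return [ln.decode("ascii", "replace") for ln in chunk.splitlines()]


def read_new_rows(path, state):
    """Overwrite-aware reader (state[path] = (offset, fingerprint)). A new week's file
    either shrank below the saved offset or starts with a different first data row
    (the date changes); either way the offset is reset to the end of the header."""
    with open(path, "rb") as f:
        data = f.read()
    header_end, fingerprint = split_header(data)
    offset, seen = state.get(path, (header_end, None))
    if len(data) < offset or fingerprint != seen:
        offset = header_end
    chunk = data[offset:]
    last_nl = chunk.rfind(b"\n")            # consume complete rows only
    if last_nl < 0:
        return []
    complete = chunk[:last_nl + 1]
    state[path] = (offset + len(complete), fingerprint)
    return [ln.decode("ascii", "replace") for ln in complete.splitlines()]


def simulate(reader, state, phases):
    """Drive a reader through a constructed week in a temp dir. phases is a list of
    (mode, date, n_rows): 'new' starts a fresh DhcpSrvLog-Mon.log (the weekly
    overwrite), 'append' adds rows to it. Returns rows delivered after each phase."""
    counts = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "DhcpSrvLog-Mon.log")
        for mode, date, n in phases:
            body = dhcp_file(date, n) if mode == "new" else b"".join(lease_row(date, i) for i in range(n))
            with open(path, "wb" if mode == "new" else "ab") as f:
                f.write(body)
            counts.append(len(reader(path, state)))
    return counts


WEEK = [("new", "09/01/08", 10), ("append", "09/01/08", 3),
        ("new", "09/08/08", 8), ("append", "09/08/08", 2)]

if __name__ == "__main__":
    print("offset-only reader :", simulate(read_new_rows_naive, {}, WEEK))  # [10, 3, 0, 0]
    print("overwrite-aware    :", simulate(read_new_rows, {}, WEEK))        # [10, 3, 8, 2]
```

The size check alone is not enough: a busier week produces a file larger than the saved offset, and an offset-only reader would then resume mid-row inside the new data rather than from its start. Fingerprinting the first data row catches both cases because every week's first row carries a new date. A production collector would also stat the file before reading it in full and would persist the state across restarts; this example keeps the state in memory to stay self-contained.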
