How can I monitor the DHCP log file?
The DHCP service logs information to a text file that can be monitored by Operations and Security Manager. Typical events and how they look in the log file are shown below:
Event ID and Meaning:
A typical log file looks like this:
00 - The log was started.
01 - The log was stopped.
02 - The log was temporarily paused due to low disk space.
10 - A new IP address was leased to a client.
11 - A lease was renewed by a client.
12 - A lease was released by a client.
13 - An IP address was found to be in use on the network.
14 - A lease request could not be satisfied because the scope's address pool was exhausted.
15 - A lease was denied.
16 - A lease was deleted.
17 - A lease was expired.
20 - A BOOTP address was leased to a client.
21 - A dynamic BOOTP address was leased to a client.
22 - A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted.
23 - A BOOTP IP address was deleted after checking to see it was not in use.
50+ - Codes above 50 are used for Rogue Server Detection information.
The basic steps for monitoring any text application log are shown below. Use the online Help for more detailed assistance in creating a data provider and a processing rule group with collection and alerting rules.
- Create a new data provider for an Application log. Typically, the DHCP logs are saved in C:\WINNT\System32\DHCP on DHCP servers. The actual location varies depending on where Windows NT or Windows 2000 is installed. When creating a provider, select the Generic: Single Line Log format. The DHCP log file format is DhcpSrvLog.
- Edit an existing Processing Rule Group or create a new one (recommended) associated with the DHCP servers.
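
To decide which event IDs deserve an alerting rule rather than plain collection, it helps to run the same logic over a log offline first. The script below is an added example, not part of the original article or of Operations Manager. It assumes each record is a single comma-separated line in the order ID, Date, Time, Description, IP Address, Host Name, MAC Address; the sample lines are constructed, and the choice of which IDs raise an alert is the example's own.

```python
import csv

# Event IDs from the list above that this example treats as alert-worthy
# (the selection is an assumption, not a recommendation from the article).
ALERT_EVENTS = {
    2: "log paused due to low disk space",
    13: "IP address found to be in use on the network",
    14: "scope address pool exhausted",
    15: "lease denied",
    22: "BOOTP address pool exhausted",
}
# Assumed field order of one single-line record.
FIELDS = ["id", "date", "time", "description", "ip", "host", "mac"]

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,05/12/01,00:00:05,Started,,,
10,05/12/01,08:14:22,Assign,192.0.2.21,ws01.example.test,00105A000001
11,05/12/01,09:02:10,Renew,192.0.2.21,ws01.example.test,00105A000001
13,05/12/01,09:30:41,Conflict,192.0.2.40,BAD_ADDRESS,
14,05/12/01,10:11:03,Scope Full,192.0.2.0,,
55,05/12/01,10:15:00,Authorization check,,example.test,
this line is not a log record
"""

def parse_dhcp_log(text):
    """Yield one dict per record; header, blank and malformed lines are skipped."""
    for row in csv.reader(text.splitlines()):
        if len(row) < len(FIELDS) or not row[0].strip().isdigit():
            continue
        rec = dict(zip(FIELDS, (c.strip() for c in row)))
        rec["id"] = int(rec["id"])
        yield rec

def alerts(records):
    """Return (record, reason) pairs for events that should raise an alert."""
    out = []
    for rec in records:
        if rec["id"] >= 50:  # rogue server detection range per the list above
            out.append((rec, "rogue server detection information"))
        elif rec["id"] in ALERT_EVENTS:
            out.append((rec, ALERT_EVENTS[rec["id"]]))
    return out

if __name__ == "__main__":
    for rec, reason in alerts(parse_dhcp_log(SAMPLE_LOG)):
        print(f'{rec["date"]} {rec["time"]} id={rec["id"]:02d} ip={rec["ip"] or "-"}: {reason}')
```

Routine events such as 10, 11 and 12 are parsed but not alerted on, which mirrors the split between collection rules and alerting rules in a processing rule group.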