How to Monitor the DHCP Log File (298367)



The information in this article applies to:

  • Microsoft Operations Manager 2000

This article was previously published under Q298367

SUMMARY

This article describes how you can monitor only certain events from the Dynamic Host Configuration Protocol (DHCP) log file in Microsoft Operations Manager (MOM). The article also explains what the event IDs mean and why it is important to edit your rules for event collection.

MORE INFORMATION

The DHCP service logs information to a text file that MOM can monitor.

Monitoring a DHCP Log File

The following are the basic steps for monitoring any text application log. Refer to the Help files for more detailed information about creating a data provider and a Processing Rule Group that has rules for collection and for alerts.
  1. Create a new data provider for an application log, and specify the Generic: Single Line Log format. The DHCP logfile format is DhcpSrvLog.*.

    Typically, the DHCP logs are saved in the C:\WINNT\System32\DHCP folder on DHCP servers. The actual location depends on where Microsoft Windows NT or Microsoft Windows 2000 is installed.
  2. Create a new Processing Rule Group (PRG) (recommended), or plan to modify an existing PRG that is associated with the DHCP servers.
  3. Create a collection rule for the log file. When you are defining the collection criteria, click Advanced, click Parameter 4 in the Field list, and specify Matches Regular Expression as the value of the field. For example, to monitor only the event ID range of 10 to 13, enter the following regular expression statement in the Value box:

    ^(1[0-3])

  4. Verify that collection is occurring by viewing events that are collected in the Monitor|All Other Events view.
  5. After you verify that you are collecting the specified events from the DHCP log file, create event- or alert-processing rules for responding to these events. Responses can include paging someone, sending e-mail, spawning a batch file, or sending a trap.

Understanding DHCP Event IDs

This is what typical DHCP event IDs indicate when they appear in the log file:
   Event ID    Meaning
   -------------------
   00          The log was started.
   01          The log was stopped.
   02          The log was temporarily paused due to low disk space.
   10          A new IP address was leased to a client.
   11          A lease was renewed by a client.
   12          A lease was released by a client.
   13          An IP address was found to be in use on the network.
   14          A lease request could not be satisfied because the scope's address pool was exhausted.
   15          A lease was denied.
   16          A lease was deleted.
   17          A lease was expired.
   20          A BOOTP address was leased to a client.
   21          A dynamic BOOTP address was leased to a client.
   22          A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted.
   23          A BOOTP IP address was deleted after checking to see that it was not in use.
   50+         Codes above 50 are used for Rogue Server Detection information.
				
This is how typical DHCP events appear in the log file:

   ID  Date     Time      Description  IP Address      Host Name        Mac Address
   --------------------------------------------------------------------------------
   11  8/24/00  00:00:58  Renew        xxx.xxx.xx.xxx  Acme.domain.com  00xxxxxxxxxx
   11  8/24/00  00:03:28  Renew        xxx.xxx.xx.xxx  Acme.domain.com  00xxxxxxxxxx
   11  8/24/00  00:05:58  Renew        xxx.xxx.xx.xxx  Acme.domain.com  00xxxxxxxxxx


Managing Event Collection

Note that although the Description field of each DHCP event reads like an event description from a Windows NT event log, all of the text that is produced from a DHCP log file has to be parsed, and it has different parameters. For example, in the preceding example of a log file, the event text "Renew" is actually Parameter 4 and not Description.

To view the parameters for events that are produced from a log file, expand Microsoft Management Console, expand Monitor, and then click All Other Events. Double-click a logfile event, and then click the Parameters tab in the event's properties dialog box.

It is important to collect this information and edit your collection rules to include it. If you do not specify any criteria (Matched or Advanced), all of the DHCP application event log entries are collected. Because application log monitoring is single-line logging, each line in the DHCP log file becomes a distinct Windows NT event in the Windows NT application log, generating a large number of undesired events.
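
The following Python sketch is an added example, not part of the original article or of MOM. It applies the regular expression from step 3 to the event ID field of a constructed sample log and shows which lines a collection rule with that criterion would keep and which it would drop. It assumes comma-separated fields in the column order shown above; the sample lines, addresses, host names and description strings are constructed.

```python
import csv
import re
from collections import Counter

# Event IDs listed in the article's table (the "50+" range is left out).
TABLE_IDS = "00 01 02 10 11 12 13 14 15 16 17 20 21 22 23".split()

# Collection criterion from step 3 of the article: event IDs 10 to 13.
COLLECT = re.compile(r"^(1[0-3])")

# Column order from the article's sample log.
FIELDS = ["id", "date", "time", "description", "ip", "host", "mac"]

# Constructed sample, not real data. Comma-separated fields are an assumption.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,08/24/00,00:00:01,Started,,,
11,08/24/00,00:00:58,Renew,192.0.2.10,acme.example.com,00AABBCCDD01
10,08/24/00,00:01:12,Assign,192.0.2.11,pc2.example.com,00AABBCCDD02
11,08/24/00,00:03:28,Renew,192.0.2.10,acme.example.com,00AABBCCDD01
13,08/24/00,00:04:10,Conflict,192.0.2.12,,
14,08/24/00,00:04:11,Exhausted,,,
15,08/24/00,00:04:12,Denied,192.0.2.13,pc3.example.com,00AABBCCDD03
"""


def parse_log(text):
    """Yield one dict per event line, skipping headers and blank lines."""
    for row in csv.reader(text.splitlines()):
        if len(row) < len(FIELDS) or not row[0].strip().isdigit():
            continue
        yield dict(zip(FIELDS, (field.strip() for field in row)))


def collect(text, pattern=COLLECT):
    """Split events into (collected, dropped) by matching the ID field."""
    collected, dropped = [], []
    for event in parse_log(text):
        (collected if pattern.match(event["id"]) else dropped).append(event)
    return collected, dropped


def ids_matched(pattern=COLLECT, ids=TABLE_IDS):
    """Return which of the article's event IDs the pattern would collect."""
    return [event_id for event_id in ids if pattern.match(event_id)]


if __name__ == "__main__":
    kept, dropped = collect(SAMPLE_LOG)
    print("pattern collects IDs:", ids_matched())
    print("collected:", dict(Counter(e["id"] for e in kept)))
    print("dropped:  ", dict(Counter(e["id"] for e in dropped)))
```

With this criterion, the pool-exhausted (14) and lease-denied (15) lines in the sample are dropped, so a rule set meant to alert on those conditions needs a pattern that includes them.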

Modification Type: Minor
Last Reviewed: 6/13/2005
Keywords:kbenv kbinfo KB298367