Microsoft DHCP Content Pack

The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

DHCP is a network protocol used to assign IP addresses and other network configuration parameters dynamically to devices on a network. Microsoft provides DHCP server software as a component of its Windows Server operating system. The Microsoft DHCP server manages the automatic assignment of IP addresses to client devices on a network, reducing the need for manual configuration and helping to ensure a consistent and correct IP addressing scheme. This technology pack processes Microsoft DHCP server audit log files collected with the Filebeat agent, providing normalization and enrichment of DHCP lease and service lifecycle events.

Supported Versions

  • Windows Server 2016

  • Windows Server 2019

  • Windows Server 2022

  • Windows Server 2025

Requirements

  • Windows DHCP Server.

  • Graylog Server with a valid Enterprise license, running Graylog version 4.3 or later.

  • Filebeat agent configured to collect DHCP audit logs and forward them to a Graylog Beats input.

Stream Configuration

This technology pack includes 1 stream:

  • "Illuminate:Windows Event Log Messages"

Hint: If this stream does not exist prior to the activation of this pack then it will be created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.

Index Set Configuration

This technology pack includes 1 index set definition:

  • "Windows Event Log Messages"

Hint: If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Collection

The DHCP audit log is stored in C:\Windows\System32\DHCP. A log file is created for each day of the week. Filebeat is used to collect these files and forward them to a Graylog Beats input.

Create a Beats Input in Graylog

  1. In Graylog, navigate to System > Inputs and launch a Beats input.

  2. Configure the desired port number, then save and start the input.

Configure Filebeat

Edit the Filebeat configuration file (filebeat.yml) to collect DHCP logs. The fields section is required so Graylog routes logs to the correct processing pipeline.

  1. Set the paths entry to C:\Windows\System32\dhcp\* to collect all daily log files.

  2. Add event_source_product: microsoft_dhcp under fields with fields_under_root: true.

  3. Configure the output.logstash section to point to your Graylog server IP and Beats input port.

  4. Start Filebeat: Start-Service filebeat

Log Format Example

10,01/27/23,12:44:33,Assign,192.168.1.10,DESKTOP-P423Q1J,C025A54DB363,,4092471859,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0 11,01/27/23,14:38:40,Renew,192.168.1.11,DESKTOP-P423Q1J,C025A54DB363,,2272135476,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0 12,01/30/23,15:27:28,Release,192.168.1.11,DESKTOP-P423Q1J,C025A54DB363,,3451374721,0,,,,,,,,,0 00,11/18/22,12:20:06,Started,,,,,0,6,,,,,,,,,0 01,11/18/22,12:20:06,Stopped,,,,,0,6,,,,,,,,,0 55,01/30/23,12:04:08,Authorized(servicing),,,,,0,6,,,,,,,,,0 56,11/18/22,12:20:06,Authorization failure, stopped servicing,,,,,0,6,,,,,,,,,0 15,01/30/23,16:58:03,NACK,172.16.14.67,,F8B156BAB90C,,0,6,,,,,,,,,0 13,01/27/23,12:44:36,Conflict,192.168.1.10,BAD_ADDRESS,,,0,6,,,,,,,,,0

What is Provided

  • Parsing rules to normalize and enrich Microsoft DHCP server audit log messages.

  • GIM categorization for DHCP lease events, service lifecycle events, and DHCP error conditions.

  • Field extraction for all standard DHCP audit log columns including client IP, hostname, MAC address, transaction ID, and vendor class information.

Events Processed by This Technology Pack

The Microsoft DHCP content pack supports parsing and GIM categorization for the following event types:

GIM Categorization

GIM categorization is provided for the following messages:

Message Type gim_event_type_code gim_event_category gim_event_class gim_event_subcategory gim_event_type
Service started (event ID 00) / Authorized servicing (event ID 55) 210000 service endpoint service.start service started
Service stopped (event ID 01) / Stopped servicing (event ID 56) 210100 service endpoint service.stop service stopped
IP address assigned to client (event ID 10) 290300 dhcp protocol dhcp.acknowledgement dhcp acknowledgement
IP address lease renewed by client (event ID 11) 290300 dhcp protocol dhcp.acknowledgement dhcp acknowledgement
IP address released by client (event ID 12) 299999 dhcp protocol dhcp.default dhcp default event
IP address conflict detected (event ID 13) 299999 dhcp protocol dhcp.default dhcp default event
DHCP scope address pool exhausted (event ID 14) 299999 dhcp protocol dhcp.default dhcp default event
DHCP lease request denied / NACK (event ID 15) 299999 dhcp protocol dhcp.default dhcp default event
Lease deleted from database (event ID 16) 299999 dhcp protocol dhcp.default dhcp default event
All other audit log entries (audit log paused / DNS updates / cleanup / informational) 000000 message message.log_message message

Fields Extracted by This Pack

Event IDs

Event IDs supported with parsing and GIM categorization.

Event ID Description GIM Category
00 The DHCP audit log was started (service start) service.start (210000)
01 The DHCP audit log was stopped (service stop) service.stop (210100)
02 The audit log was temporarily paused due to low disk space message (000000)
10 A new IP address was leased to a client dhcp.acknowledgement (290300)
11 A lease was renewed by a client dhcp.acknowledgement (290300)
12 A lease was released by a client dhcp.default (299999)
13 An IP address was found to be in use on the network (conflict) dhcp.default (299999)
14 A lease request could not be satisfied — scope address pool exhausted dhcp.default (299999)
15 A lease was denied (DHCPNAK sent to client) dhcp.default (299999)
16 A lease was deleted from the database dhcp.default (299999)
17 A lease expired and DNS records have not been deleted message (000000)
18 A lease expired and DNS records were deleted message (000000)
20 A BOOTP address was leased to a client message (000000)
24 IP address cleanup operation has begun message (000000)
25 IP address cleanup statistics message (000000)
30 DNS dynamic update request sent to DNS server message (000000)
31 DNS dynamic update failed message (000000)
32 DNS dynamic update successful message (000000)
55 DHCP server authorized in AD DS and actively servicing clients service.start (210000)
56 DHCP server stopped servicing clients (authorization failure or revocation) service.stop (210100)
61 Server found that belongs to DS domain message (000000)
64 No static IP address bound to DHCP server message (000000)

Parsed Fields

Fields extracted from all Microsoft DHCP audit log messages.

Field Name Description
event_id Numeric DHCP audit log event ID (e.g. 10 = Assign / 11 = Renew / 12 = Release)
vendor_event_description Human-readable event description from the DHCP audit log (e.g. Assign / Renew / Release / Started)
source_ip IP address of the DHCP client involved in the event
source_hostname Hostname of the DHCP client as recorded by the server
source_mac MAC address of the DHCP client (format: hex without delimiters e.g. C025A54DB363)
user_name Username associated with the client request (if present)
vendor_transaction_id DHCP transaction ID for the lease operation
vendor_qresult Query result code returned by the DHCP server
vendor_probation_time Probation time value from the log entry (if present)
vendor_correlation_id Correlation ID for the DHCP transaction (if present)
vendor_dhcid DHCP unique identifier (DHCID) for the client (if present)
vendor_class_hex Vendor class identifier in hexadecimal (e.g. 0x4D53465420352E30)
vendor_class_ascii Vendor class identifier decoded as ASCII (e.g. MSFT 5.0)
vendor_user_class_hex User class identifier in hexadecimal (if present)
vendor_user_class_ascii User class identifier decoded as ASCII (if present)
vendor_relay_agent_information Relay agent information option (Option 82) value (if present)
vendor_dns_reg_error DNS registration error code (0 = no error)
event_log_path Full path of the DHCP audit log file from which the event was read
event_reporter_hostname Hostname of the Windows server running the Filebeat agent
event_reporter_ip IP address of the Windows server running the Filebeat agent
event_reporter_mac MAC address of the Windows server running the Filebeat agent
event_reporter_id Unique identifier of the Filebeat host
event_uid Unique event identifier assigned by the Filebeat agent
event_source_product Source product identifier (value: microsoft_dhcp)
file_type Log file type as identified by Filebeat
service_name Name of the DHCP service (value: Microsoft DHCP Server — set for service lifecycle events 210000 / 210100)
gim_event_type_code Assigned GIM event type code(s) (e.g. 210000 / 210100 / 290300 / 299999)
gim_event_type Human-readable GIM event type label corresponding to the assigned code