DHCP security

I'm trying to monitor DHCP requests for security purposes. I set the DHCP server up to write out logs, but I need it to be listed in the Event Viewer. I have a program that can monitor pretty much anything, except read log files. Does anyone know how this can be changed so I can know when someone plugs into my network and an IP is assigned to them?

Joeteck (Author) commented:
I have only 50 computers; the MAC address idea sounds good, but it is more inconvenient for me when setting up new workstations.

So what you're saying is that my request is not possible...

I want to know when the IP address is being leased again, and any new ones if there should be.

I find it very silly of Microsoft not to have that as an Event Viewer event.

They have everything else writing to the thing...
Depending on the size of your network and the level of security you need, you may want to consider setting all DHCP addresses to be reserved by MAC address. Then only machines with a MAC address listed will be assigned an IP address. (I've done this for a 16k node network before.)

MAC address spoofing is possible, but that issue depends on the complexity of attack that you need to worry about.

Overall it sounds like you might want to look into an IDS.
I don't know of a way to write DHCP requests to the Event Logs, but you might be able to use LogParser to analyze the DHCP logs, which are just comma-delimited text files. See:

Joeteck (Author) commented:
I found this VBScript, but it does not seem to work... I have it set up as a scheduled event.

'**** DHCP Server Log Checking Script (Version 2.0)
'**** Copyright © 2005 Chris Pratt
'**** You may use this script free of charge but may not make any changes except to the variables to meet your needs
'**** without the permission of the author.
'**** The script is best set-up to run as a scheduled task. It can check for any event ID in the DHCP Server logs.
'**** It does not need to run on the DHCP server but you will need the full UNC path and the user that the script
'**** is set to run as will need rights to the servers log file areas.
'**** The interval is configurable and your scheduled task running time should be set to match that so areas of the
'**** logs don't go unchecked.
'**** Version 2.0 - Now for Windows Server 2003 DHCP (Use version 1.0 for 2000)
'On Error resume next

strOSversion = "2000" ' Choose 2000 or 2003 to match your version of Windows Server - This is your DHCP Server version
strDHCPServer = "appserver" ' Change to the name of your DHCP server

strfindtime = dateadd("n", -10, Time)           ' Change this figure (-10) to set interval between checking (in minutes)
intfindtime = 10 ' Change this value to match the one above
strtoday = (WeekdayName(Weekday(Date),true))

if strOSversion = "2003" then
            ' Windows Server 2003 log location and file name
            strlogfile = "\\" & strDHCPServer & "\c$\windows\system32\dhcp\dhcpsrvlog-" & strtoday & ".log"
      Else
            ' Windows 2000 Server log location and file name
            strlogfile = "\\" & strDHCPServer & "\c$\winnt\system32\dhcp\DhcpSrvlog." & strtoday
      End if

streventid = "10"    ' Change to meet what event you want to check for - See the beginning of a log to see a definition list of the Event ID's

Dim strTo, strSubject, strBody, i
Dim objCDOMail
strTo = "user@domain.com" ' Who the e-mail goes to
strSubject = "DHCP IP Alert" 'subject of the e-mail
set objCDOMail = CreateObject("CDONTS.NewMail")
objCDOMail.From = "admin@domain.com" ' who the e-mail is from
objCDOMail.From    =  "SYSTEM <Administrator@domain.com>" ' who the e-mail is from
foundentry = 0
strBody = ""
const forreading = 1
set objfso = createobject("Scripting.filesystemobject")
set objtextfile = objfso.opentextfile(strlogfile, forreading)
do while objtextfile.atendofstream <> True
ceventid = ""
posfind = 0
strline = objtextfile.readline

if instr(strline, "ID Date,Time,Description,IP Address,Host Name,MAC Address") then
            strline = objtextfile.readline

      end if

if instr(strline, ",") then
            arrdhcprecord = split(strline, ",", 7)
            ceventid = arrdhcprecord(0)
            ceventdte = arrdhcprecord(1)
            ceventtime = arrdhcprecord(2)
            ceventdesc = arrdhcprecord(3)
            ceventip = arrdhcprecord(4)
            ceventhost = arrdhcprecord(5)
            ceventmac = arrdhcprecord(6)

      End if

findtime = datediff("n", ceventtime, strfindtime)

if findtime < intfindtime then
            posfind = posfind + 1

      end if

if ceventid = streventid then
            posfind = posfind + 1

end if

if findtime > 0 then
            posfind = posfind + 1

      end if

if posfind = 3 then
            strBody = strBody & "===================" & vbCrLf
            strBody = strBody & " DHCP Server Alert" & vbCrLf
            strBody = strBody & "===================" & vbCrLf
            strBody = strBody & vbCrLf
            strBody = strBody & "Event ID: " & ceventid & vbCrLf
            strBody = strBody & "Date: " & ceventdte & vbCrLf
            strBody = strBody & "Time: " & ceventtime & vbCrLf
            strBody = strBody & "Desc: " & ceventdesc & vbCrLf
            strBody = strBody & "IP: " & ceventip & vbCrLf
            strBody = strBody & "Host: " & ceventhost & vbCrLf
            strBody = strBody & "Mac: " & ceventmac & vbCrLf
            strBody = strBody & "FindTime: " & findtime & vbCrLf
            strBody = strBody & vbCrLf
            foundentry = 1

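      end if

Loop
objtextfile.close

' Send one e-mail containing every matching entry found in this run
if foundentry = 1 then
objCDOMail.To      = strTo
objCDOMail.Subject = strSubject
objCDOMail.Body    = strBody
objCDOMail.Send

end if
Set objCDOMail = Nothing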
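
The log-parsing approach discussed in this thread can also feed the Event Viewer directly, which is what the question asks for. The following PowerShell is an added example, not part of the original thread or of Chris Pratt's script. It assumes the 2003 log path and column order used in the script above and an MM/dd/yy date format in the log; the allowlist file, the event source name and the event numbers 1010/1011 are hypothetical.

```powershell
# Added example: copies recent DHCP lease records into the Application event log.
# Hypothetical names: $KnownFile, $Source, event numbers 1010 and 1011.
$Server    = 'appserver'                                   # DHCP server name from the thread
$Day       = (Get-Date).DayOfWeek.ToString().Substring(0, 3)   # Mon, Tue, ...
$LogFile   = '\\{0}\c$\windows\system32\dhcp\DhcpSrvLog-{1}.log' -f $Server, $Day
$KnownFile = 'C:\DhcpWatch\known-macs.txt'                 # one expected MAC per line
$Source    = 'DhcpLeaseWatch'
$Minutes   = 10                                            # match the scheduled task interval

# Register the event source once (requires administrator rights).
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}

# Load the allowlist, normalising MACs to bare upper-case hex.
$known = @{}
if (Test-Path $KnownFile) {
    Get-Content $KnownFile | Where-Object { $_.Trim() } |
        ForEach-Object { $known[($_ -replace '[^0-9A-Fa-f]').ToUpper()] = $true }
}

$cutoff  = (Get-Date).AddMinutes(-$Minutes)
$columns = 'ID', 'Date', 'Time', 'Description', 'IP', 'Host', 'MAC'

Get-Content $LogFile |
    Where-Object { $_ -match '^\d+,\d' } |                 # skip banner and event ID legend
    ConvertFrom-Csv -Header $columns |                     # extra columns are discarded
    Where-Object { $_.ID -eq '10' -or $_.ID -eq '11' } |   # 10 = new lease, 11 = renewal
    ForEach-Object {
        # Assumption: the log writes dates as MM/dd/yy and times as HH:mm:ss.
        $when = [datetime]::ParseExact("$($_.Date) $($_.Time)", 'MM/dd/yy HH:mm:ss',
                                       [cultureinfo]::InvariantCulture)
        if ($when -lt $cutoff) { return }                  # already covered by an earlier run
        $mac     = ($_.MAC -replace '[^0-9A-Fa-f]').ToUpper()
        $isKnown = $known.ContainsKey($mac)
        $type    = if ($isKnown) { 'Information' } else { 'Warning' }
        $eventId = if ($isKnown) { 1011 } else { 1010 }
        $text    = 'DHCP event {0} ({1}) at {2}: IP {3}, host {4}, MAC {5}, known MAC: {6}' -f `
                   $_.ID, $_.Description, $when, $_.IP, $_.Host, $mac, $isKnown
        Write-EventLog -LogName Application -Source $Source -EntryType $type `
                       -EventId $eventId -Message $text
    }
```

Run as a scheduled task at the same interval as `$Minutes`, this lets an Event Viewer monitor alert on Warning entries from the source. Host names and MAC addresses in the log are supplied by the client, so a match against the allowlist is an inventory check rather than proof of identity.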

Joeteck (Author) commented:
Close this question please, and give back my points
You can post a 0-point question in the support area (link at upper-right corner of this page) and ask them to close the question.
Question has a verified solution.
