All, I'm after some help monitoring the DHCP logs on a Windows 2008 server.
Basically, I'm trying to monitor when an IP address is assigned or renewed to anything that doesn't belong to our domain.
The rules I've got set up on the policy are:
1. Ignore any line with our domain name in it
2. Ignore any line containing one of our PC names
3. Ignore any line containing the word NACK
4. Ignore any line with a blank Host Name
5. Generate a message on all remaining RENEW and ASSIGN lines
I'm having trouble with Rule 4 (ignore anything with a blank Host Name), i.e. the ,, (double comma) after the IP Address in the log extract below. The last line is the type of thing I want to generate a message on.
I can't just look for L-031699.xxxx.local as these host names will obviously all be different.
I've changed the Field Separator to a ',' for this rule and tried pretty much every combination of pattern matching I can think of. Funny thing is I'm only modifying a policy which used to work perfectly on a Windows 2003 DHCP server but I don't have a W2003 dhcp log to compare with.
The W2003 pattern that used to work was:
I'm sure this shouldn't be as hard as I'm making it and I'm missing something obvious. I've not done much with logfile monitoring policies or pattern matching before, so any suggestion for Rule 4 would be much appreciated!
which my policy failed to pick up. I think the rule is not matching the commas to the right fields as during my testing, I got this message back a couple of times:
A DHCP lease was renewed by a client:
Host Name: 0
IP Address: 10.10.xxx.x,XXX_TEST.,180373X55XXX,,1588241571
MAC Address: ,
The actual line in the DHCP log was similar to the one above, but obviously with a different host name. Somehow, the policy is picking up the QResult as the Host Name and using the column headings "IP Address,Host Name,MAC Address,User Name and TransactionID" as the IP Address.
I've changed the pattern matching on the rules to use a comma, so it should be looking for these as separators, right?
How do other people monitor these logon events - does anyone know of a better / easier way to do this?
I've changed pattern matching for the whole policy to a comma, 'Applied to All' and then replaced all the commas with a <_> for all rules. I've also added the '^' to all rules with matches that start at the beginning of the logfile line.
I have tested the rules for this policy in the past, but only one at a time from the modify conditions window. Even though they matched, the whole policy still didn't work. I suspect now this was because I didn't test all the rules at the same time and in the correct order...
Things are looking up already though as we finally have a couple of messages and emails with the correct Host Names, IP Addresses, MAC address, date and time stamps so I think we've cracked it!
I'll do a bit more testing to make sure I'm catching everything I need and post back...
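As an added example (not code from any of the posts above), here is the five-rule policy expressed as a small Python filter over constructed sample lines laid out like the standard Windows DHCP audit log (ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,TransactionID,...). The domain name, PC inventory, addresses and MACs are assumed values; the filter also skips the column-heading row, which is what produced the bogus "Host Name: 0" message in the thread when the headings were parsed as a record.

```python
import csv
import io

# Constructed sample Windows DHCP audit log; every value is invented.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID,Dhcid.
10,05/12/20,09:00:01,Assign,10.10.1.20,L-031699.example.local,001122334455,,1588241571,0,,,
11,05/12/20,09:00:05,Renew,10.10.1.21,,001122334466,,1588241572,0,,,
15,05/12/20,09:00:09,NACK,10.10.1.22,,001122334477,,1588241573,0,,,
11,05/12/20,09:00:12,Renew,10.10.1.23,PC0042,001122334488,,1588241574,0,,,
10,05/12/20,09:00:15,Assign,10.10.1.24,android-3f9a,0011223344aa,,1588241575,0,,,
"""

DOMAIN = "example.local"   # assumed: our AD domain suffix
KNOWN_PCS = {"PC0042"}     # assumed: inventory of our own PC names


def suspicious_leases(log_text, domain=DOMAIN, known_pcs=KNOWN_PCS):
    """Return the Assign/Renew records that survive ignore rules 1-4."""
    hits = []
    for row in csv.reader(io.StringIO(log_text)):
        # Skip the heading row and any preamble: real records start with a numeric ID.
        if len(row) < 7 or not row[0].strip().isdigit():
            continue
        desc, ip, host, mac = (f.strip() for f in row[3:7])
        host = host.rstrip(".")          # the server sometimes logs "NAME." with a trailing dot
        if desc.upper() == "NACK":       # rule 3
            continue
        if host == "":                   # rule 4: the ",," right after the IP address
            continue
        if host.lower().endswith("." + domain.lower()):   # rule 1
            continue
        if host.split(".")[0].upper() in {p.upper() for p in known_pcs}:  # rule 2
            continue
        if desc.upper() in ("ASSIGN", "RENEW"):           # rule 5
            hits.append({"desc": desc, "ip": ip, "host": host, "mac": mac})
    return hits


def format_message(hit):
    """Build the alert text in the same shape as the policy's message."""
    verb = "renewed" if hit["desc"].upper() == "RENEW" else "assigned"
    return (f"A DHCP lease was {verb} to a client:\n"
            f"Host Name: {hit['host']}\nIP Address: {hit['ip']}\nMAC Address: {hit['mac']}")


if __name__ == "__main__":
    for h in suspicious_leases(SAMPLE_LOG):
        print(format_message(h))
```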