Microsoft DHCP Server Log Analysis

Microsoft DHCP Server Audit Log

 

Microsoft DHCP Server Audit Log files are enabled by default. Microsoft DHCP Server Audit Log records are written cyclically to log files created for each of the 7 days of the week under the "C:\Windows\System32\dhcp\" directory.

 

Microsoft DHCP Server Audit Log Format

 

“ID, Date, Time, Description, IP Address, Host Name, MAC Address”

 

Microsoft DHCP Server Sample Log

 

ID,Date,Time,Description,IP Address,Host Name,MAC Address

11,09/19/11,17:55:55,Renew,192.168.1.56,Ty-PC.test2008,0017C4E45C2B

 

Microsoft DHCP Server Audit Log Fields

 

| Field | Description |
| --- | --- |
| ID | A DHCP server event ID code. |
| Date | The date on which this entry was logged on the DHCP server. |
| Time | The time at which this entry was logged on the DHCP server. |
| Description | A description of this DHCP server event. |
| IP Address | The IP address of the DHCP client. |
| Host Name | The host name of the DHCP client. |
| MAC Address | The media access control (MAC) address used by the network adapter hardware of the client. |

 

 

Microsoft DHCP Server Event Code

| Event ID | Description |
| --- | --- |
| 00 | The log was started. |
| 01 | The log was stopped. |
| 02 | The log was temporarily paused due to low disk space. |
| 10 | A new IP address was leased to a client. |
| 11 | A lease was renewed by a client. |
| 12 | A lease was released by a client. |
| 13 | An IP address was found in use on the network. |
| 14 | A lease request could not be satisfied because the address pool of the scope was exhausted. |
| 15 | A lease was denied. |
| 20 | A Bootstrap Protocol (BOOTP) address was leased to a client. |

| Event ID | Description |
| --- | --- |
| 30 | DNS dynamic update request |
| 31 | DNS dynamic update failed |
| 32 | DNS dynamic update successful |

 

| Event ID | Description |
| --- | --- |
| 50 | Unreachable domain: The DHCP server did not locate the specific domain for its configured Active Directory installation. |
| 51 | Authorization succeeded: The DHCP server was authorized to start on the network. |
| 52 | Upgraded to a Windows Server 2008 operating system: The DHCP server was recently upgraded to a Windows Server 2008 operating system, and, therefore, the unauthorized DHCP server detection feature (used to determine whether the server has been authorized in AD DS) was disabled. |
| 53 | Cached Authorization: The DHCP server was authorized to start using previously cached information. AD DS could not be found at the time the server was started on the network. |
| 54 | Authorization failed: The DHCP server was not authorized to start on the network. When this event occurs, it is likely followed by the server being stopped. |
| 55 | Authorization (servicing): The DHCP server was successfully authorized to start on the network. |
| 56 | Authorization failure, stopped servicing: The DHCP server was not authorized to start on the network and was shut down by the operating system. You must first authorize the server in AD DS before starting it again. |
| 57 | Server found in domain: Another DHCP server exists and is authorized for service in the same domain. |
| 58 | Server did not find domain: The DHCP server did not locate the specified domain. |
| 59 | Network failure: A network-related failure prevented the server from determining if it is authorized. |
| 60 | No domain controller is directory service enabled: No domain controller running Windows Server 2008 was located. For detecting whether the server is authorized, a domain controller that is enabled for AD DS is required. |
| 61 | Server found that belongs to DS domain: Another DHCP server was found on the network that belongs to the Active Directory domain. |
| 62 | Another server found: Another DHCP server was found on the network. |
| 63 | Restarting rogue detection: The DHCP server is trying again to determine whether it is authorized to start and provide service on the network. |
| 64 | No DHCP enabled interfaces: The DHCP server has its service bindings or network connections configured so that it is not enabled to provide service. This usually means one of the following: |

  • The network connections of the server are either not installed or not actively connected to a network.
  • The server has not been configured with at least one static IP address for one of its installed and active network connections.
  • All of the statically configured network connections for the server are disabled.
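
The following is an added example, not part of the original article or of any Microsoft tooling: a small Python parser for the audit log format above that surfaces the event IDs an analyst usually reviews first and lists IP addresses leased to more than one MAC address. The function names, the choice of IDs in ALERT_IDS, the MM/DD/YY date interpretation, and every sample row after the first are assumptions made for the example.

```python
import csv
from datetime import datetime

FIELDS = ["ID", "Date", "Time", "Description", "IP Address", "Host Name", "MAC Address"]
# Editor's selection of IDs from the tables above that usually warrant review.
ALERT_IDS = {
    13: "IP address found in use on the network",
    14: "scope address pool exhausted",
    15: "lease denied",
    54: "authorization failed",
    56: "authorization failure, stopped servicing",
    61: "another DHCP server found in the DS domain",
    62: "another DHCP server found",
}
# Constructed sample: header and first row are from the article, the rest are made up.
SAMPLE = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
11,09/19/11,17:55:55,Renew,192.168.1.56,Ty-PC.test2008,0017C4E45C2B
10,09/19/11,18:01:02,Assign,192.168.1.57,Lab-PC.test2008,0017C4E45C2C
14,09/19/11,18:03:10,Scope Full,192.168.1.0,,
10,09/19/11,18:05:00,Assign,192.168.1.56,Other-PC.test2008,001122334455
"""

def parse(text):
    """Yield one dict per event row; banner text and the header row are skipped."""
    for row in csv.reader(text.splitlines()):
        if len(row) < len(FIELDS) or not row[0].strip().isdigit():
            continue
        rec = dict(zip(FIELDS, (c.strip() for c in row)))
        rec["ID"] = int(rec["ID"])
        # Assumption: dates are MM/DD/YY, as in the article's sample row.
        rec["When"] = datetime.strptime(rec["Date"] + " " + rec["Time"], "%m/%d/%y %H:%M:%S")
        yield rec

def analyze(text):
    """Return (alerts, ip_to_macs): review-worthy events and MACs seen per leased IP."""
    alerts, ip_to_macs = [], {}
    for rec in parse(text):
        if rec["ID"] in ALERT_IDS:
            alerts.append((rec["When"], rec["ID"], ALERT_IDS[rec["ID"]], rec["IP Address"]))
        elif rec["ID"] in (10, 11) and rec["MAC Address"]:
            ip_to_macs.setdefault(rec["IP Address"], set()).add(rec["MAC Address"].upper())
    return alerts, ip_to_macs

def shared_ips(ip_to_macs):
    """IPs leased to more than one MAC in this file (reassignment or spoofing lead)."""
    return {ip: sorted(macs) for ip, macs in ip_to_macs.items() if len(macs) > 1}

if __name__ == "__main__":
    found, leases = analyze(SAMPLE)
    print(found, shared_ips(leases))
```

Because each weekday file is overwritten cyclically, run this against copies collected before the same weekday comes around again.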

 

 
