This article provides information about the integration process for obtaining logs of the dhcp service used as a role on Microsoft Windows.
You can provide dhcp service logs to Logsign in 2 different ways with syslog and smb protocols. This article will provide information about obtaining it with smb protocol.
The requirements needed before starting these procedures are as follows:
1- A user is required for the file to be read by the smb protocol.
2- Access to the 445 smb port of the IPs used by Logsign must be provided.
Access to the server to be logged in must be provided with an authorized user to perform the following procedures.
Dhcp service logs are located by default in the "C:\Windows\system32\dhcp" directory.
You can perform the following procedures to verify the log file directory.
Server Manager -> DHCP -> Dhcp Manager ->
Log file directory: C:\Windows\system32\dhcp
The following procedures are performed by accessing the log directory.
C:\Windows\System32\dhcp -> Properties -> Advanced Sharing ->
Share this Folder -> must be activated.
Share Name -> The hidden share name should be defined for the user by writing dhcp$.
C:\Windows\System32\dhcp -> Properties -> Security -> Advance -> Permissions
The user must be added and given read permission, and then Replace all child must be opened to ensure inheritance.
If Windows Firewall is active, make sure permissions are granted for smb access.
The procedures on the log source side have been completed.
Logsign Source Integration
Access to the "Settings -> Integration -> Data Collection ----> + Device" field must be provided for Logsign source integration.
After selecting SMBSHARE protocol as the device, the necessary fields must be completed.
After entering the required information, the connection must be tested with the check connection button.
Show Directory Tree: Allows us to see the files in the directory.
Use Credentials: You can use credentials instead of adding the user by constantly entering a password, and the passwords and users are stored encrypted, and you can use this credentials in similar sources.
For more information: Usage of User Credentials
Directory: The selected directory is displayed in this section. If you wish, you can enter the directory yourself and reach the directory you want when you check the connection.
After a successful connection, the directory is selected and the directory where the log file is located is reached.
We select the plugin by clicking Add Include Pattern.
Pattern Name: We give a name to the logs that will be sent to the plugin.
Include Pattern: We write the name of the log file, and we used * in this line, applying this procedure for some files with pattern problems.
Vendor List, Product: We select the plugin to make the logs meaningful. And we say Save Pattern.
Read Static Files: When logs start to be taken, they are read from the last line, which means that your past logs will not be taken, if you activate this field, you will also have taken the past logs in this file.
Period: The second type control time for log acquisition of the log source.
Max Line Length: It means the length of the log line, if you do not know the length of the log line, leave it at the default value.
Offset: It is used to correct the time difference on the source.
Check Health: Controls the log sending time of the source.
Check EPS Average: It controls the instant increase of the incoming log.
Device Name: The field where the name of the log source is defined.
Group: Enables you to create a group if there are multiple resources.
End your operations with Save. You can see the logs of the newly added resources in the user interface within 2-3 minutes. If you have activated the Read Static option, this process may take longer.