Adding a Microsoft DHCP Source via SMB

Introduction

This article describes the integration process for collecting logs from the DHCP service running as a role on Microsoft Windows.

 

Source Integration

You can send DHCP service logs to Logsign in two different ways: over syslog or over SMB. This article covers collection over the SMB protocol.

 

Requirements

The requirements needed before starting these procedures are as follows:

1- A user account is required so that the log file can be read over the SMB protocol.

2- The IPs used by Logsign must be able to reach SMB port 445.

 

Integration

You need access to the server whose logs will be collected, with an authorized user, to perform the following procedures.

DHCP service logs are located by default in the "C:\Windows\system32\dhcp" directory.

You can follow the steps below to verify the log file directory.

 

Server Manager -> DHCP -> DHCP Manager -> 


 

Log file directory: C:\Windows\system32\dhcp

 

File Sharing:

The following steps are performed on the log directory.


 

C:\Windows\System32\dhcp -> Properties -> Advanced Sharing -> 

Share this Folder -> Must be enabled.

Share Name -> Enter dhcp$ to define a hidden share name for the user.


 

C:\Windows\System32\dhcp -> Properties -> Security -> Advanced -> Permissions 

Add the user and grant read permission, then enable the "Replace all child" option to ensure inheritance.

If Windows Firewall is active, make sure SMB access is allowed.

The procedures on the log source side have been completed.
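The same source-side steps can be scripted. The following PowerShell is an added example, not Logsign's own code: the account name and collector IP are hypothetical placeholders, and it grants only read access and opens port 445 only to the listed IPs.

```powershell
# Added example. Run in an elevated PowerShell session on the DHCP server.
# Placeholder values (assumptions, not from the article): replace with your own.
$ReaderAccount = 'CONTOSO\svc-logsign'   # hypothetical read-only account
$CollectorIPs  = @('192.0.2.10')         # hypothetical Logsign IP (documentation range)
$ShareName     = 'dhcp$'                 # hidden share name used in the article
$RuleName      = 'Logsign SMB DHCP logs' # hypothetical firewall rule name

# Confirm the audit log directory instead of assuming the default path.
$LogDir = (Get-DhcpServerAuditLog).Path
if (-not (Test-Path -LiteralPath $LogDir)) {
    throw "DHCP audit log directory not found: $LogDir"
}

# Share permission: read-only, for the reader account only.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $LogDir -ReadAccess $ReaderAccount | Out-Null
}

# NTFS permission: inheritable read ACE on the folder, (OI)(CI) covers files
# and subfolders. This adds an inherited entry; unlike the GUI "Replace all
# child" option it does not reset ACLs already set on child objects.
icacls $LogDir /grant "${ReaderAccount}:(OI)(CI)R"
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Firewall: allow inbound TCP 445 only from the collector IPs.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -RemoteAddress $CollectorIPs -Action Allow | Out-Null
}

# Verify: the reader account should appear with Read access only.
Get-SmbShareAccess -Name $ShareName
icacls $LogDir
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter
```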

 

Logsign Source Integration

For Logsign source integration, go to "Settings -> Integration -> Data Collection -> + Device".


 

After selecting the SMBSHARE protocol as the device, complete the necessary fields.


 

After entering the required information, test the connection with the Check Connection button.

 

Show Directory Tree: Lets you see the files in the directory.

 

Use Credentials: Instead of entering a user name and password each time, you can use stored credentials. Users and passwords are stored encrypted, and the same credentials can be reused for similar sources.

 

For more information: Usage of User Credentials

 

Directory: The selected directory is displayed in this field. If you wish, you can type the directory yourself; it is opened when you check the connection.


 

After a successful connection, select the directory and navigate to where the log file is located.

Select the plugin by clicking Add Include Pattern.


 

Pattern Name: A name for the logs that will be sent to the plugin.

Include Pattern: The name of the log file. We used * in this line; this is done for some files with pattern problems.

Vendor List, Product: Select the plugin that will parse the logs into meaningful fields, then click Save Pattern.


 

Read Static Files: When log collection starts, files are read from the last line, which means that your past logs are not collected. If you activate this field, the past logs in the file are collected as well.

Period: The check interval, in seconds, for collecting logs from the log source.

Max Line Length: The length of a log line. If you do not know the length of the log line, leave it at the default value.

Offset: Used to correct the time difference on the source.

Check Health: Checks the log sending time of the source.

Check EPS Average: Checks for sudden increases in incoming logs.

Device Name: The field where the name of the log source is defined.

Group: Lets you create a group if there are multiple sources.


 

Finish by clicking Save. You can see the logs of the newly added source in the user interface within 2-3 minutes. If you have activated the Read Static option, this process may take longer.
