Using Audit Logging to Analyze DHCP Server Behavior
The DHCP Server service stores an audit log in
%SystemRoot%\System32\DHCP. The DHCP Server service bases the name of the audit log file on the current day of the week, as determined by checking the current date and time at the server. For example, when the DHCP server starts, if the current date is Monday, October 8, 2007, the IPv4 audit log file is named
DhcpSrvLog-Mon, and the IPv6 audit log file is named
DhcpV6SrvLog-Mon. The DHCP Server starts a new log file at midnight and overwrites log files from the previous week.
By default, the DHCP Server service stops audit logging if disk space is less than 20MB or the current log file is larger than one-seventh the maximum allotted space or size for the combined total of all audit logs currently stored on the server. By default, each log file can be a maximum of 10MB. You can change the maximum size by multiplying the desired value by seven (for each day of the week) and storing the value in the
HKEY_LOCAL_MACHINE\ System\CurrentControlSet\Services\DHCPServer\Param eters\DhcpLogFilesMaxSize registry value.
Each audit log file begins with a description of the different event codes and the fields in the log file. Therefore, audit log files are self-explanatory. Audit logging is enabled by default.
To Enable or Disable Audit Logging
1. Click
Start, click
Administrative Tools, and then click
DHCP.
2. Expand your server name, right-click either
IPv4 or
IPv6, and then click
Properties.
3. On the General tab, select the
Enable DHCP Audit Logging check box, and then click OK.
To Change the Audit Log File Path
1. Click
Start, click
Administrative Tools, and then click
DHCP.
2. Expand your server name, right-click either
IPv4 or
IPv6, and then click
Properties.
3. On the Advanced tab, click
Browse to select the
audit log file path, and then click
OK.