Using Audit Logging to Analyze DHCP Server Behavior

The DHCP Server service stores an audit log in %SystemRoot%\System32\DHCP. The DHCP Server service bases the name of the audit log file on the current day of the week, as determined by checking the current date and time at the server. For example, when the DHCP server starts, if the current date is Monday, October 8, 2007, the IPv4 audit log file is named DhcpSrvLog-Mon, and the IPv6 audit log file is named DhcpV6SrvLog-Mon. The DHCP Server starts a new log file at midnight and overwrites log files from the previous week.

By default, the DHCP Server service stops audit logging if disk space is less than 20MB or the current log file is larger than one-seventh the maximum allotted space or size for the combined total of all audit logs currently stored on the server. By default, each log file can be a maximum of 10MB. You can change the maximum size by multiplying the desired value by seven (for each day of the week) and storing the value in the HKEY_LOCAL_MACHINE\ System\CurrentControlSet\Services\DHCPServer\Param eters\DhcpLogFilesMaxSize registry value.

Each audit log file begins with a description of the different event codes and the fields in the log file. Therefore, audit log files are self-explanatory. Audit logging is enabled by default.


To Enable or Disable Audit Logging

1. Click Start, click Administrative Tools, and then click DHCP.

2. Expand your server name, right-click either IPv4 or IPv6, and then click Properties.

3. On the General tab, select the Enable DHCP Audit Logging check box, and then click OK.


To Change the Audit Log File Path

1. Click Start, click Administrative Tools, and then click DHCP.

2. Expand your server name, right-click either IPv4 or IPv6, and then click Properties.

3. On the Advanced tab, click Browse to select the audit log file path, and then click OK.