Integrate Microsoft DHCP Server EventTracker Enterprise

Integrate Microsoft DHCP Server

EventTracker Enterprise

EventTracker

Publication Date: Aug. 8, 2016

8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com

EventTracker: Integrate Microsoft DHCP Server

Abstract

This guide provides instructions to configure Microsoft DHCP Server to send its logs to EventTracker Enterprise.

Scope

The configurations detailed in this guide apply to EventTracker Enterprise and Microsoft DHCP Server 2003 and later.

Target Audience

Administrators of Microsoft DHCP Server who wish to forward its logs to EventTracker Enterprise.

The information contained in this document represents the current view of Prism Microsystems Inc. on the issues discussed as of the date of publication. Because Prism Microsystems must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Prism Microsystems, and Prism Microsystems cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. Prism Microsystems MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from Prism, as long as its content is unaltered, nothing is added to the content and credit to Prism is provided. Prism Microsystems may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Prism Microsystems, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred. © 2016 Prism Microsystems Corporation. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Table of Contents

Abstract
  Scope
  Target Audience
Overview
Pre-requisite
Configuration for sending logs to EventTracker
  Enable Auditing on DHCP server
  Configure log file monitor (LFM) for monitoring Microsoft DHCP Server
EventTracker Knowledge Pack (KP)
  Categories
  Alerts
  Reports
Import Microsoft DHCP Server Knowledge Pack into EventTracker
  Parsing Rules
  Reports
Verify Knowledge Pack in EventTracker
  Parsing Rules
  Reports
Create Flex Dashboards in EventTracker
  Schedule Reports
  Create Dashlets
Sample Dashboards


Overview

The Dynamic Host Configuration Protocol (DHCP) assigns IP addresses to client computers automatically. DHCP audit logging lets an administrator track successful and failed lease grants, depletion of the server's IP address pool, and request messages with their corresponding acknowledgements. EventTracker analyzes these audit logs and generates reports for monitoring DNS update requests and successes, as well as leases renewed and denied by the DHCP server.

Pre-requisite

• EventTracker Enterprise v7.x (v8.0 or later for Flex Dashboards) should be installed for reports and alerts.
• Microsoft DHCP Server should be installed and configured.
• The EventTracker agent should be installed on the Microsoft DHCP Server.
• Any firewall between the EventTracker manager and the Microsoft DHCP Server should be off or have an exception for port 14505.

Configuration for sending logs to EventTracker

NOTE: To forward logs to EventTracker Enterprise, DHCP audit logging has to be enabled.

Enable Auditing on DHCP server

1. Log into the server with administrator privileges.
2. Select Start > Programs > Administrative Tools > DHCP.


Figure 1

3. Right-click the DHCP server node (IPv4 or IPv6) and select Properties.


Figure 2

4. Select the General tab.
5. Select the "Enable DHCP audit logging" check box.
6. Click Apply, and then click OK.


Figure 3

NOTE: DHCP audit logs are written, by default, to %windir%\System32\dhcp as one file per weekday (DhcpSrvLog-Mon.log through DhcpSrvLog-Sun.log for IPv4, DhcpV6SrvLog-<Day>.log for IPv6). The server reuses each weekday's file the following week, so the directory holds at most seven days of history and logs must be collected within that window. On Windows Server 2012 and later, the Get-DhcpServerAuditLog PowerShell cmdlet reports whether audit logging is enabled and the path in use.

Configure log file monitor (LFM) for monitoring Microsoft DHCP Server

EventTracker uses the Log File Monitor (LFM) in the Windows agent to read the DHCP Server audit logs. To perform the LFM configuration, deploy the EventTracker agent on the DHCP server; refer to the EventTracker Agent installation guide. After the agent is installed, follow the steps below to configure LFM.

1. Click the Start button, select Prism Microsystems, and then select EventTracker Control Panel.
2. Click the EventTracker Agent Configuration icon.

3. Click the Logfile Monitor tab and select the Logfile Monitor check box.

Figure 4

4. Click the Add File Name button, select the CSV-formatted audit log file that the DHCP server has generated, and then click OK.
5. Select the Get All Existing Log Files option.
6. In the Select Log File Type drop-down, select CSV.
7. Enter 33 in "Enter Header Line Number of the above file". This is the line carrying the column header (ID,Date,Time,Description,...) below the event-ID legend that the DHCP service prints at the top of each file; confirm the line number in your own log file before saving, since the legend differs between Windows Server versions.
8. Enter the path of the DHCP server logs in Enter File name. The final file details screen looks as below.
9. Click the OK button.

Figure 5

10. Now, click the Search String button.

Figure 6

11. Select Add String.

Figure 7

12. Enter the string(s) to search for in the selected logs. A log is generated whenever any of the strings matches.


Figure 8

13. Click Save. The logs will now be sent to EventTracker Enterprise.


EventTracker Knowledge Pack (KP)

Once logs are received in EventTracker, reports and Flex Dashboards can be configured. The following Knowledge Packs are available in EventTracker Enterprise to support Microsoft DHCP Server.

Categories

Microsoft DHCP Server: Client address conflicts
This category provides information on IP address conflicts detected by the DHCP server while renewing an expired lease.

Microsoft DHCP Server: DHCP client configuration error
This category provides information on DHCP clients when a configuration error occurs.

Microsoft DHCP Server: DHCP client network error
This category provides information on the DHCP client service when a communication problem occurs while sending messages to the DHCP server.

Microsoft DHCP Server: DHCP client trace event
This category provides information on DHCP client trace events, which report the status of the DHCP client service.

Microsoft DHCP Server: Authorization failure
This category provides information on the DHCP server when its authorization fails.

Microsoft DHCP Server: Database backup and restore
This category provides information on DHCP server database backup and restore operations.

Microsoft DHCP Server: Database integrity
This category provides information on DHCP server database integrity errors.

Microsoft DHCP Server: Database migration
This category provides information on DHCP server database migration.

Microsoft DHCP Server: Communication error
This category provides information on the DHCP server when a communication problem occurs between the DHCP server and a domain controller.

Microsoft DHCP Server: Service failure
This category provides information on the DHCP server service when a client is unable to renew its IP address, fails to initialize the network interface, or is unable to automatically configure its IP parameters.

Microsoft DHCP Server: Interface configuration error
This category provides information on the DHCP server when an interface is not configured correctly.

Microsoft DHCP Server: Network policy server error
This category provides information on Network Policy Server errors, raised when the DHCP server is unable to reach the Network Policy Server.

Microsoft DHCP Server: Rogue detection
This category provides information on rogue DHCP servers detected on the network.

Microsoft DHCP Server: Audit logging error
This category provides information on the DHCP server when an audit logging error occurs.

Microsoft DHCP Server: BOOTP IP deleted
This category provides information on the DHCP server when a BOOTP IP address is deleted after checking that it was not in use.

Microsoft DHCP Server: BOOTP leased
This category provides information on the DHCP server when a BOOTP address is leased to a client.

Microsoft DHCP Server: BOOTP requested rejected
This category provides information on the DHCP server when a BOOTP request could not be satisfied because the scope's BOOTP address pool is exhausted.

Microsoft DHCP Server: DNS update failed
This category provides information on the DHCP server when a DNS update request for a DHCP client fails.

Microsoft DHCP Server: DNS update request
This category provides information on the DHCP server's requests to the named DNS server to update DNS records for its clients.

Microsoft DHCP Server: DNS update successful
This category provides information on the DHCP server when a DNS update succeeds.

Microsoft DHCP Server: Dynamic BOOTP leased
This category provides information on the DHCP server when a dynamic BOOTP address is leased to a client.

Microsoft DHCP Server: IP address conflict
This category provides information on the DHCP server when an IP address assigned to a client is found to be in use on the network.

Microsoft DHCP Server: IP cleanup started
This category provides information on the DHCP server when an IP address cleanup operation begins.

Microsoft DHCP Server: IP cleanup statistics
This category provides information on the DHCP server when an IP address cleanup operation completes and its statistics are logged.

Microsoft DHCP Server: Lease deleted
This category provides information on DHCP client IP address leases that are deleted.

Microsoft DHCP Server: Lease denied
This category provides information on the DHCP server when an IP address lease is denied.

Microsoft DHCP Server: Lease expired
This category provides information on DHCP client IP address leases that have expired.

Microsoft DHCP Server: Lease released
This category provides information on the DHCP server when an IP address lease is released by a client.

Microsoft DHCP Server: Lease renewed
This category provides information on the DHCP server when an IP address lease is renewed by a client.

Microsoft DHCP Server: Lease request could not be satisfied
This category provides information on DHCP client requests that could not be satisfied because the scope's address pool is exhausted.

Microsoft DHCP Server: Log paused
This category provides information on DHCP server activity logging being paused due to low disk space.

Microsoft DHCP Server: Log started
This category provides information on DHCP server activity logging starting.

Microsoft DHCP Server: Log stopped
This category provides information on DHCP server activity logging stopping.

Microsoft DHCP Server: New IP released
This category provides information on the DHCP server when a new IP address is assigned (leased) to a DHCP client.

Microsoft DHCP Server: *All DHCP events
This category provides information on all events logged by the DHCP service.

Microsoft DHCP Server: DHCP critical events
This category provides information on all critical events logged by the DHCP service.

Alerts

Microsoft DHCP Server: Authorization failure
This alert is generated when DHCP server authorization fails.

Microsoft DHCP Server: Database migration
This alert is generated when a DHCP database migration occurs.

Microsoft DHCP Server: Lease expired
This alert is generated when a DHCP lease expires.

Microsoft DHCP Server: Lease deleted
This alert is generated when a lease is deleted by the DHCP server.

Reports

• Microsoft DHCP Server: Lease renewed by client

This report provides information on leases renewed by clients, i.e. when a client that already holds a lease renews it with the DHCP server.

Figure 9

Logs Considered:

Figure 10

• Microsoft DHCP Server: Lease denied

This report provides information on denied leases. A client's lease request may be denied by the DHCP server because it asks for an invalid (out-of-pool) or duplicate IP address, in order to avoid IP address conflicts.

Figure 11

Logs Considered:

Figure 12

• Microsoft DHCP Server: DNS update request

This report provides information on DNS update requests: after assigning an IP address to a client, the DHCP server sends a request to the DNS server to dynamically update the client's host (A) and pointer (PTR) resource records.


Figure 13

Logs Considered:

Figure 14

• Microsoft DHCP Server: DNS update successful

This report provides information on successful DNS updates, i.e. when the DHCP server's request to update resource records is registered successfully by the DNS server.


Figure 15

Logs Considered:

Figure 16
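The LFM step above keys on the column header that follows the event-ID legend at the top of each DHCP audit log, and the Knowledge Pack categories and reports are keyed on the event ID in the first column of each row. The following parser is an added example written for this page; it is not EventTracker or Microsoft code. It skips the legend by looking for the column header rather than a fixed line number, maps each row's event ID to the category names used in this guide (the legend codes are the ones the DHCP service prints in every DhcpSrvLog file), and tallies the rows behind the "Lease denied" report. The sample log, the host names and the abbreviated legend are constructed for the example.

```python
"""Parse Windows DHCP server audit log rows and map them to the guide's categories.

Added example for this page, not the Knowledge Pack's own parsing rules.
"""
import csv
from collections import Counter
from typing import NamedTuple

# Event IDs from the legend printed at the top of every DhcpSrvLog-*.log file,
# keyed to the Knowledge Pack category names used in this guide.
EVENT_CATEGORIES = {
    "00": "Log started", "01": "Log stopped", "02": "Log paused",
    "10": "New IP released",   # the guide's name for "a new IP address was leased"
    "11": "Lease renewed", "12": "Lease released", "13": "IP address conflict",
    "14": "Lease request could not be satisfied", "15": "Lease denied",
    "16": "Lease deleted", "17": "Lease expired",
    "20": "BOOTP leased", "21": "Dynamic BOOTP leased",
    "22": "BOOTP requested rejected", "23": "BOOTP IP deleted",
    "24": "IP cleanup started", "25": "IP cleanup statistics",
    "30": "DNS update request", "31": "DNS update failed", "32": "DNS update successful",
}
# Codes 50 and above are rogue-detection codes; 54 and 56 report that the
# server failed Active Directory authorization.
AUTH_FAILURE_IDS = {"54", "56"}
COLUMN_HEADER_PREFIX = "ID,Date,Time"


class DhcpAuditEvent(NamedTuple):
    event_id: str
    date: str
    time: str
    description: str
    ip_address: str
    host_name: str
    mac_address: str
    category: str


def categorize(event_id):
    """Map a DHCP audit event ID to the guide's category name."""
    if event_id in EVENT_CATEGORIES:
        return "Microsoft DHCP Server: " + EVENT_CATEGORIES[event_id]
    if event_id in AUTH_FAILURE_IDS:
        return "Microsoft DHCP Server: Authorization failure"
    if event_id.isdigit() and int(event_id) >= 50:
        return "Microsoft DHCP Server: Rogue detection"
    return "Microsoft DHCP Server: *All DHCP events"


def parse_dhcp_audit_log(text):
    """Return one DhcpAuditEvent per data row below the column header.

    Keys on the header's content instead of a fixed line number, so it is not
    tied to the line-33 position the LFM configuration step uses.
    """
    events = []
    in_body = False
    for raw in text.splitlines():
        line = raw.strip()
        if not in_body:
            in_body = line.startswith(COLUMN_HEADER_PREFIX)
            continue
        if not line:
            continue
        fields = next(csv.reader([line]))
        if len(fields) < 7:
            continue  # truncated row, e.g. a partially written last line
        eid = fields[0].strip()
        events.append(DhcpAuditEvent(eid, *fields[1:7], categorize(eid)))
    return events


def category_counts(events):
    """Event count per category, the figure a dashlet or alert threshold keys on."""
    return Counter(e.category for e in events)


def lease_denied_by_host(events):
    """Rows behind the 'Lease denied' report: host name -> set of denied client IPs."""
    denied = {}
    for e in events:
        if e.event_id == "15":
            denied.setdefault(e.host_name or "<no host name>", set()).add(e.ip_address)
    return denied


# Constructed sample log (not captured from a real server). The legend is
# abbreviated here; in a real file the column header is the guide's line 33.
SAMPLE_LOG = """\
\t\tMicrosoft DHCP Service Activity Log

Event ID  Meaning
00\tThe log was started.
15\tA lease was denied.
50+\tCodes above 50 are used for Rogue Server Detection information.

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID,Dhcpv6IAID,Dhcpv6HWType,Dhcpv6DUID,Dhcpv6ClientAddress
00,08/08/16,09:00:00,Started,,,,,0,6,,,,,
10,08/08/16,09:01:12,Assign,10.0.1.20,ws01.corp.example,001A2B3C4D5E,,1987000101,0,,,,,
11,08/08/16,09:02:30,Renew,10.0.1.21,ws02.corp.example,001A2B3C4D5F,,1987000102,0,,,,,
15,08/08/16,09:03:05,Deny,10.0.9.200,unknown-box.corp.example,DEADBEEF0001,,1987000103,0,,,,,
15,08/08/16,09:03:40,Deny,10.0.9.201,unknown-box.corp.example,DEADBEEF0001,,1987000104,0,,,,,
30,08/08/16,09:04:00,DNS Update Request,10.0.1.20,ws01.corp.example,001A2B3C4D5E,,1987000105,0,,,,,
32,08/08/16,09:04:01,DNS Update Successful,10.0.1.20,ws01.corp.example,001A2B3C4D5E,,1987000106,0,,,,,
14,08/08/16,09:05:15,Pool Exhausted,,,,,1987000107,0,,,,,
54,08/08/16,09:06:00,Authorization failed,,corp.example,,,1987000108,0,,,,,
"""
```

Running parse_dhcp_audit_log over SAMPLE_LOG and then category_counts gives two "Lease denied" rows, one "Lease request could not be satisfied" row (the pool-exhaustion condition the Overview mentions) and one "Authorization failure" row; lease_denied_by_host returns the host-name-to-client-IP grouping that the Sample Dashboards section charts. Rows with an unknown or malformed ID fall into the "*All DHCP events" category rather than being dropped, so nothing the server logged disappears from the collected stream.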

Import Microsoft DHCP Server Knowledge Pack into EventTracker

1. Launch the EventTracker Control Panel.
2. Double-click the Export Import Utility icon.

Figure 17

3. Click the Import tab.

NOTE: Import the Knowledge Pack components in the following sequence:
• Parsing Rules
• Reports

Parsing Rules

1. Click the Token value option, and then click the browse button.


Figure 18

2. Locate the All Microsoft DHCP Server parsing rules.istoken file, and then click the Open button.
3. Click the Import button to import the tokens. EventTracker displays a success message.

Figure 19

4. Click OK, and then click the Close button.

Reports

1. Click the Report option, and then click the browse button.

2. Locate the All Microsoft DHCP Server group of reports.issch file, and then click the Open button.
3. Click the Import button to import the reports. EventTracker displays a success message.

Figure 20

4. Click the OK button, and then click the Close button.

Verify Knowledge Pack in EventTracker

Parsing Rules

1. In the EventTracker Enterprise web interface, click the Admin menu, and then click Parsing Rules.
2. Select Microsoft DHCP Server.


Figure 21

Reports

1. Log on to EventTracker Enterprise.
2. Click the Reports menu, and then click Configuration.
3. Select Defined as the report type.
4. In the Report Groups tree, scroll down and click the Microsoft DHCP Server group folder to view the imported scheduled reports. The reports are displayed in the Reports configuration pane.


Figure 22

Create Flex Dashboards in EventTracker

NOTE: To configure Flex Dashboards, first schedule and generate the reports. The Flex Dashboard feature is available from EventTracker Enterprise v8.0.

Schedule Reports

1. Open EventTracker in a browser and log in.
2. Navigate to Reports > Configuration.

Figure 23


Figure 24

3. Select Microsoft DHCP Server in the report groups and check the Defined option.
4. Click "schedule" to plan a report for later execution.

Figure 25


Figure 26

5. Choose an appropriate time for report execution and, in Step 8, check the Persist data in Eventvault explorer box.
6. Check the column names to persist using the PERSIST check boxes beside them, and choose a suitable retention period.
7. Proceed to the next step and click the Schedule button.
8. Wait until the reports are generated.

Create Dashlets

1. EventTracker 8 is required to configure Flex Dashboards.
2. Open EventTracker in a browser and log on.


Figure 27

3. Navigate to Dashboard > Flex. The Flex Dashboard pane is shown.

Figure 28

4. Click the add button to create a new dashboard. The Flex Dashboard configuration pane is shown.


Figure 29

5. Enter a suitable title and description, and click the Save button.
6. Click the configure button to add a new Flex dashlet. The widget configuration pane is shown.

Figure 30

7. Locate the earlier scheduled report in the Data Source drop-down.
8. Select the Chart Type from the drop-down.
9. Select the extent of data to be displayed in the Duration drop-down.
10. Select the computation type in the Value Field Setting drop-down.
11. Select the evaluation duration in the As Of drop-down.
12. Select comparable values for the X Axis with a suitable label.
13. Select numeric values for the Y Axis with a suitable label.
14. Select a comparable sequence for the Legend.
15. Click the Test button to evaluate. The evaluated chart is shown.

Figure 31

16. If satisfied, click Configure button.

Figure 32

17. Click "customize" to locate and choose the created dashlet.


Figure 33

Sample Dashboards

1. Microsoft DHCP Server

Widget Title: Microsoft DHCP Server - Lease denied
Data Source: Microsoft DHCP Server - Lease denied
Chart Type: Donut
Axis Label [X-axis]: Client Host Name
Label Text: Client Host Name
Legend Series: Client IP Address

Figure 34
