Event ID 1028 — DHCP Audit Logging

Applies To: Windows Server 2008

Dynamic Host Configuration Protocol (DHCP) servers include several logging features and server parameters that provide enhanced auditing capabilities. You can specify the following features:

  • The file path in which the DHCP server stores audit log files. DHCP audit logs are located by default at %windir%\System32\Dhcp.
  • A maximum size restriction (in megabytes) for the total amount of disk space available for all audit log files created and stored by the DHCP service.
  • An interval for disk checking that is used to determine how many times the DHCP server writes audit log events to the log file before checking for available disk space on the server.
  • A minimum size requirement (in megabytes) for server disk space that is used during disk checking to determine if sufficient space exists for the server to continue audit logging.

Event Details

Product: Windows Operating System
ID: 1028
Source: Microsoft-Windows-DHCP-Server
Version: 6.0
Symbolic Name: EVENT_SERVER_INIT_AUDIT_LOG_FAILED
Message: The DHCP service failed to initialize the audit log. The following error occurred:
%1

Resolve

Give the DHCP service account permissions to audit log files and folders

The audit log cannot function correctly unless proper file permissions are assigned to the log files. You might need to do the following:

  • Assign permissions to the audit log files so that the service can write to them.
  • Assign user write permissions to the folder where the audit log file is created.

To perform these procedures, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.

To change permissions on files and folders:

  1. At the DHCP server, click Start, point to All Programs, point to Accessories, and then click Windows Explorer.
  2. Navigate the directory tree to %windir%\System32\Dhcp, right-click the folder, click Properties, and then click the Security tab.
  3. Complete one of the following as needed:
       • To set permissions for a group or user that does not appear in the Group or user names box, click Add, type the name of the group or user, and then click OK.
       • To change or remove permissions from an existing group or user, click the name of the group or user.
       • To allow or deny a permission, in the Permissions for User or Group box, select the Allow or Deny check box.
       • To remove the group or user from the Group or user names box, click Remove.

Notes

  • You can only set file and folder permissions on drives formatted to use NTFS.
  • To change permissions, you must be the owner or have been granted permission by the owner to do so.
  • Groups or users who are granted Full Control for a folder can delete files and subfolders within that folder, regardless of the permissions that protect the files and subfolders.
  • If the check boxes under Permissions for User or Group are shaded or if the Remove button is unavailable, then the file or folder has inherited permissions from the parent folder.
  • When adding a new user or group, by default, this user or group will have Read, Read and Execute, and List Folder Contents permissions.

Verify

To verify that the DHCP audit log is functioning correctly:

  1. At the DHCP server, click Start, type Windows Explorer in Start Search, and then press ENTER.
  2. Navigate the Windows Explorer tree to %windir%\System32\Dhcp.
  3. View and record the most recent DHCP log file date stamps. They should be recent. Repeat this process at regular intervals and note whether new events are being logged.
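
The same checks can be scripted. The following PowerShell is an added example, not part of the original article: it reports the account the DHCP Server service runs as, the permissions on the audit log folder, and how recently the newest audit log file was written. It assumes the service name DHCPServer and audit log file names of the form DhcpSrvLog-*.log; the 24-hour staleness threshold and the parameter names are arbitrary choices for illustration.

```powershell
# Added example: read-only check of the DHCP audit log folder. Run elevated on the DHCP server.
param(
    [string]$LogDir      = "$env:windir\System32\Dhcp",  # default audit log path
    [int]   $MaxAgeHours = 24                            # assumed threshold, adjust as needed
)

# 1. Which account does the DHCP Server service run as? (service name assumed: DHCPServer)
$svc = Get-WmiObject Win32_Service -Filter "Name='DHCPServer'"
if (-not $svc) { Write-Warning "DHCPServer service not found on this computer."; return }
"Service account : $($svc.StartName) (state: $($svc.State))"

# 2. Permissions on the audit log folder, including whether each entry is inherited.
$acl = Get-Acl -Path $LogDir
"Folder owner    : $($acl.Owner)"
$acl.Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# List Deny entries that overlap with write access so they can be reviewed
# against the service account shown above.
$write = [int][System.Security.AccessControl.FileSystemRights]::Write
$deny  = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and (([int]$_.FileSystemRights -band $write) -ne 0)
})
foreach ($ace in $deny) {
    Write-Warning "Deny entry covering write access: $($ace.IdentityReference)"
}

# 3. Date stamps of the most recent audit log files (file name pattern is an assumption).
$logs = @(Get-ChildItem -Path $LogDir -Filter 'DhcpSrvLog-*.log' |
          Sort-Object LastWriteTime -Descending)
if ($logs.Count -eq 0) { Write-Warning "No audit log files found in $LogDir."; return }
$logs | Select-Object -First 3 Name, LastWriteTime, Length | Format-Table -AutoSize

$age = (Get-Date) - $logs[0].LastWriteTime
if ($age.TotalHours -gt $MaxAgeHours) {
    Write-Warning ("Newest audit log was last written {0:N1} hours ago." -f $age.TotalHours)
} else {
    "Newest audit log was written {0:N1} hours ago." -f $age.TotalHours
}
```

Running the script at regular intervals and comparing the reported date stamps gives the same evidence as the manual procedure above.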
