DHCP Audit Logging

The Windows 2000 DHCP service includes several new logging features and server parameters that provide enhanced auditing capabilities.

The audit logging behavior discussed in this section applies only to the DHCP service provided with Windows 2000 Server. It replaces the previous DHCP logging behavior used in earlier versions of Windows NT Server, which do not perform audit checks and use only a single log file named Dhcpsrv.log for logging service events.

The formatted structure of DHCP service logs and the level of reporting maintained for audited logging are the same as in earlier versions of the Windows DHCP service. For more information on the structure of the logs, you can review the header section of each log in a text-editing program such as Notepad.

You can now specify the following features:

  • The directory path in which the DHCP service stores audit log files.

  • A maximum size restriction (in MB) for the total amount of disk space available for all the audit log files created and stored by the DHCP service.

  • An interval for disk checking that is used to determine how many times the DHCP server writes audit log events to the log file before checking for available disk space on the server.

  • A minimum size requirement (in MB) for server disk space that is used during disk checking to determine if sufficient space exists for the server to continue audit logging.

Through the DHCP Properties dialog boxes, you can specify:

  • The directory path in which the DHCP server stores audit log files.

  • A maximum size restriction (in megabytes) for the total amount of disk space available for all audit log files created and stored by the DHCP service.

  • An interval for disk checking that is used to determine how many times the DHCP server writes audit log events to the log file before checking for available disk space on the server.

  • A minimum size requirement (in megabytes) for server disk space that is used during disk checking to determine if sufficient space exists for the server to continue audit logging.

See the online documentation for procedural information about specifying these parameters.

Naming Audit Log Files

The name of the audit log file is based on the current day of the week, as determined by the server's current date and time.

For example, if the current day of the week on the server is Saturday, then the server's audit log file is named DhcpSrvLog.Sat.

Starting a Daily Audit Log

When the DHCP server starts or whenever a new day of the week occurs (when local time on the computer is 12:00 A.M.), the server writes a header message in the audit log file, indicating that logging started. Depending on whether the audit log file is a new or existing file, the following actions occur next:

  • If the audit log file has existed without modification for more than 24 hours, it is overwritten.

  • If the file has existed but was modified within the previous 24 hours, the file is not overwritten. New logging activity is appended to the existing file.

Disk Checks

After audit logging starts, the DHCP server performs disk checks at regular intervals to ensure that server disk space remains available and that the current audit log file does not become too large or grow too rapidly.

The DHCP server performs a full disk check whenever either of the following conditions occurs:

  • A set number of events are logged.

  • The date changes on the server computer.

The interval that determines the frequency of periodic disk checks is a number of logged events, n, where n is specified by the value of the registry entry DhcpLogDiskSpaceCheckInterval.

Each time a disk check is completed, the DHCP service checks to see if the server disk space is full. The disk is considered full if either of the following conditions is true:

  • Disk space on the server computer is lower than the required minimum amount for DHCP audit logging. This is determined by the configured value of the DhcpLogMinSpaceOnDisk entry. The default is 20 MB.

  • The current audit log file is larger than one-seventh (1/7) of the maximum allotted space or size for the combined total of all audit logs currently stored on the server. This is determined by a value obtained by dividing the value of the DhcpLogFilesMaxSize entry by 7 (the maximum number of potential audit log files that can be stored on the server computer). For example, if the DhcpLogFilesMaxSize entry is set to its default value of 7, the largest size that the current audit file could reach is 1 MB.

If the disk is full, the DHCP server closes the current file and ignores further requests to log audit events until either 12:00 A.M. or the disk status improves and the disk is no longer full.

Even if audit log events are ignored because of a full-disk condition, the DHCP server continues checking every n attempted log events to see if disk conditions on the server computer have improved. The number n is set in the DhcpLogDiskSpaceCheckInterval entry. If subsequent disk checks determine that the required amount of server disk space is available, the DHCP service reopens the current day's log file and resumes logging.
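The disk-check behavior described in this section can be modeled to show where audit events are silently dropped. The following Python sketch is an added example, not code from the DHCP service; the check interval of 50, the 100-byte event size, the free-space callback, and the treatment of 1 MB as 2**20 bytes are assumptions.

```python
from dataclasses import dataclass

MB = 1024 * 1024  # assumption: the page's "MB" treated as 2**20 bytes

@dataclass
class AuditLogConfig:
    check_interval: int      # DhcpLogDiskSpaceCheckInterval: events between disk checks
    min_space_mb: int = 20   # DhcpLogMinSpaceOnDisk (default stated on the page)
    max_size_mb: int = 7     # DhcpLogFilesMaxSize (default stated on the page)

def disk_full(cfg, free_bytes, log_bytes):
    """The two 'disk is full' conditions from the text."""
    too_little_free = free_bytes < cfg.min_space_mb * MB
    file_over_share = log_bytes > cfg.max_size_mb * MB / 7
    return too_little_free or file_over_share

def simulate_day(cfg, attempts, event_bytes, free_bytes_at):
    """Replay one day's log attempts; return (events written, dropped ranges).

    free_bytes_at(i) is a hypothetical callback giving free disk space at attempt i.
    """
    logging, log_bytes, written, gaps = True, 0, 0, []
    for i in range(1, attempts + 1):
        if logging:
            log_bytes += event_bytes
            written += 1
        elif gaps and gaps[-1][1] == i - 1:
            gaps[-1] = (gaps[-1][0], i)      # extend the current gap
        else:
            gaps.append((i, i))              # a new gap starts here
        # A check runs every check_interval attempts, suspended or not.
        if i % cfg.check_interval == 0:
            logging = not disk_full(cfg, free_bytes_at(i), log_bytes)
    return written, gaps

if __name__ == "__main__":
    cfg = AuditLogConfig(check_interval=50)   # interval value is constructed
    # Ample free space: the 1/7 share is exceeded and the rest of the day is lost.
    print(simulate_day(cfg, 12000, 100, lambda i: 500 * MB))
    # Free space dips below the minimum, then recovers: logging resumes.
    print(simulate_day(cfg, 400, 100, lambda i: 10 * MB if 100 <= i < 200 else 500 * MB))
```

With the default values, a suspension caused by the file-size condition cannot clear before 12:00 A.M. because the current file does not shrink, so every event after that point in the day is missing from the audit trail.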

Ending a Daily Audit Log

At 12:00 A.M. local time on the server computer, the DHCP server closes the existing log and moves to the log file for the next day of the week. For example, if the day of the week changes at 12:00 A.M. from Wednesday to Thursday, the log file named DhcpSrvLog.wed is closed and the file named DhcpSrvLog.thu is opened and used for logging events.
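The naming, start-of-day, and end-of-day rules above imply that each day's file is reused one week later, which matters when collecting logs as evidence. The following Python sketch is an added example, not code from the DHCP service; the function names, the suffixes for days not shown on the page, and the sample timestamps are assumptions.

```python
from datetime import datetime, timedelta

# Suffixes for Sat, Wed and Thu appear on the page (in mixed case; Windows
# file names are case-insensitive). The others are assumed to follow the
# same three-letter pattern.
DAY_SUFFIX = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

def audit_log_name(now):
    """File name for the server's current local day of the week."""
    return "DhcpSrvLog." + DAY_SUFFIX[now.weekday()]

def open_action(now, last_modified):
    """What happens to the day's file when the header message is written.

    last_modified is None when no file exists yet.
    """
    if last_modified is None:
        return "create"
    if now - last_modified > timedelta(hours=24):
        return "overwrite"      # unmodified for more than 24 hours
    return "append"             # modified within the previous 24 hours

def lost_at_next_midnight(now, mtimes):
    """Name of the file the next day change will overwrite, or None.

    mtimes maps file name -> last-modified datetime (constructed input).
    """
    midnight = (now + timedelta(days=1)).replace(
        hour=0, minute=0, second=0, microsecond=0)
    name = audit_log_name(midnight)
    if open_action(midnight, mtimes.get(name)) == "overwrite":
        return name
    return None

if __name__ == "__main__":
    now = datetime(2000, 3, 1, 15, 0)     # constructed: a Wednesday afternoon
    mtimes = {"DhcpSrvLog.Thu": datetime(2000, 2, 24, 23, 59),
              "DhcpSrvLog.Wed": now}
    print(audit_log_name(now), lost_at_next_midnight(now, mtimes))
```

Copying the file returned by lost_at_next_midnight before 12:00 A.M. preserves the oldest day of audit data that the server still holds.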