Audit logging

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

DHCP servers running Windows Server 2003 include several logging features and server parameters that provide enhanced auditing capabilities. You can specify the following features:

  • The directory path in which the DHCP server stores audit log files. DHCP audit logs are located by default at %windir%\System32\Dhcp.

  • A maximum size restriction (in megabytes) for the total amount of disk space available for all audit log files created and stored by the DHCP service.

  • An interval for disk checking, expressed as the number of audit log events the DHCP server writes to the log file before it checks the available disk space on the server.

  • A minimum size requirement (in megabytes) for server disk space, used during disk checking to determine whether sufficient space exists for the server to continue audit logging.

Notes

  • You can selectively enable or disable the audit logging feature at each DHCP server. For more information, see Enable DHCP server logging.

  • Only the directory path in which the DHCP server stores audit log files can be modified using the DHCP console. To do so, first select the applicable DHCP server in the console tree. On the Action menu, click Properties. Next, click the Advanced tab and edit Audit log file path as necessary.

  • Other audit logging parameters described above are adjusted through registry-based configuration changes. For more information about the Windows Server 2003 DHCP server registry, see "Dynamic Host Configuration Protocol" at the Microsoft Windows Resource Kits Web site.

How audit logging works

The audit logging behavior discussed in this section applies only to Windows 2000 DHCP and Windows Server 2003 DHCP. It replaces the previous DHCP logging behavior used in earlier versions of Windows NT Server, which do not perform audit checks and use only a single log file named Dhcpsrv.log for logging service events.

The formatted structure of DHCP server logs and the level of reporting maintained for audited logging are the same as in earlier DHCP server versions provided with Windows NT Server. For more information, see Analyzing server log files.

Naming audit log files

The DHCP Server service bases the name of the audit log file on the current day of the week, as determined by checking the current date and time at the server.

For example, when the DHCP server starts, if the current date and time are:

Monday, April 7, 2003, 04:56:42 P.M.

then the server audit log file is named:

DhcpSrvLog-Mon

Starting a daily audit log

When a DHCP server starts or a new day begins (when the local time on the computer is 12:00 A.M.), the server writes a header message in the audit log file, indicating that logging has started. Then, depending on whether the audit log file is a new or existing file, the following actions occur:

  • If the file already exists but has not been modified for more than a day, it is overwritten.

  • If the file already exists and was modified within the previous 24 hours, it is not overwritten. Instead, new logging activity is appended to the end of the existing file.

Disk checks

After audit logging starts, the DHCP server performs disk checks at regular intervals to ensure that server disk space remains available and that the current audit log file neither becomes too large nor grows too rapidly.

The DHCP server performs a full disk check whenever either of the following conditions occurs:

  • A set number of server events has been logged.

  • The date changes on the server computer.

By default, the DHCP server performs a disk space check after every 50 events it writes to the audit log. The DHCP server also detects a date change when the server computer's locally set clock reaches 12:00 A.M.

Each time a disk check is completed, the server determines whether disk space is filled. The disk is considered full if either of the following conditions is true:

  • Disk space on the server computer is lower than the required minimum amount for DHCP audit logging.

    By default, if the amount of disk space remaining on the server disk reaches less than 20 megabytes, audit logging is halted.

  • The current audit log file is larger than one-seventh (1/7) of the maximum space allotted for the combined total of all audit logs currently stored on the server.

    At the time of the disk check, the DHCP server compares the exact size (in megabytes) of the current audit log file with the value obtained by dividing the maximum allotted space for all audit logs by the maximum number of log files the server permits to be stored simultaneously before older log files are overwritten and discarded. By default, seven is the maximum number of log files the server permits to be stored, one for each day of the week. With the defaults in effect, the largest size that the current audit log file can reach is one megabyte.

In either case, if the disk is full, the DHCP server closes the current file and ignores further requests to log audit events until 12:00 A.M. or until the disk status improves and the disk is no longer full.

Even while audit events are being ignored because of a disk-full condition, the DHCP server continues to perform disk checks every 50 events (or at the currently set interval) to determine whether disk conditions have improved. If a subsequent disk check determines that the required amount of server disk space is available, the DHCP server reopens the current log file and resumes logging.

Ending a daily audit log

At 12:00 A.M. local time on the server computer, the DHCP server closes the existing log and moves to the log file for the next day of the week. For example, if the day of the week changes at 12:00 A.M. from Wednesday to Thursday, the log file named DhcpSrvLog-Wed is closed, and the file named DhcpSrvLog-Thu is opened and used for logging events.
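The lifecycle described in this section (day-of-week file naming, the overwrite-or-append decision at startup, the disk check every 50 events, the two disk-full conditions, the halt and resume, and the midnight rollover) can be traced end to end with the following simulation. It also models the four server parameters listed at the top of the page as a configuration object. This is an added example, not Microsoft's code and not the DHCP Server service itself: the disk, the log header bytes and the event stream are constructed stand-ins, and the 7 MB total allotment is an assumption chosen so that dividing it by the default seven files reproduces the 1 MB per-file limit the page states. It is useful to a defender mainly for reasoning about when audit coverage silently stops, and therefore how much free space and what check interval a server needs for logging never to be paused.

```python
# Simulation of the DHCP audit-log lifecycle described on this page (naming, daily
# start/rollover, disk checks, halt and resume). Added example, not Microsoft code.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MB = 1024 * 1024
DAY_SUFFIX = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]   # datetime.weekday() order


@dataclass
class AuditLogConfig:
    """Server parameters named on the page. max_total_mb is an assumption chosen so that
    max_total_mb / max_log_files reproduces the 1 MB per-file limit the page states."""
    max_total_mb: float = 7.0
    max_log_files: int = 7        # one file per day of the week
    check_interval: int = 50      # events between disk checks
    min_free_mb: float = 20.0     # logging halts below this much free space

    @property
    def per_file_cap_mb(self) -> float:
        return self.max_total_mb / self.max_log_files   # one-seventh with the defaults


@dataclass
class SimulatedDisk:
    """Constructed stand-in for the log directory: free space plus [size_bytes, mtime] per file."""
    free_mb: float
    files: dict = field(default_factory=dict)


def log_file_name(when: datetime) -> str:
    """DhcpSrvLog-<Day>, so Monday, April 7, 2003 gives DhcpSrvLog-Mon."""
    return "DhcpSrvLog-" + DAY_SUFFIX[when.weekday()]


class DhcpAuditLogger:
    HEADER = b"logging started (simulated header, not the real DHCP header)\r\n"

    def __init__(self, cfg: AuditLogConfig, disk: SimulatedDisk, now: datetime):
        self.cfg, self.disk = cfg, disk
        self.written = self.dropped = 0
        self._start_daily_log(now)

    def _start_daily_log(self, now: datetime) -> None:
        name = log_file_name(now)
        entry = self.disk.files.get(name)
        if entry is None or now - entry[1] > timedelta(days=1):
            entry = [0, now]              # new file, or stale from last week: overwritten
        self.disk.files[name] = entry     # modified within 24 h: appended to
        self.current, self.current_day = name, now.date()
        self._append(self.HEADER, now)
        self._disk_check()                # a date change counts as a full disk check

    def _append(self, data: bytes, now: datetime) -> None:
        entry = self.disk.files[self.current]
        entry[0] += len(data)
        entry[1] = now
        self.disk.free_mb -= len(data) / MB

    def _disk_check(self) -> None:
        """Disk is 'full' if free space is below the minimum or the current file exceeds its cap."""
        size_mb = self.disk.files[self.current][0] / MB
        self.paused = (self.disk.free_mb < self.cfg.min_free_mb
                       or size_mb > self.cfg.per_file_cap_mb)
        self.events_since_check = 0

    def log_event(self, now: datetime, line: bytes) -> bool:
        """Write one audit event; returns False when the event is ignored (disk full)."""
        if now.date() != self.current_day:          # 12:00 A.M.: close today's file, open tomorrow's
            self._start_daily_log(now)
        written = not self.paused
        if written:
            self._append(line, now)
            self.written += 1
        else:
            self.dropped += 1                       # events are ignored while paused
        self.events_since_check += 1                # ignored events still count toward the check
        if self.events_since_check >= self.cfg.check_interval:
            self._disk_check()                      # may close the log, or reopen it if space returned
        return written


def run_scenario(free_mb: float, n_events: int, event_bytes: int = 1024,
                 start: datetime = datetime(2003, 4, 7, 16, 56, 42),
                 free_space_after: int = -1) -> dict:
    """Constructed scenario: n_events one second apart from the page's example timestamp.
    If free_space_after >= 0, an operator frees the disk (100 MB) after that many events."""
    disk = SimulatedDisk(free_mb=free_mb)
    logger = DhcpAuditLogger(AuditLogConfig(), disk, start)
    for i in range(n_events):
        if i == free_space_after:
            disk.free_mb = 100.0
        logger.log_event(start + timedelta(seconds=i), b"x" * event_bytes)
    return {"file": logger.current, "written": logger.written, "dropped": logger.dropped,
            "paused": logger.paused, "files": sorted(disk.files),
            "size_mb": disk.files[logger.current][0] / MB}


if __name__ == "__main__":
    print(run_scenario(100.0, 1100))                      # file-size cap reached, logging halted
    print(run_scenario(19.0, 120, free_space_after=60))   # low free space, then recovery
    print(run_scenario(100.0, 60, start=datetime(2003, 4, 7, 23, 59, 30)))  # midnight rollover
```

With the defaults, the first scenario writes 1,050 events of 1 KB and then halts at the check that follows event 1,050 (the file has passed 1 MB); the remaining events are ignored until midnight, because a too-large file never shrinks. The second scenario starts with 19 MB free, so logging is paused from the first check, and resumes only at the first 50-event check after an operator frees space; note that the events arriving in between are lost, which is the gap a defender should size the minimum-space and interval parameters to avoid.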