InsightIDR

DHCP

DHCP is one of the foundational event sources in InsightIDR, meaning it is critically important for user attribution. DHCP servers lease IP addresses to endpoints on the network; InsightIDR monitors these lease events, allowing the tool to map IP addresses back to hostnames in your environment. Understanding these relationships is critical, as many other event sources will only include IP addresses in their logs. With DHCP data, InsightIDR will automatically correlate IP addresses with endpoints.
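The correlation described above is easy to see with the log itself. The following is an added example, not Rapid7's code, that reads Windows DHCP audit-log lines and builds the IP-to-hostname map that InsightIDR derives from lease events. The log lines are constructed for this example; the column layout assumed here is the standard DhcpSrvLog-*.log CSV header (ID, Date, Time, Description, IP Address, Host Name, MAC Address, ...), with event IDs 10 (new lease), 11 (renew) and 12 (release).

```powershell
# Added example (not Rapid7 code): derive IP -> hostname attribution from
# Windows DHCP audit-log records. The lines below are constructed sample data.
$sampleLog = @'
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name
10,01/15/24,08:02:11,Assign,10.10.20.45,WS-FINANCE-07.corp.example,3C5AB4001122,
11,01/15/24,12:40:03,Renew,10.10.20.45,WS-FINANCE-07.corp.example,3C5AB4001122,
10,01/15/24,13:05:44,Assign,10.10.20.46,LT-SALES-12.corp.example,3C5AB4003344,
12,01/15/24,17:30:00,Release,10.10.20.46,LT-SALES-12.corp.example,3C5AB4003344,
10,01/15/24,17:31:10,Assign,10.10.20.46,LT-HR-03.corp.example,3C5AB4005566,
'@

function ConvertFrom-DhcpAuditLog {
    param([string[]]$Lines)
    # Real files begin with a text banner and an event-ID legend; only rows that
    # start with a numeric event ID are lease records.
    $rows = $Lines | Where-Object { $_ -match '^\d+,' }
    foreach ($row in $rows) {
        $f = $row -split ','
        [pscustomobject]@{
            EventId  = [int]$f[0]
            Time     = [datetime]::ParseExact("$($f[1]) $($f[2])", 'MM/dd/yy HH:mm:ss', $null)
            Action   = $f[3]
            IP       = $f[4]
            HostName = $f[5]
            MAC      = $f[6]
        }
    }
}

function Get-IpHostMap {
    param([string[]]$Lines)
    # Replay the lease events in time order: assigns and renewals bind an IP to
    # a host, a release unbinds it. The same IP can legitimately move between
    # hosts during the day, which is why a point-in-time lookup needs the lease
    # history rather than a static list.
    $map = [ordered]@{}
    foreach ($e in ConvertFrom-DhcpAuditLog $Lines | Sort-Object Time) {
        switch ($e.EventId) {
            { $_ -in 10, 11 } { $map[$e.IP] = @{ Host = $e.HostName; MAC = $e.MAC; Since = $e.Time } }
            12               { $map.Remove($e.IP) }
        }
    }
    $map
}

$map = Get-IpHostMap ($sampleLog -split "`r?`n")
$map.GetEnumerator() | ForEach-Object {
    '{0} -> {1} ({2}) since {3}' -f $_.Key, $_.Value.Host, $_.Value.MAC, $_.Value.Since
}
```

Run as-is, the script reports 10.10.20.45 bound to WS-FINANCE-07 and 10.10.20.46 bound to LT-HR-03 (the earlier LT-SALES-12 lease was released). Any log source that records only 10.10.20.46 at 15:00 belongs to LT-SALES-12, not LT-HR-03, which is the timing problem InsightIDR solves by ingesting the lease events rather than a snapshot.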

InsightIDR will reinforce hostname to IP mappings via the Insight Agent.

Using Azure in your environment? See the Azure and DHCP section of this page for more information.

Before You Begin

There are several things you must do before you can start collecting DHCP logs.

First, decide how to collect your DHCP logs: from a shared log folder (Watch Directory) or over syslog. Both methods are described below.

Then, decide how to address the following issues:

After you make these decisions, you can configure one of the supported DHCP event sources: DHCP Server Logs via Watch Directory, or DHCP Logs via Syslog.

DHCP Server Logs via Watch Directory

The Insight platform can collect DHCP audit logs. To prepare for this, the DHCP audit logs need to be written to a folder that the collector can reach as a network share. This folder should be changed from the default location and should contain only the DHCP logs.

Do not use the default folder location.

If you use the default folder, other DHCP binary files (such as the DHCP database) are also present in it, causing the InsightIDR DHCP event source to produce warnings when it tries to read them. Reading these files can also disrupt the Microsoft DHCP service.

Rapid7 recommends that the folder for DHCP logging resides on the root (C:) drive of the server that hosts the DHCP service, for example C:\dhcplogs.

To start collecting DHCP server logs:

  1. Create a folder for the DHCP logs. C:\dhcplogs is the recommended directory for storing DHCP logs.
  2. Right-click the folder and select Properties from the drop-down menu.
  3. In the "Properties" dialog, click the Sharing tab and then click the Advanced Sharing button.
  4. In the "Advanced Sharing" dialog, select Share this folder and then click the Permissions button.
  5. In the "Share Permissions" dialog, click the Add button and provide the credential that will access this folder. Enter the user name and password for this credential in InsightIDR when the DHCP event source is set up.
  6. Launch the DHCP console.
  7. Right-click IPv4 and select Properties from the drop-down menu.
  8. Click the Advanced tab. In the "Audit log file path" field, change the destination folder to the folder that stores the DHCP logs.
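The same preparation can be scripted. The following is an added example, not Rapid7's own code, that performs steps 1 through 8 on the DHCP server with PowerShell (the DhcpServer module ships with the DHCP role and RSAT). The share name, the collector's read-only service account CORP\svc-insightidr, and the folder C:\dhcplogs are assumed values; the folder is the page's recommendation, the others are placeholders to replace with your own.

```powershell
# Added example (not Rapid7 code): prepare a Windows DHCP server for the
# Watch Directory collection method. Run in an elevated session on the DHCP server.
$LogPath   = 'C:\dhcplogs'            # recommended folder from the guide
$ShareName = 'dhcplogs'               # assumed share name
$Reader    = 'CORP\svc-insightidr'    # assumed account; enter it as the event-source credential

# 1. A dedicated folder: nothing but audit logs should live here, so the
#    collector never reads the DHCP database files in the default location.
if (-not (Test-Path $LogPath)) {
    New-Item -Path $LogPath -ItemType Directory | Out-Null
}

# 2-5. Share the folder read-only to the collector account (the GUI equivalent
#      is Advanced Sharing > Permissions). Read access is all the collector needs.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $LogPath -ReadAccess $Reader | Out-Null
}

# Share permissions are evaluated together with NTFS permissions, so grant the
# same account read access on the folder itself.
$acl  = Get-Acl -Path $LogPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Reader, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $LogPath -AclObject $acl

# 6-8. Point the audit log at the new folder (IPv4 > Properties > Advanced in the
#      console) and make sure auditing is enabled. The new path takes effect after
#      the DHCP Server service restarts.
Set-DhcpServerAuditLog -Path $LogPath -Enable $true
Restart-Service -Name DHCPServer

# Verify: the configured path should be reported, and DhcpSrvLog*.log files will
# appear in it as leases are issued.
Get-DhcpServerAuditLog | Select-Object Enable, Path, MaxMBFileSize
Get-ChildItem -Path $LogPath -Filter 'DhcpSrvLog*.log'
```

Keep the share read-only: the collector only needs to read the logs, and a write-capable share on the DHCP server's audit folder would let a compromised collector account alter the evidence trail that attribution depends on.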

How to Configure This Event Source with Watch Directory

In InsightIDR, you configure the DHCP event source to read the shared folder by providing its UNC (Universal Naming Convention) path and the credential that was granted access when the shared folder was set up.

  1. From your dashboard, select Data Collection on the left-hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the "Security Data" section, click the DHCP icon. The "Add Event Source" panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Choose a time zone and optionally display only US time zones.
  6. Optionally choose to send unfiltered logs.
  7. Configure any Advanced Event Source Settings.
  8. Select Watch Directory as your collection method.
  9. Specify the folder path you configured previously and enter a scan interval.
  10. Optionally specify a file pattern, such as DhcpSrvLog*.log, and watch a shared remote directory.
  11. Click Save.

DHCP Logs via Syslog

Before you can set up a DHCP event source to listen for syslog, ensure that the DHCP host is logging all DHCP activity.

Additionally, configure the DHCP host to send its logs to a collector by specifying the collector as a syslog server, using a unique UDP or TCP port (above 1024) that no other event source on that collector uses.

How to Configure This Event Source with Syslog

  1. From your dashboard, select Data Collection on the left-hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the "Security Data" section, click the DHCP icon. The "Add Event Source" panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Choose a time zone and optionally display only US time zones.
  6. Optionally choose to send unfiltered logs.
  7. Configure any Advanced Event Source Settings.
  8. Select Listen for Syslog and specify a port and a protocol.
    • If you choose TCP, you can optionally encrypt the event source by downloading the Rapid7 certificate.
  9. Click Save.

DHCP Coverage

In a full deployment, you'll need to configure DHCP event sources for all DHCP servers in your environment. If you notice unknown values for assets or users in Log Search (for example, an asset shown as "Unknown Asset"), it is typically because DHCP data is missing for that part of the network.

Unknown IP Addresses

When possible, configure additional DHCP event sources and/or endpoint monitoring so that InsightIDR can correlate these IP addresses with hostnames.

See IP Addresses for more information.

Azure and DHCP

User attribution in InsightIDR relies on accurate and up-to-date hostname to IP mappings, which are typically provided by a DHCP server. While Azure does have an API that lists all Azure hosts and their corresponding IP addresses, the API does not update in real time and therefore cannot be used for attribution in InsightIDR.

To attribute assets in an Azure environment, you must install the Insight Agent on all assets in your Azure environment and provision a Collector in your Azure network to deliver the agent logs to InsightIDR (no event sources need to be configured on this Collector to support the Insight Agent). The agent provides up-to-date hostname to IP information for the assets it is installed on.

Troubleshooting Configuration Issues

If the DHCP or DNS event source experiences an error, the event source icon turns yellow (warning) or red (failure). Hovering the mouse over the icon reveals the details of the error. Typical errors of this sort are failure to connect to the server, bad credentials, or failure to find the file or folder configured in the event source.

Sometimes the DHCP and DNS event sources might not be reading any logs even if they don't show a warning or error. In this situation, try the following tests.

  • Can you connect to the DHCP or DNS server file share when you log on to the machine running the InsightIDR collector?
  • Is there a typo in the file pattern in the DHCP configuration? If the file pattern is wrong, none of the files in the directory will match.
  • Has srv.sys been set to start on demand on the server? Srv.sys should be set to start on demand. For more information, please read Srv.sys.
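The three checks above can be run from the command line so the result is a concrete value rather than a silent event source. The following is an added example, not Rapid7's own tooling: Test-DhcpWatchDirectory runs on the machine that hosts the InsightIDR collector and checks the share and the file pattern; Test-SrvStartType runs on the DHCP server and reads the start type of srv.sys. The server name dhcp01.corp.example and share name dhcplogs are assumed placeholders; the pattern and credential should be the ones entered in the event source.

```powershell
# Added example (not Rapid7 code): reproduce the troubleshooting checks above.
function Test-DhcpWatchDirectory {
    param(
        [string]$Server  = 'dhcp01.corp.example',   # assumed DHCP server name
        [string]$Share   = 'dhcplogs',              # assumed share name
        [string]$Pattern = 'DhcpSrvLog*.log',       # file pattern from the event source
        [pscredential]$Credential                   # credential from the event source
    )
    $unc    = "\\$Server\$Share"
    $result = [ordered]@{ Path = $unc }

    # Check 1: can this host reach the share? Map it with the event-source
    # credential so a bad password or blocked SMB path fails here, visibly.
    $driveArgs = @{ Name = 'DhcpLogs'; PSProvider = 'FileSystem'; Root = $unc; ErrorAction = 'Stop' }
    if ($Credential) { $driveArgs.Credential = $Credential }
    try {
        New-PSDrive @driveArgs | Out-Null
        $result.ShareReachable = $true
    } catch {
        $result.ShareReachable = $false
        $result.ShareError     = $_.Exception.Message
        return [pscustomobject]$result
    }

    # Check 2: does the pattern match anything? A wrong wildcard or a pattern
    # copied from another event source yields zero matches and zero events,
    # without ever raising an error on the icon.
    $hits = @(Get-ChildItem -Path 'DhcpLogs:\' -Filter $Pattern -File -ErrorAction SilentlyContinue)
    $all  = @(Get-ChildItem -Path 'DhcpLogs:\' -File -ErrorAction SilentlyContinue)
    $result.FilesMatchingPattern = $hits.Count
    $result.FilesInFolder        = $all.Count
    # Files other than audit logs in the folder are a sign the default location
    # (with the DHCP database) was shared instead of a dedicated folder.
    $result.NonLogFiles = @($all | Where-Object { $_.Name -notlike 'DhcpSrvLog*' }).Name

    Remove-PSDrive -Name DhcpLogs
    [pscustomobject]$result
}

# Check 3, on the DHCP server: srv.sys should be set to start on demand.
function Test-SrvStartType {
    # Registry Start values for a service/driver: 2 = automatic, 3 = demand (manual), 4 = disabled
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\srv'
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction Stop).Start
    [pscustomobject]@{ Driver = 'srv.sys'; StartValue = $start; OnDemand = ($start -eq 3) }
}

# Usage from the collector host (prompts for the event-source credential):
# Test-DhcpWatchDirectory -Credential (Get-Credential)
# Usage on the DHCP server:
# Test-SrvStartType
```

A result with ShareReachable true but FilesMatchingPattern 0 is the "no error, no logs" case the text describes: fix the pattern in the event source rather than the share. A non-empty NonLogFiles list means the share is not the dedicated folder the guide calls for.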
