DHCP audit using ELK stack

We were interested in monitoring DHCP leases in our environment using the ELK stack. As we currently do not have Beats, we are forced to use Windows logs and either forward or copy these. We found a very good blog describing the setup, which was easy to follow, here: https://zeglory.com/monitoring-dhcp-using-elk/. However, these logs are not live log entries and are some hours old. Is it possible to forward the events as described in the blog natively using ELK? Or is the description in the blog the best way to monitor and audit Windows DHCP servers using ELK? Thanking you all in advance.
Furthermore, if you have any good suggestions or ideas regarding what information should be utilized for threat hunting or just in-depth monitoring, in addition to what is described in the blog post, please guide us. The suggested views are Vertical bars, Heatmap, Pie Chart and Timelion.

I don't know Windows DHCP too well, so take this advice with that in mind.

You might be able to read the logs directly from c:\Windows\System32\dhcp using Filebeat. That will depend on what format those log files are in though.

Hi Mark, thanks for the reply. I am posting the contents of a DHCP log file (Windows-based). It has a large number of contents and seems to resemble a CSV file. However, it also contains some content describing its contents.

In the blog post I see that he/she is using a Linux-based machine and providing key-value pairs, which seems sensible with regard to efficiency over a Grok filter.

Furthermore, only relevant fields are being selected. It seems like even the Logstash filter has been shared. So kudos to https://zeglory.com/monitoring-dhcp-using-elk/ for sharing the solution.
I think for now we will stick with the solution that has been provided on the blog, and then maybe we can develop something similar to what you are suggesting (it is possible and doable). Thanks for the reply, help and guidance. Have a nice day.
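Mark's suggestion of reading the files under C:\Windows\System32\dhcp directly depends on their format, and the reply above describes it: a descriptive preamble (the event ID table) followed by CSV rows with a header line. The block below is an added example, not code from this thread or from the zeglory.com post, of the processing such a file needs before it is useful in Kibana: skip the preamble, parse the rows, build an ISO timestamp for `@timestamp`, count events per type (the data behind the suggested bar and pie charts), and pull out the events a threat hunter would chart first (address conflicts, exhausted scopes, denied leases, and one MAC presenting more than one hostname). The column names and event ID meanings are the ones I know from the audit log's own preamble and should be checked against the header your server writes; the sample log is constructed for the example.

```python
import csv
from collections import Counter, defaultdict
from datetime import datetime

# Event IDs as listed in the preamble of a Windows DHCP audit log.
# Assumption: the common IDs; verify against the table at the top of your own file.
EVENT_MEANING = {
    "00": "log started", "01": "log stopped", "02": "log paused",
    "10": "new lease", "11": "renew", "12": "release",
    "13": "address conflict detected", "14": "scope exhausted, request not satisfied",
    "15": "lease denied", "16": "lease deleted", "17": "lease expired",
    "30": "DNS update requested", "31": "DNS update failed", "32": "DNS update succeeded",
}
HEADER_PREFIX = "ID,Date,Time"   # the CSV header line that ends the preamble
WATCH_IDS = {"13", "14", "15"}   # events worth their own dashboard panel

# Constructed sample in the audit-log layout (not a real server's output).
SAMPLE_LOG = """\
\t\tMicrosoft DHCP Service Activity Log

Event ID  Meaning
00\tThe log was started.
10\tA new IP address was leased to a client.
13\tAn IP address was found to be in use on the network.
15\tA lease was denied.

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID,Dhcid,VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),RelayAgentInformation,DnsRegError.
00,03/10/18,00:00:01,Started,,,,,0,6,,,,,,,,,0
10,03/10/18,08:23:42,Assign,10.0.0.50,pc01.corp.example,001122334455,,12345,0,,,,,,,,,0
11,03/10/18,09:10:05,Renew,10.0.0.50,pc01.corp.example,001122334455,,12346,0,,,,,,,,,0
10,03/10/18,09:30:17,Assign,10.0.0.51,laptop-x.corp.example,001122334455,,12347,0,,,,,,,,,0
13,03/10/18,09:45:00,Conflict,10.0.0.51,,,,0,6,,,,,,,,,0
15,03/10/18,10:02:11,NACK,10.0.0.77,,aabbccddeeff,,12350,0,,,,,,,,,0
"""


def parse_dhcp_audit_log(text):
    """Skip the preamble, then read the CSV body into one dict per event."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(HEADER_PREFIX):
            # Header cells carry stray spaces and a trailing period; normalise them.
            header = [c.strip().rstrip(".") for c in line.split(",")]
            body = lines[i + 1:]
            break
    else:
        raise ValueError("no CSV header found; not a DHCP audit log?")
    records = []
    for row in csv.DictReader(body, fieldnames=header):
        if not row.get("ID"):
            continue
        row["Meaning"] = EVENT_MEANING.get(row["ID"], "unknown")
        try:  # Date is MM/DD/YY, Time is HH:MM:SS; combine into an ISO @timestamp
            row["@timestamp"] = datetime.strptime(
                f"{row['Date']} {row['Time']}", "%m/%d/%y %H:%M:%S").isoformat()
        except ValueError:
            row["@timestamp"] = None
        records.append(row)
    return records


def summarize(records):
    """Events per type: the series behind a vertical-bar or pie visualisation."""
    return Counter(f"{r['ID']} {r['Meaning']}" for r in records)


def find_noteworthy(records):
    """Conflicts, exhausted scopes, denials, and MACs that lease under several names."""
    findings = [(r["@timestamp"], r["Meaning"], r["IP Address"], r["MAC Address"])
                for r in records if r["ID"] in WATCH_IDS]
    names_by_mac = defaultdict(set)
    for r in records:
        if r["ID"] in {"10", "11"} and r["MAC Address"]:
            names_by_mac[r["MAC Address"]].add(r["Host Name"])
    for mac, names in sorted(names_by_mac.items()):
        if len(names) > 1:
            findings.append((None, "multiple hostnames for one MAC", mac, sorted(names)))
    return findings


if __name__ == "__main__":
    recs = parse_dhcp_audit_log(SAMPLE_LOG)
    for key, n in sorted(summarize(recs).items()):
        print(f"{n:4d}  {key}")
    for f in find_noteworthy(recs):
        print("NOTE", f)
```

The header line is the only anchor needed: everything before it is the human-readable table and can be dropped, and everything after it parses with the standard csv module. The same two-step split (find the header, then treat the rest as CSV) is what a Logstash filter for this file has to do as well.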

Please don't post pictures of text, they are difficult to read, impossible to search and replicate (if it's code), and some people may not be even able to see them :slight_smile:

You have a custom script that has to do a whole lot of processing to get it to that, though. So that's a bit of a false equivalency.
