Access Denied: Configuring DHCP Server Logs
If your logs are too small, you'll have holes in your logging coverage.
April 18, 2004
While tracking down some suspicious activity in our logs, we noticed that our daily DHCP server logs have holes, apparently because the server stopped logging events. In each case, the server resumed logging at midnight with the next day's log. The only pattern we observed for the holes is that they occurred on busy days when DHCP activity was highest. Is the logging process hanging for some reason on busier days, then restarting at midnight?
Windows Server 2003's and Windows 2000 Server's DHCP servers have built-in logic for controlling how much disk space the daily DHCP server logs consume. If a given day's activity exceeds the configured threshold, Windows stops logging DHCP events until either more disk space is available or the next day starts.
Windows lets you configure two thresholds for controlling event-log size. First, you can configure a maximum number of megabytes for all DHCP server audit logs combined. This threshold defaults to 7MB, and Windows restricts each day's log to one-seventh of the maximum space allowed for DHCP server audit logs. Thus, by default, each day's log can grow to a maximum of 1MB. Windows automatically overwrites week-old audit logs, so you retain only 1 week's activity.
Second, Windows lets you configure a minimum amount of space that must be preserved on the disk on which you store your audit logs. The default minimum is 20MB. If free space on the disk drops below the minimum threshold, Windows stops logging. DHCP starts logging again when disk conditions permit.
You can reconfigure the DHCP event log thresholds by using REG_DWORD values in the DHCP server's registry under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DhcpServer\Parameters registry subkey. The DhcpLogMinSpaceOnDisk value specifies the minimum amount of space that must be preserved on the disk that contains your audit logs. Specify this value in megabytes. For example, if you want to stop DHCP logging when disk free space falls below 80MB, simply set the value to 80. The registry value that's more important for resolving your problem is DhcpLogFilesMaxSize. If this value is absent from the registry, Windows defaults to a value of 7, which gives you only 1MB for each day's log. Configure this value large enough to accommodate a full week's activity. If you want to keep more than 1 week's activity on hand, you'll need to copy each day's audit log file before Windows overwrites it the next week.
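To see whether these thresholds explain the holes on a given server, the following read-only check (an added example, not part of the original article) reads both registry values, derives the per-day cap, and flags daily logs that have reached it. The log folder, the `DhcpSrvLog*` file-name pattern, and the 90 percent warning ratio are assumptions; adjust them for your server.

```powershell
# Added example: read-only audit of DHCP audit-log thresholds. Run on the DHCP server.
param(
    # Assumption: default audit-log folder; change it if the logs were relocated.
    [string]$LogDir = "$env:SystemRoot\System32\dhcp",
    # Assumption: flag a daily log once it reaches 90% of its cap.
    [double]$WarnRatio = 0.9
)

$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\DhcpServer\Parameters'
$params = Get-ItemProperty -Path $key -ErrorAction Stop

# When a value is absent, fall back to the defaults given in the article.
$maxTotalMB = if ($null -ne $params.DhcpLogFilesMaxSize)   { $params.DhcpLogFilesMaxSize }   else { 7 }
$minFreeMB  = if ($null -ne $params.DhcpLogMinSpaceOnDisk) { $params.DhcpLogMinSpaceOnDisk } else { 20 }

# Each day's log may use one-seventh of the combined maximum.
$perDayMB = $maxTotalMB / 7

# Free space on the volume that holds the audit logs.
$root   = [System.IO.Path]::GetPathRoot((Resolve-Path $LogDir).ProviderPath)
$freeMB = (New-Object System.IO.DriveInfo $root).AvailableFreeSpace / 1MB

"Combined cap: $maxTotalMB MB; per-day cap: $([math]::Round($perDayMB, 2)) MB"
"Free space on ${root}: $([math]::Round($freeMB)) MB (logging stops below $minFreeMB MB)"
if ($freeMB -lt $minFreeMB) {
    Write-Warning "Free space is below DhcpLogMinSpaceOnDisk; DHCP audit logging is suspended."
}

# Assumption: daily audit logs are named DhcpSrvLog*.
# A log sitting at its cap most likely stopped recording partway through that day.
Get-ChildItem -Path $LogDir -Filter 'DhcpSrvLog*' | ForEach-Object {
    $sizeMB = $_.Length / 1MB
    [pscustomobject]@{
        Log       = $_.Name
        LastWrite = $_.LastWriteTime
        SizeMB    = [math]::Round($sizeMB, 2)
        CapMB     = [math]::Round($perDayMB, 2)
        NearCap   = $sizeMB -ge ($perDayMB * $WarnRatio)
    }
} | Sort-Object LastWrite | Format-Table -AutoSize
```

A `LastWrite` time well before midnight on a log marked `NearCap` shows when that day's coverage ended.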