Highlighted
jr.dc3 Absent Member.
Absent Member.
997 views

Add DHCP logs to existing SmartConnector

Jump to solution

When we install the ArcSight smartConnector we only get the option to install one type of connector. We need the System, Application and Security logs from the Windows 2008 R2 server, but we also need the DHCP logs. How do we add this additional log type for DHCP logs?

Labels (1)
0 Likes
1 Solution

Accepted Solutions
markt Absent Member.
Absent Member.

Re: Add DHCP logs to existing SmartConnector

Jump to solution

Install the Connector in another directory from the orginal install. Then select the Microsoft DHCP log option, and point the connector to where the DHCP logs are stored.

0 Likes
9 Replies
markt Absent Member.
Absent Member.

Re: Add DHCP logs to existing SmartConnector

Jump to solution

There is a SmartConnector specific for MS DHCP logs that you will have to install on the DHCP server.

0 Likes
jr.dc3 Absent Member.
Absent Member.

Re: Add DHCP logs to existing SmartConnector

Jump to solution

So I run the install again and add another type somehow?

0 Likes
jr.dc3 Absent Member.
Absent Member.

Re: Add DHCP logs to existing SmartConnector

Jump to solution

So I tried to rerun the install and it sees the existing install and just offers to upgrade it. There doesn't seem to be a way to install the DHCP piece once the system logs are getting captured. Can you only capture one type of log? Or should I be installing it into a different directory for the DHCP logs?

0 Likes
markt Absent Member.
Absent Member.

Re: Add DHCP logs to existing SmartConnector

Jump to solution

Install the Connector in another directory from the orginal install. Then select the Microsoft DHCP log option, and point the connector to where the DHCP logs are stored.

0 Likes
jr.dc3 Absent Member.
Absent Member.

Re: Add DHCP logs to existing SmartConnector

Jump to solution

So I tried this and I was able to install the SmartConnector a second time by changing the directory. One issue with this is that you only see the last installation in the list of installed software. I didn't think this was right, so I uninstalled the second installation and reinstalled the first installation. As I was submitting a ticket to HP support on this issue, the submission process provided a KB article that says exactly what you are saying (KM1262490). I really hate this answer, but it appears to be the answer. When you have several instances on the same box it is going to be pretty confusing, but that is just the way it is...

I need to find an ArchSight location to request a product enhancement. This seems like a terrible way to do this... That said, I got my answer...

0 Likes
StevenD Honored Contributor.
Honored Contributor.

Re: Add DHCP logs to existing SmartConnector

Jump to solution

Here is a question for you, which DHCP logs are you trying to get at? The audit level logs in the windows event log or the network connection logs(release/renew etc) logs? The reason I ask is because in our environment i'm running connectors for both, 1 for the actual DHCP activity for device tracking purposes and 1 connector to monitor the audit level events on the server(DHCP scope adds/changes/deletes etc)

For the latter I used a Windows Unified Connector but I had to build a custom categorizer, added a custom log target in the properties of the connector as well as adding a custom registry entry on the server itself.

I can share the WUC connector modifications if you'd like.

Thanks

0 Likes
jr.dc3 Absent Member.
Absent Member.

Re: Add DHCP logs to existing SmartConnector

Jump to solution

We are looking for the c:\windows\system32\dhcp\ directory. There is one for each day of the week. We only need the IPv4 version. I got the agent installed, but the logs are still not flowing... I have opened a case with HP. I doubt I will hear from the today...

0 Likes
jr.dc3 Absent Member.
Absent Member.

Re: Add DHCP logs to existing SmartConnector

Jump to solution

What is the difference between the SmartConnector and the Unified connector?

0 Likes
StevenD Honored Contributor.
Honored Contributor.

Re: Add DHCP logs to existing SmartConnector

Jump to solution

     Interesting, we had a similar problem from our DHCP collector which required me to walk through the connector setup again and re-verify the log file target folder. Not sure if it's a related to your issue or not... However I'm running a script to remotely copy the daily DHCP files to my local connector server at a regular interval, reason being was that initially I experienced the same issue as you. The connector wouldn't read the log files on the remote host, copying them local seemed to fix the issue.

Are you running the connector agent on the DHCP server itself or using it to remotely pull the log files?

PS: Difference between the Smart Connector and the WUC connector is in which log files it captures. The smart connector grabs information related to the DHCP network functions, IE Leases, Renewal, Releases, etc. The WUC pulls down the system changes on the Windows side that are not populated in the System32\DHCP log files. Those would be changes made by admins, such as adding/changing a scope, removing a scope, etc.... We mainly use the WUC connector for alerts when new network scopes are added, that way we can keep our zone information up to date within ArcSight.

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.