Accenture MDR Quick Start Guide for Microsoft® DHCP (TCP)

This quick start guide will help Accenture MDR customers configure Microsoft® DHCP server to send logs to the Log collection Platform (LCP).

This document includes the following topics:

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx), which can be found in the Accenture MDR Portal: https://mss.accenture.com/PortalNextGen/Reports/Documents

Port Requirements

Table 1-1: Port requirements for LCP communication.

Source                  Destination   Port                         Description
Microsoft DHCP server   LCP           10014 (TCP with TLS) or      Default port
                                      10013 (TCP with Non-TLS)

Configuring Microsoft DHCP

To configure Microsoft DHCP, follow the steps below.

Note: The Microsoft DHCP collector for Accenture supports only the Regional [English United States] M/d/yyyy h:mm:ss date format, which is the format recommended by Windows. Make sure the device date format is set to [English United States] M/d/yyyy h:mm:ss before configuring the device for log collection.

  1. Enable Audit Logging.

  2. Configure DHCP in Windows Versions.

  3. Configure Windows NXlog Agent.

I. To enable Audit logging:

  1. From the Start Menu, go to Program Files > Administrative Tools > DHCP.

  2. In the DHCP window, right-click the current DHCP server, and then click Properties.

  3. On the General tab, ensure DHCP logging is enabled.

II. Configure DHCP in Windows Versions

Depending on the operating system version, you can configure DHCP in one of the following three ways:

  • Windows 2003 64-bit

  • Windows 2008 64-bit

  • Windows 2012 64-bit

 

Configure Microsoft DHCP to work with Windows 2003 64-bit

Note: Use the linkd tool from the Windows Resource Kit to create a link to the %WINDIR%\system32\dhcp directory. The following command creates c:\dhcplogs as a symbolic link to the c:\WINDOWS\system32\dhcp directory.

  1. From the Start menu, open a Command Prompt.

  2. Enter the command: linkd c:\dhcplogs c:\WINDOWS\system32\dhcp

 Note: Configure Microsoft DHCP Event Collector to read logs from the link that was already created. See http://technet.microsoft.com/en-us/library/cc787068(v=ws.10).aspx for more details.

Configure Microsoft DHCP to work with Windows 2008 64-bit

 Note: Use the built-in mklink command to create a link to the %WINDIR%\system32\dhcp directory. The following command creates c:\dhcplogs as a directory symbolic link to the c:\WINDOWS\system32\dhcp directory:

  1. From the Start menu, open a Command Prompt.

  2. Enter the command: mklink /d C:\dhcplogs c:\windows\system32\dhcp

 Note: Configure Microsoft DHCP Event Collector to read logs from the link that was already created. See http://technet.microsoft.com/en-us/library/cc755282.aspx for more details.

 

Configure Microsoft DHCP to work with Windows 2012 64-bit

To enable DHCP server logging, do the following:

  1. Open DHCP Microsoft Management Console (MMC) snap-in.

  2. In the console tree view, click the DHCP server you want to configure.

  3. From the Action menu, click Properties.

  4. On the General tab, select Enable DHCP audit logging, and click OK.

  5. On the Advanced tab, keep the default Audit log file path, or click Browse and select a new path.

 Note: Configure Microsoft DHCP Event Collector to read logs from the link that was already created. See http://technet.microsoft.com/library/hh831825 for more details.

III. Configure Windows NXlog Agent.

You can configure the Windows NXlog Agent to use either the Non-TLS or the TLS TCP port, as described below:

  • Windows NxLog Agent for Non-TLS TCP

  • Windows NxLog Agent for TLS TCP

Steps to configure Windows NxLog Agent for Non-TLS TCP Log flow on port 10013

  1. Download and install the NxLog agent from https://nxlog.co/products/nxlog-community-edition/download

  2. Go to services.msc and stop the nxlog service.

  3. Go to the folder C:\Program Files (x86)\nxlog\data and delete configcache.dat.

  4. For the Windows Agent, go to the installed location C:\Program Files (x86)\nxlog\conf.

  5. Copy the Windows DHCP (Non-TLS) configuration from the attached nxlog.conf into the nxlog.conf file.

  6. Replace LCP_IP_Address with the actual LCP IP address in nxlog.conf.

  7. Change the access.log file location in the File directive.

  8. Start the nxlog service from services.msc.

  9. NxLog agent logs will be available at C:\Program Files (x86)\nxlog\data\nxlog.log.

Steps to configure Windows NxLog Agent for TLS TCP Log flow on port 10014

  1. Download and install the NxLog agent from https://nxlog.co/products/nxlog-community-edition/download

  2. Go to services.msc and stop the nxlog service.

 Note: Please contact the Accenture MDR onboarding team to obtain the certificate.

  3. Place the certificate obtained from the MDR onboarding team on the DHCP server at your desired location.

  4. Go to the folder C:\Program Files (x86)\nxlog\data and delete configcache.dat.

  5. For the Windows Agent, go to the installed location C:\Program Files (x86)\nxlog\conf.

  6. Copy the Windows DHCP (TLS) configuration from the attached nxlog.conf into the nxlog.conf file.

  7. Replace LCP_IP_Address with the actual LCP IP address in nxlog.conf.

  8. Change the access.log file location in the File directive.

  9. Provide the file location of the CA certificate on the DHCP server.

  10. Start the nxlog service from services.msc.

  11. NxLog agent logs will be available at C:\Program Files (x86)\nxlog\data\nxlog.log.
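The attached nxlog.conf that the steps above refer to is not reproduced in this guide. The following is an added example configuration, not Accenture's attached template, that shows both the Non-TLS (port 10013) and TLS (port 10014) outputs the two procedures describe; it assumes the audit logs are reached through the C:\dhcplogs link created earlier and use the default Windows DhcpSrvLog-*.log file naming, and that the CA certificate from the onboarding team was placed at C:\ProgramData\nxlog\cert\lcp-ca.pem (both paths are assumptions to adjust).

```conf
## Added example nxlog.conf for Windows DHCP audit logs (not the guide's attached template).
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension syslog>
    Module  xm_syslog
</Extension>

# Read the DHCP audit log. The File directive is the value the guide tells you to
# change; the wildcard picks up the per-day files the DHCP service rotates.
<Input dhcp_audit>
    Module  im_file
    File    'C:\dhcplogs\DhcpSrvLog-*.log'
    SavePos TRUE
    ReadFromLast TRUE
    Exec    $SourceName = 'MSDHCP';
</Input>

# Option A: plaintext TCP to the LCP on 10013. Lease records, including client
# hostnames and MAC addresses, cross the network unencrypted on this path.
<Output lcp_tcp>
    Module  om_tcp
    Host    LCP_IP_Address
    Port    10013
    Exec    to_syslog_bsd();
</Output>

# Option B: TLS to the LCP on 10014. CAFile is the certificate obtained from the
# MDR onboarding team (assumed path); AllowUntrusted FALSE makes NXlog verify the
# LCP's certificate chain instead of accepting any peer.
<Output lcp_tls>
    Module  om_ssl
    Host    LCP_IP_Address
    Port    10014
    CAFile  'C:\ProgramData\nxlog\cert\lcp-ca.pem'
    AllowUntrusted FALSE
    Exec    to_syslog_bsd();
</Output>

# Route to exactly one output; switch the Path to lcp_tcp only for the Non-TLS flow.
<Route dhcp_to_lcp>
    Path    dhcp_audit => lcp_tls
</Route>
```

Replace LCP_IP_Address before starting the service, then confirm delivery from C:\Program Files (x86)\nxlog\data\nxlog.log, where a connection or certificate verification failure against the LCP is logged.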

LCP Configuration Parameters

Table 1-2: Properties of the Microsoft DHCP TCP event collector (Syslog-3884) that are configured by MDR.

Property      Default Value                          Description
Protocol      TCP                                    The default protocol for syslog.
IP Address    Microsoft DHCP interface IP address    Logging device IP address as given in the
                                                     Pre-Installation Questionnaire (PIQ).
Port Number   TCP/10013 or TCP/10014                 The default port number for syslog.

Note: If the device sends logs using multiple interfaces, contact the Accenture MDR onboarding team.

Note: The LCP can be configured to listen on a non-standard port. Advise the Accenture MDR onboarding team if this is a requirement.

 

Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.