Accenture MDR Quick Start Guide for Microsoft® DHCP (TCP)
This quick start guide will help Accenture MDR customers configure the Microsoft® DHCP server to send logs to the Log Collection Platform (LCP).
This document includes the following topics:
Supported Versions
A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx), which can be found in the Accenture MDR Portal: https://mss.accenture.com/PortalNextGen/Reports/Documents
Port Requirements
Table 1-1: Port requirements for LCP communication.
Source | Destination | Port | Description |
Microsoft DHCP server | LCP | 10014 (TCP with TLS) or 10013 (TCP with Non-TLS) | Default port |
Configuring Microsoft DHCP
To configure Microsoft DHCP, follow the steps below.
Note: The Microsoft DHCP collector for Accenture supports only the Regional [English United States] M/d/yyyy h:mm:ss date format, which is the format recommended by Windows. Make sure the device date format is set to [English United States] M/d/yyyy h:mm:ss before configuring the device for log collection.
1. Enable Audit Logging.
2. Configure DHCP in Windows Versions
3. Configure Windows NXlog Agent.
I. To enable Audit logging:
1. From the Start Menu, go to Program Files > Administrative Tools > DHCP.
2. In the DHCP window, right-click the current DHCP server, and then click Properties.
3. On the General tab, ensure DHCP logging is enabled.
II. Configure DHCP in Windows Versions
Based on the operating system version, you can configure DHCP in three ways.
Windows 2003 64-bit
Windows 2008 64-bit
Windows 2012 64-bit
Configure Microsoft DHCP to work with Windows 2003 64-bit
Note: Use the linkd tool from the Windows Resource Kit to create a link to the %WINDIR%\system32\dhcp directory. The following command creates a c:\dhcplogs directory which is a symbolic link to the c:\WINDOWS\system32\dhcp directory.
1. Go to Start > Command Prompt.
2. Enter the command: linkd c:\dhcplogs c:\WINDOWS\system32\dhcp
Note: Configure Microsoft DHCP Event Collector to read logs from the link that was already created. See http://technet.microsoft.com/en-us/library/cc787068(v=ws.10).aspx for more details.
Configure Microsoft DHCP to work with Windows 2008 64-bit
Note: Use the built-in mklink command to create a link to the %WINDIR%\system32\dhcp directory. The following command creates a c:\dhcplogs directory which is a symbolic link to the c:\WINDOWS\system32\dhcp directory:
1. Go to Start > Command Prompt.
2. Enter the command: mklink /d C:\dhcplogs c:\windows\system32\dhcp
Note: Configure Microsoft DHCP Event Collector to read logs from the link that was already created. See http://technet.microsoft.com/en-us/library/cc755282.aspx for more details.
Configure Microsoft DHCP to work with Windows 2012 64-bit
To enable DHCP server logging, do the following:
1. Open the DHCP Microsoft Management Console (MMC) snap-in.
2. In the console tree view, click the DHCP server you want to configure.
3. From the Action menu, click Properties.
4. On the General tab, select Enable DHCP audit logging, and click OK.
5. On the Advanced tab, keep the default Audit log file path, or click Browse and select a new path.
Note: Configure Microsoft DHCP Event Collector to read logs from the link that was already created. See http://technet.microsoft.com/library/hh831825 for more details.
III. Configure Windows NXlog Agent.
You can configure the Windows NXlog Agent to use either a TLS or a Non-TLS TCP port:
Windows NxLog Agent for Non-TLS TCP
Windows NxLog Agent for TLS TCP
Steps to configure Windows NxLog Agent for Non-TLS TCP Log flow on port 10013
1. Download and install the NxLog agent from https://nxlog.co/products/nxlog-community-edition/download
2. Go to services.msc and stop the nxlog service.
3. Go to folder C:\Program Files (x86)\nxlog\data and delete configcache.dat.
4. For Windows Agent, go to the installed location C:\Program Files (x86)\nxlog\conf
5. Copy the below Windows DHCP (Non-TLS) steps to the attached nxlog.conf file.
6. Replace LCP_IP_Address with the actual LCP IP address in nxlog.conf.
7. Change the access.log file location given against File.
8. Now start the nxlog service from services.msc.
9. NxLog agent logs will be available at the location C:\Program Files (x86)\nxlog\data\nxlog.log.
Steps to configure Windows NxLog Agent for TLS TCP Log flow on port 10014
1. Download and install the NxLog agent from https://nxlog.co/products/nxlog-community-edition/download
2. Go to services.msc and stop the nxlog service.
Note: Please contact the Accenture MDR onboarding team to obtain the certificate.
3. Place the certificate obtained from the MDR onboarding team at your desired location on the DHCP server.
4. Go to folder C:\Program Files (x86)\nxlog\data and delete configcache.dat.
5. For Windows Agent, go to the installed location C:\Program Files (x86)\nxlog\conf
6. Copy the below Windows DHCP (TLS) steps to the attached nxlog.conf file.
7. Replace LCP_IP_Address with the actual LCP IP address in nxlog.conf.
8. Change the access.log file location given against File.
9. Provide the file location of the CA certificate on the DHCP server.
10. Now start the nxlog service from services.msc.
11. Nxlog agent logs will be available at the location C:\Program Files (x86)\nxlog\data\nxlog.log.
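For reference, a sketch of how the Non-TLS and TLS procedures above map onto nxlog.conf. This is an added example, not the configuration attached by Accenture MDR. It assumes the c:\dhcplogs link from section II, the default DhcpSrvLog-*.log audit file names, and a placeholder certificate path. The page does not give the message format the collector expects, so lines are forwarded as read.

```conf
## Constructed example for illustration; not the nxlog.conf supplied by Accenture MDR.
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Input dhcp_audit>
    Module        im_file
    # Assumed path: the c:\dhcplogs link created in section II and the
    # default per-day DHCP audit log file names.
    File          'C:\dhcplogs\DhcpSrvLog-*.log'
    # Forward only new lines and remember the read position across restarts.
    ReadFromLast  TRUE
    SavePos       TRUE
</Input>

# Non-TLS option: plain TCP to the LCP on port 10013.
# Lease events (client IP, host name, MAC) cross the network unencrypted.
<Output lcp_tcp>
    Module  om_tcp
    Host    LCP_IP_Address
    Port    10013
</Output>

# TLS option: port 10014, with the LCP certificate checked against the CA
# certificate obtained from the MDR onboarding team.
<Output lcp_tls>
    Module          om_ssl
    Host            LCP_IP_Address
    Port            10014
    # Placeholder path: use the location chosen in step 3 of the TLS procedure.
    CAFile          C:\path\to\mdr-ca-certificate.pem
    # Refuse the connection if the LCP certificate does not verify.
    AllowUntrusted  FALSE
</Output>

# Route to exactly one output; swap in lcp_tcp only for the Non-TLS setup.
<Route dhcp_to_lcp>
    Path  dhcp_audit => lcp_tls
</Route>
```

After the service starts, C:\Program Files (x86)\nxlog\data\nxlog.log shows whether the connection to the LCP was established or the certificate check failed.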
LCP Configuration Parameters
Table 1-2: The Microsoft DHCP TCP event collector (Syslog-3884) properties to be configured by MDR are given in the table.
Property | Default Value | Description |
Protocol | TCP | The default protocol for syslog. |
IP Address | Microsoft DHCP Interface IP address. | Logging device IP address mentioned in the Pre-Installation Questionnaire (PIQ). Note: If the device sends logs using multiple interfaces, contact the Accenture MDR onboarding team. |
Port Number | TCP/10013 or TCP/10014 | The default port number for syslog. Note: The LCP can be configured to listen on a non-standard port; please advise the Accenture MDR onboarding team if this is a requirement. |
Legal Notice
Copyright © 2021 Accenture. All rights reserved.