Hi team!
I want to detect duplication of IPs detected by the DHCP server.
I have no idea what to check...
I have this:
Windows EventID code = 13. Possible indication of IP spoofing
Have you done something similar?
Firstly, you need to:
1. Collect data from the DHCP server (sourcetype=DhcpSrvLog)
2. To do this, you can create an "app" MY_dhcp_inputs and copy the DHCP contents of the Windows TA into it:
###### DHCP ######
[monitor://$WINDIR\System32\DHCP]
disabled = 0
whitelist = DhcpSrvLog*
crcSalt = <SOURCE>
sourcetype = DhcpSrvLog
index = your_windows_index
This will automatically extract fields from DHCP servers.
Then do some search logic like
index=<your_index> sourcetype=DhcpSrvLog | stats count by signature
You can learn which signatures are important and just write a use case for them.
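Added example, not part of the original thread or of the Windows TA: a small offline check over DHCP audit-log lines that reports every ID 13 event (address found to be in use on the network) and, as a second heuristic, any IP that is leased to a new MAC with no release or expiry logged in between. The function name, the sample lines and the assumed column order (ID, Date, Time, Description, IP Address, Host Name, MAC Address) are constructed for illustration.

```python
import csv

# Constructed sample in the Windows DHCP audit-log CSV layout; not real data.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,03/04/24,09:00:01,Assign,10.0.0.50,pc-a.example.test,AABBCC000001
11,03/04/24,09:30:01,Renew,10.0.0.50,pc-a.example.test,AABBCC000001
13,03/04/24,10:02:17,Conflict,10.0.0.77,,
10,03/04/24,10:05:40,Assign,10.0.0.60,pc-b.example.test,AABBCC000002
10,03/04/24,10:20:05,Assign,10.0.0.60,pc-c.example.test,AA-BB-CC-00-00-03
12,03/04/24,11:00:00,Release,10.0.0.50,pc-a.example.test,AABBCC000001
10,03/04/24,11:10:00,Assign,10.0.0.50,pc-d.example.test,AABBCC000004
"""

LEASE_IDS = {10, 11}          # new lease, renewed lease
FREE_IDS = {12, 16, 17, 18}   # released, deleted, expired
CONFLICT_ID = 13              # address found to be in use on the network


def find_duplicate_ips(lines):
    """Return (conflicts, mac_changes) from DHCP audit-log lines."""
    conflicts = []    # (date, time, ip) for each ID 13 event
    mac_changes = []  # (date, time, ip, old_mac, new_mac)
    holder = {}       # ip -> MAC that currently holds the lease
    for row in csv.reader(lines):
        # Banner, column header and blank lines do not start with a numeric ID.
        if len(row) < 7 or not row[0].strip().isdigit():
            continue
        event_id = int(row[0])
        date, time, ip = row[1].strip(), row[2].strip(), row[4].strip()
        mac = row[6].strip().upper().replace("-", "").replace(":", "")
        if event_id == CONFLICT_ID:
            conflicts.append((date, time, ip))
        elif event_id in FREE_IDS:
            holder.pop(ip, None)
        elif event_id in LEASE_IDS and mac:
            previous = holder.get(ip)
            # Heuristic (assumption): same IP, new MAC, no release or expiry between.
            if previous and previous != mac:
                mac_changes.append((date, time, ip, previous, mac))
            holder[ip] = mac
    return conflicts, mac_changes


if __name__ == "__main__":
    found_conflicts, found_changes = find_duplicate_ips(SAMPLE_LOG.splitlines())
    for date, time, ip in found_conflicts:
        print(f"{date} {time} ID 13 conflict on {ip}")
    for date, time, ip, old, new in found_changes:
        print(f"{date} {time} {ip} moved from {old} to {new} without release")
```

The lease state is kept only for the lines passed in, so a lease that was released or expired in an earlier log file will look like a MAC change here; feed the files in chronological order to reduce that noise.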
Hi koshyk,
I installed the Windows Add-on app on the DHCP server, then I copied this into the inputs.conf
###### DHCP ######
[monitor://$WINDIR\System32\DHCP]
disabled = 0
whitelist = DhcpSrvLog*
crcSalt =
sourcetype = DhcpSrvLog
index = main
But still it doesn't work.
I receive events from CPU, network, and Windows events, but not from DHCP.
Please check with your DHCP expert whether they have logging enabled correctly.