DHCP Syslog usage in Security Analytics

    In NetFlow Analyzer’s Security Analytics, accurate IP-to-hostname mapping is critical for effective asset-based anomaly detection. This is primarily achieved using DHCP Syslogs.

    1. Why DHCP Syslog is preferred in Security Analytics
    2. Priority Sequence for IP Mapping
    3. How to configure DHCP Syslog profile
    4. How to configure Syslog forwarding based on server type

    Why DHCP Syslog is preferred in Security Analytics

    dhcpsyslog1

    Manual mapping is static and limited to known, fixed IP devices. Active Directory is updated periodically and might not reflect real-time changes. Whereas, DHCP Syslog provides real-time, accurate data, making management of assets better.

    DHCP Syslog provides dynamic mapping of:

    IP Address ↔ MAC Address ↔ Hostname

    This mapping is crucial because IP addresses change frequently due to DHCP leasing and a single machine (asset) might use different IPs over time. Hostnames remain consistent, helping to identify the true source regardless of changing IPs. Hence, Security Analytics is asset-based, not IP-based.

    Priority Sequence for IP Mapping

    To resolve IPs to hostnames, Security Analytics uses the following priority order:

    1. Manual Mapping
      • Used for devices with static IPs
      • Always takes priority if the IP exists in this mapping
    2. DHCP Syslog (Essential for Security Analytics)
      • Dynamic mapping is preferred due to accuracy and real-time updates
    3. Active Directory
      • Pulls IP-to-username mappings directly from Active Directory servers, helping correlate network activity with specific users
    4. DHCP Server Logs
      • Parses DHCP server logs to map IP addresses to hostnames based on lease records

    How to configure DHCP Syslog profile

    In NetFlow Analyzer, configure the DHCP Syslog profile under IP Mapping.

    How to configure DHCP Syslog profile?

    dhcpsyslog2

    To configure DHCP Syslog in NetFlow Analyzer:

    1. Go to:
      Settings → Netflow→ IP Mapping → DHCP Syslog
    2. Click on "Add Profile" and fill in the following:
      • Profile Name: A unique name for this configuration.
      • Server Type: Select the DHCP server type from the dropdown (e.g., Windows, Cisco, etc.).

      3. How to choose server type?

      • The server type should match your DHCP server's vendor or platform (e.g., Windows Server DHCP, Cisco, Linux ISC DHCP, etc.).
      • NetFlow Analyzer uses this information to correctly parse the format of incoming Syslogs.
      • If you're unsure:
        1. Check the DHCP server’s OS or product type.
        2. Refer to the DHCP server documentation.
        3. Alternatively, start with a generic option (if available) and adjust based on parsing success.

      Choosing the correct server type ensures accurate extraction of IP–MAC–Hostname details from Syslog messages.


    3. Port Number: Enter the port on which your DHCP server is exporting Syslogs.

      4. How to choose port number?

      1. The port number should match the one used by your DHCP server to export Syslogs.
      2. Most DHCP servers allow you to configure a custom port for Syslog export — commonly used ports include 514 (default).
      3. Make sure the selected port is:
        • Not already in use by another service.
        • Open and accessible between the DHCP server and NetFlow Analyzer.
      4. In NetFlow Analyzer, enter this same port number while creating the DHCP Syslog profile under IP Mapping → DHCP Syslog Configuration.

    The details of the columns of the table are given below:

    • Profile Name: Unique identifier given for the DHCP configuration.
    • Server Type: DHCP server vendor or type.
    • Port Number: Port used to receive/export Syslogs.
    • Status:
      1. Syslog received: The DHCP Syslog messages are being successfully received by NetFlow Analyzer.
      2. Syslog not received:  The profile is configured, but no DHCP Syslog messages have been received yet.
      3. Syslog stopped:  DHCP Syslog collection has stopped due to one of the following reasons,
        a. The flow was sent
        b. The configured port was changed
        c. The port is occupied by another service
        d. The background thread handling the Syslog stopped
        e. Other internal issues
      4. Log parsing initiated:  DHCP Syslog messages have been received and parsing has begun.
      5. Log parsed successfully:  The received Syslog messages were parsed without errors, and IP-to-hostname mappings were extracted successfully.
      6. Log parsing failed: Syslog messages were received, but parsing failed due to incorrect format, errors in the message structure, or unsupported log content.

    Note:The same port configured in NetFlow Analyzer must be used while exporting DHCP Syslog.

     

    How to configure Syslog forwarding based on server type

    Following are the steps to configure syslog forwarding based on your DHCP server type.

    Supported DHCP server types include,

    1. Linux
    2. Windows
    3. Palo Alto
    4. ISC
    5. Kea
    6. Cisco Prime

    1. Forwarding DHCP Logs from a Linux DHCP Server

    • DHCP daemon (dhcpd) generates logs using syslog facilities
    • Logs are handed over to rsyslog on the local server
    • rsyslog forwards selected logs to a remote log server over UDP

    (In this setup, we use the local7 syslog facility for DHCP logs)

    Step 1: Configure DHCP to Use local7 Facility

    Edit the DHCP configuration file:
    /etc/dhcp/dhcpd.conf
    Add or update the following line:
    log-facility local7;
    •log-facility local7 instructs dhcpd to send all DHCP-related logs to the local7 syslog facility
    •This allows easy separation of DHCP logs from other system logs

    Step 2: Configure rsyslog to Forward DHCP Logs

    Edit the rsyslog configuration file:
    /etc/rsyslog.conf
    (or create a dedicated file under /etc/rsyslog.d/, e.g. dhcp-forward.conf)
    Add the following entry:
    local7.* @10.XX.XX.XX:1540
    •local7.* captures all log levels from the local7 facility
    •"@" indicates UDP transport (@@ would indicate TCP)
    •10.XX.XX.XX:1540 is a remote log server IP and UDP port

    Step 3: (Optional but recommended) Store DHCP Logs Locally

    To keep a local copy of DHCP logs, add:
    local7.* /var/log/dhcpd.log
    Then create the log file and set permissions:
    touch /var/log/dhcpd.log
    chmod 644 /var/log/dhcpd.log

    Step 4: Restart Services

    Restart the required services for changes to take effect:
    systemctl restart rsyslog
    systemctl restart dhcpd
    Step 5: Verify Log Forwarding Check local DHCP logs
    tail -f /var/log/dhcpd.log
    Check rsyslog status
    systemctl status rsyslog
    Verify on Central Log Server
    •Confirm logs are received on UDP port 1540
    •Ensure firewall rules allow UDP traffic on this port
    Firewall Considerations
    Ensure outbound UDP traffic is allowed from the DHCP server:
    UDP 1540 → 10.XX.X.XX
    If firewall is enabled:
    firewall-cmd --add-port=1540/udp --permanent
    firewall-cmd --reload

    2. Forwarding DHCP logs from a Windows DHCP server

    Windows DHCP servers do not natively support sending logs using the syslog protocol. To forward DHCP logs, you must use a third-party syslog forwarding agent. Once it is installed and configured, DHCP logs can be forwarded to NetFlow Analyzer over UDP for IP to hostname correlation and security analysis.

    For detailed configuration instructions, and sample third-party NXLog configurations check: https://docs.nxlog.co/integrate/windows-dhcp-server.html

    3. Forwarding DHCP logs from a Palo Alto DHCP server

    To forward DHCP server logs, from a Palo Alto firewall configured as a DHCP server, you must enable and configure syslog forwarding on the device. Once enabled, the firewall can transmit these logs over UDP to NetFlow Analyzer for further analysis and monitoring.

    For step-by-step instructions on forwarding system logs to a syslog server, check this page: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClM9CAK

    4. Forwarding DHCP logs from an ISC DHCP server

    To forward DHCP logs from an ISC DHCP (dhcpd) server via UDP, configure a log collection agent to capture DHCP-server messages from the local syslog service and transmit them to a syslog server.

    For detailed configuration examples and sample nxlog.conf segment, refer to the official NXLog guide: https://docs.nxlog.co/integrate/dhcpd.html

    5. Forwarding DHCP logs from an ISC Kea DHCP server

    To forward DHCP logs from an ISC Kea DHCP server over UDP, you must first configure Kea’s built-in logging settings to write DHCP events to either the system log or a log file.

    For detailed instructions on configuring logging within Kea, refer: https://kb.isc.org/docs/kea-logging-configuration

    6. Forwarding DHCP Logs from a Cisco Prime DHCP server

    The DHCP server component of Cisco Prime Network Registrar (CPNR) generates logs for DHCP operations such as IP address assignments, renewals, releases, and lease expirations.

    To forward these logs over UDP to a centralized syslog server, you must configure:

    • DHCP logging within CPNR
    • Remote syslog forwarding settings

    For detailed, step-by-step configuration instructions, refer to the official Cisco documentation: https://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/network_registrar/11-2/dhcp/guide/DHCP_Guide/DHCP_Guide_chapter_01.html#con_1049660

    Important Note:

    • DHCP Syslog mapping is mandatory and cannot be disabled when Security Analytics is enabled.
    • DHCP Syslog cannot be turned off under Basic Settings → IP Resolution as well.
    • Ensure that the DHCP Syslog profile is properly configured and that logs are being exported to the same port as specified in the profile.

     

    Thank you for your feedback!

    Was this content helpful?

    We are sorry. Help us improve this page.

    How can we improve this page?
    Do you need assistance with this topic?
    By clicking "Submit", you agree to processing of personal data according to the Privacy Policy.