DHCP Syslog usage in Security Analytics
In NetFlow Analyzer’s Security Analytics, accurate IP-to-hostname mapping is critical for effective asset-based anomaly detection. This is primarily achieved using DHCP Syslogs.
- Why DHCP Syslog is preferred in Security Analytics
- Priority Sequence for IP Mapping
- DHCP Syslog Profile Configuration
Why DHCP Syslog is preferred in Security Analytics

Manual mapping is static and limited to known devices with fixed IPs. Active Directory is updated periodically and might not reflect real-time changes. DHCP Syslog, by contrast, provides real-time, accurate data, which improves asset management.
DHCP Syslog provides dynamic mapping of:
IP Address ↔ MAC Address ↔ Hostname
This mapping is crucial because IP addresses change frequently due to DHCP leasing and a single machine (asset) might use different IPs over time. Hostnames remain consistent, helping to identify the true source regardless of changing IPs. Hence, Security Analytics is asset-based, not IP-based.
Priority Sequence for IP Mapping
To resolve IPs to hostnames, Security Analytics uses the following priority order:
- Manual Mapping
- Used for devices with static IPs
- Always takes priority if the IP exists in this mapping
- DHCP Syslog (Essential for Security Analytics)
- Dynamic mapping is preferred due to accuracy and real-time updates
- Active Directory
- Pulls IP-to-username mappings directly from Active Directory servers, helping correlate network activity with specific users
- DHCP Server Logs
- Parses DHCP server logs to map IP addresses to hostnames based on lease records
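The priority order above, combined with the point that one asset uses different IPs over time, can be sketched as a time-aware lookup. This is an added example, not NetFlow Analyzer's own code: the `IpMapper` class, the source labels, the timestamps and all sample mappings and flows are constructed for illustration, and lease expiry is not modeled.

```python
# Priority order from the page; the source labels are names chosen for this example.
PRIORITY = ["manual", "dhcp_syslog", "active_directory", "dhcp_server_logs"]

class IpMapper:
    def __init__(self):
        # source -> ip -> list of (seen_at, name), kept sorted by time
        self.tables = {source: {} for source in PRIORITY}

    def learn(self, source, ip, name, seen_at=0):
        entries = self.tables[source].setdefault(ip, [])
        entries.append((seen_at, name))
        entries.sort()

    def resolve(self, ip, at):
        """Return (name, source) for ip at time `at`; the first matching source wins."""
        for source in PRIORITY:
            known = [n for t, n in self.tables[source].get(ip, []) if t <= at]
            if known:
                return known[-1], source  # most recent mapping not later than `at`
        return ip, "unresolved"

def bytes_per_asset(mapper, flows):
    """Sum flow bytes per resolved asset instead of per source IP."""
    totals = {}
    for at, src_ip, nbytes in flows:
        name, _ = mapper.resolve(src_ip, at)
        totals[name] = totals.get(name, 0) + nbytes
    return totals

def build_sample_mapper():
    # Constructed sample data: 10.0.0.50 is re-leased from laptop-01 to laptop-02.
    m = IpMapper()
    m.learn("manual", "10.0.0.10", "fileserver")
    m.learn("dhcp_syslog", "10.0.0.10", "stale-host", seen_at=300)
    m.learn("dhcp_syslog", "10.0.0.50", "laptop-01", seen_at=100)
    m.learn("dhcp_syslog", "10.0.0.50", "laptop-02", seen_at=500)
    m.learn("dhcp_syslog", "10.0.0.73", "laptop-01", seen_at=520)
    return m

# Constructed flows: (timestamp, source IP, bytes)
SAMPLE_FLOWS = [(150, "10.0.0.50", 1000), (600, "10.0.0.50", 200),
                (700, "10.0.0.73", 3000), (650, "10.0.0.10", 50),
                (650, "10.0.0.99", 7)]

if __name__ == "__main__":
    totals = bytes_per_asset(build_sample_mapper(), SAMPLE_FLOWS)
    for asset, total in sorted(totals.items()):
        print(f"{asset}: {total} bytes")
```

Per-IP accounting would credit 1,200 bytes to 10.0.0.50 and split laptop-01's traffic across two addresses; the per-asset totals keep each host's activity together across lease changes.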
DHCP Syslog Profile Configuration
In NetFlow Analyzer, configure the DHCP Syslog profile under IP Mapping.
How to configure DHCP Syslog profile?

To configure DHCP Syslog in NetFlow Analyzer:
- Go to:
Settings → Netflow → IP Mapping → DHCP Syslog
- Click on "Add Profile" and fill in the following:
- Profile Name: A unique name for this configuration.
- Server Type: Select the DHCP server type from the dropdown (e.g., Windows, Cisco, etc.).
How to choose server type?
- The server type should match your DHCP server's vendor or platform (e.g., Windows Server DHCP, Cisco, Linux ISC DHCP, etc.).
- NetFlow Analyzer uses this information to correctly parse the format of incoming Syslogs.
- If you're unsure:
- Check the DHCP server’s OS or product type.
- Refer to the DHCP server documentation.
- Alternatively, start with a generic option (if available) and adjust based on parsing success.
Choosing the correct server type ensures accurate extraction of IP–MAC–Hostname details from Syslog messages.
- Port Number: Enter the port on which your DHCP server is exporting Syslogs.
How to choose port number?
- The port number should match the one used by your DHCP server to export Syslogs.
- Most DHCP servers allow you to configure a custom port for Syslog export; commonly used ports include 514 (default).
- Make sure the selected port is:
- Not already in use by another service.
- Open and accessible between the DHCP server and NetFlow Analyzer.
- In NetFlow Analyzer, enter this same port number while creating the DHCP Syslog profile under IP Mapping → DHCP Syslog Configuration.
The details of the columns of the table are given below:
- Profile Name: Unique identifier given for the DHCP configuration.
- Server Type: DHCP server vendor or type.
- Port Number: Port used to receive/export Syslogs.
- Status:
- Syslog received: The DHCP Syslog messages are being successfully received by NetFlow Analyzer.
- Syslog not received: The profile is configured, but no DHCP Syslog messages have been received yet.
- Syslog stopped: DHCP Syslog collection has stopped due to one of the following reasons:
a. The flow was sent
b. The configured port was changed
c. The port is occupied by another service
d. The background thread handling the Syslog stopped
e. Other internal issues
- Log parsing initiated: DHCP Syslog messages have been received and parsing has begun.
- Log parsed successfully: The received Syslog messages were parsed without errors, and IP-to-hostname mappings were extracted successfully.
- Log parsing failed: Syslog messages were received, but parsing failed due to incorrect format, errors in the message structure, or unsupported log content.
Note: The same port configured in NetFlow Analyzer must be used while exporting DHCP Syslog.
Important Note:
- DHCP Syslog mapping is mandatory and cannot be disabled when Security Analytics is enabled.
- DHCP Syslog cannot be turned off under Basic Settings → IP Resolution as well.
- Ensure that the DHCP Syslog profile is properly configured and that logs are being exported to the same port as specified in the profile.