# SIEM DHCP-DNS and more Integration

## DHCP Server
By default, the Windows DHCP server's audit logs are capped at 70 MB in total. When that cap is reached, new events are no longer written to the log; at 00:00 the server starts a new log file for the next day. IPv4 and IPv6 events are written to separate files, one file per day of the week, each allowed about 10 MB, so the daily files together add up to the 70 MB limit. Default log path: `C:\Windows\System32\dhcp`

Logging can be enabled either through the DHCP console's default settings or through Event Viewer.
### Registry Editor

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters
    Value : DhcpLogFilesMaxSize
    Base  : Decimal
    Data  : 700
```
PowerShell (the output below is after the value has been raised to 700 MB):

```powershell
PS> Get-DhcpServerAuditLog

Path              : C:\Windows\system32\dhcp
Enable            : True
MaxMBFileSize     : 700
DiskCheckInterval : 50
MinMBDiskSpace    : 20

PS> Restart-Service DHCPServer
```
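The same change done end to end, as an added example that is not part of the original note: it raises the audit-log budget with the supported cmdlet, checks that the cmdlet view and the registry value agree, and reports how full each daily file is, because a daily file that hits its share stops receiving events for the rest of that day, which is a silent gap in the SIEM feed. It assumes an elevated PowerShell on the DHCP server with the DhcpServer module, the 700 MB target from above, and that the seven weekday files (`DhcpSrvLog-*.log`, IPv6 in `DhcpV6SrvLog-*.log`) share the budget equally, as the 70 MB / 10 MB default suggests; that equal split is an assumption of this script.

```powershell
# Added example, not from the original note. Run elevated on the DHCP server.
# Assumption: the budget is split equally across the seven daily log files.

$TargetMB = 700
$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters'

# 1. Raise the limit through the supported cmdlet (same effect as editing
#    DhcpLogFilesMaxSize in the registry by hand).
Set-DhcpServerAuditLog -Enable $true -MaxMBFileSize $TargetMB

# 2. Read back both views; a mismatch means the change did not take.
$audit = Get-DhcpServerAuditLog
$reg   = (Get-ItemProperty -Path $RegPath -Name DhcpLogFilesMaxSize).DhcpLogFilesMaxSize
if ($audit.MaxMBFileSize -ne $TargetMB -or $reg -ne $TargetMB) {
    throw "Audit log size mismatch: cmdlet=$($audit.MaxMBFileSize) registry=$reg expected=$TargetMB"
}

# 3. Each weekday file gets an equal share of the budget (assumption, see above).
#    A file that reaches its share stops receiving events until the next day,
#    so anything close to 100 % here means the SIEM is about to lose events.
$PerDayMB = $audit.MaxMBFileSize / 7
Get-ChildItem -Path $audit.Path -Filter 'Dhcp*SrvLog-*.log' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $usedMB = [math]::Round($_.Length / 1MB, 2)
        [pscustomobject]@{
            File        = $_.Name
            UsedMB      = $usedMB
            ShareMB     = $PerDayMB
            PercentUsed = [math]::Round(100 * $usedMB / $PerDayMB, 1)
            LastWrite   = $_.LastWriteTime
        }
    } | Sort-Object PercentUsed -Descending | Format-Table -AutoSize

# 4. Restart so the new limit applies to the files written from now on.
Restart-Service -Name DHCPServer
```

The `LastWrite` column is the quick health check: a daily file whose last write is hours old on a busy network usually means the file has already hit its share.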
## DNS Server

DNS debug logging can be enabled either from the Debug Logging tab of the DNS console or through Event Viewer; it is the same log you turn on when troubleshooting the server. Microsoft states that by default the debug log file can grow to about 4.2 GB (4294967295 bytes); the registry value is expressed in bytes. Default log path: `C:\Windows\System32\dns`
### Registry Editor

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
    Value : LogFileMaxSize
    Base  : Decimal
    Data  : 4294967295
```
PowerShell:

```powershell
PS> 4GB / 1    # GB suffix converts to bytes: 4GB is 4294967296, one more than the DWORD maximum 4294967295 used above
PS> Get-DnsServerDiagnostics
PS> Restart-Service -Name "DNS"
```
In Event Viewer, click OK again to confirm enabling the DNS Server Analytic event log. By default, analytic events are written to the file `%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-DNSServer%4Analytical.etl`

You can also enable log file rotation for SIEM collection: https://www.google.com/search?q=dns+server+enable+Log+file+rotation
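The DNS side of the note (registry cap, debug logging, the Analytic channel and rotation) carried through in one script, as an added example that is not part of the original note. It assumes an elevated PowerShell on the DNS server with the DnsServer module, the log directory from above with a file name of `dns.log`, and a 500 MB rollover size chosen for this example, not a Microsoft default. It also handles the caveat the `4GB / 1` line hints at: `LogFileMaxSize` is a 32-bit REG_DWORD, and PowerShell reads and writes DWORDs as signed Int32, so the 4294967295 ceiling has to be written as the bit pattern -1 and converted back when verifying.

```powershell
# Added example, not from the original note. Run elevated on the DNS server.
# Assumptions: dns.log under the default directory; 500 MB rollover size.

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$LogPath = 'C:\Windows\System32\dns\dns.log'

# 1. Turn on the debug log itself: queries and answers, UDP and TCP, both
#    directions, written to a file that rolls over instead of stopping when
#    it is full. Rollover is what lets a SIEM collector pick up closed files.
Set-DnsServerDiagnostics -EnableLoggingToFile $true `
                         -LogFilePath $LogPath `
                         -MaxMBFileSize 500 `
                         -EnableLogFileRollover $true `
                         -Queries $true -Answers $true `
                         -ReceivePackets $true -SendPackets $true `
                         -UdpPackets $true -TcpPackets $true

# 2. LogFileMaxSize is a REG_DWORD, so its ceiling is 0xFFFFFFFF = 4294967295.
#    PowerShell's 4GB literal is 4294967296 and does not fit. DWORDs go through
#    .NET as Int32, so the all-ones pattern must be written as -1.
$MaxBytes = [uint32]::MaxValue                                               # 4294967295
$AsDword  = [BitConverter]::ToInt32([BitConverter]::GetBytes($MaxBytes), 0)  # -1
Set-ItemProperty -Path $RegPath -Name LogFileMaxSize -Value $AsDword -Type DWord

# 3. Enable the Analytical ETW channel; it is off by default and Event Viewer
#    only shows it when "Show Analytic and Debug Logs" is ticked.
wevtutil sl 'Microsoft-Windows-DNSServer/Analytical' /e:true

# 4. Restart so the registry change is read, then verify from the live config.
Restart-Service -Name DNS

$diag   = Get-DnsServerDiagnostics
$regRaw = (Get-ItemProperty -Path $RegPath -Name LogFileMaxSize).LogFileMaxSize   # Int32: -1 for the max
$reg    = [BitConverter]::ToUInt32([BitConverter]::GetBytes([int32]$regRaw), 0)  # back to 4294967295
$etw    = Get-WinEvent -ListLog 'Microsoft-Windows-DNSServer/Analytical'

$checks = [ordered]@{
    'Debug log enabled'         = $diag.EnableLoggingToFile -eq $true
    'Rollover enabled'          = $diag.EnableLogFileRollover -eq $true
    'Log path as intended'      = $diag.LogFilePath -eq $LogPath
    'Registry cap = 4294967295' = $reg -eq $MaxBytes
    'Analytical channel on'     = $etw.IsEnabled -eq $true
}
$checks.GetEnumerator() | ForEach-Object {
    '{0,-28} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

Any `FAIL` line after the restart means the SIEM will be fed from a setting other than the one you think you configured; the registry write is done after `Set-DnsServerDiagnostics` so that the byte cap is the last word on file size.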
## And more
Written by theguler with love in Turkey 💖