Dynamic Host Configuration Protocol


DHCP Audit Logging

The Windows 2000 DHCP service includes several new logging features and server parameters that provide enhanced auditing capabilities.

The audit logging behavior discussed in this section applies only to the DHCP service provided with Windows 2000 Server. It replaces the previous DHCP logging behavior used in earlier versions of Windows NT Server, which do not perform audit checks and use only a single log file named Dhcpsrv.log for logging service events.

The formatted structure of DHCP service logs and the level of reporting maintained for audited logging are the same as in earlier versions of the Windows DHCP service. For more information on the structure of the logs, you can review the header section of each log in a text-editing program such as Notepad.

You can now specify the following features:

Through the DHCP Properties dialog boxes, you can specify:

See the online documentation for procedural information about specifying these parameters.

Naming Audit Log Files

The name of the audit log file is based on the current day of the week, as determined by the server's current date and time.

then the server's audit log file is named DhcpSrvLog.Sat.


Starting a Daily Audit Log

When the DHCP server starts or whenever a new day of the week occurs (when local time on the computer is 12:00 A.M.), the server writes a header message in the audit log file, indicating that logging started. Depending on whether the audit log file is a new or existing file, the following actions occur next:

Disk Checks

After audit logging starts, the DHCP server performs disk checks at regular intervals to ensure that server disk space remains available and that the current audit log file neither becomes too large nor grows too rapidly.

The DHCP server performs a full disk check whenever either of the following conditions occurs:

The frequency of periodic disk checks is expressed as a number of logged events: a check runs every n logged events, where n is the value of the registry entry DhcpLogDiskSpaceCheckInterval.

Each time a disk check is completed, the DHCP service checks to see if the server disk space is full. The disk is considered full if either of the following conditions is true:

If the disk is full, the DHCP server closes the current file and ignores further requests to log audit events until either 12:00 A.M. or the disk status improves and the disk is no longer full.

Even if audit log events are ignored because of a full-disk condition, the DHCP server continues checking every n number of attempted log events to see if disk conditions on the server computer have improved. The number is set in the DhcpLogDiskSpaceCheckInterval entry. If subsequent disk checks determine that the required amount of server disk space is available, the DHCP service reopens the current day's log file and resumes logging.

Ending a Daily Audit Log

At 12:00 A.M. local time on the server computer, the DHCP server closes the existing log and moves to the log file for the next day of the week. For example, if the day of the week changes at 12:00 A.M. from Wednesday to Thursday, the log file named DhcpSrvLog.wed is closed and the file named DhcpSrvLog.thu is opened and used for logging events.
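The disk-check and rollover rules above imply that audit events can be dropped silently, which matters when the logs are later used as evidence. The following Python model is an added example, not code from the DHCP service; the `AuditLogModel` class, the `disk_is_full` predicate (the page's own "disk full" criteria are not modelled), and the sample timeline are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")

class AuditLogModel:
    """Added model of the suspend/resume rules above; not the DHCP service's code."""

    def __init__(self, check_interval, disk_is_full):
        self.n = check_interval           # stands in for DhcpLogDiskSpaceCheckInterval
        self.disk_is_full = disk_is_full  # assumed predicate; the page's "full" criteria are not modelled
        self.attempts = 0
        self.suspended = False
        self.day = None
        self.written = {}                 # audit file name -> events written
        self.dropped = []                 # events ignored while the disk was considered full

    @staticmethod
    def file_name(ts):
        # File name follows the server's day of the week, e.g. DhcpSrvLog.Sat
        return "DhcpSrvLog." + DAYS[ts.weekday()]

    def log(self, ts, event):
        if ts.date() != self.day:
            # 12:00 A.M.: previous file is closed, next day's file is used,
            # and a full-disk suspension from the previous day ends.
            self.day, self.suspended = ts.date(), False
        self.attempts += 1
        if self.attempts % self.n == 0:   # disk check every n attempted log events
            self.suspended = self.disk_is_full(ts)
        if self.suspended:
            self.dropped.append((ts, event))
            return False
        self.written.setdefault(self.file_name(ts), []).append(event)
        return True

def run_sample():
    # Constructed timeline: one event per minute, Wed 2000-03-01 23:50 to Thu 00:09.
    start = datetime(2000, 3, 1, 23, 50)
    full_from, full_until = datetime(2000, 3, 1, 23, 52), datetime(2000, 3, 1, 23, 57)
    model = AuditLogModel(5, lambda ts: full_from <= ts < full_until)
    for i in range(20):
        model.log(start + timedelta(minutes=i), f"event-{i}")
    return model

if __name__ == "__main__":
    m = run_sample()
    print({name: len(events) for name, events in m.written.items()})
    print("dropped:", [e for _, e in m.dropped])
```

In the sample the disk recovers at 23:57, yet event-7 and event-8 are still dropped because logging resumes only at the next check, on the tenth attempted event. When reviewing these logs, treat a quiet stretch as a possible full-disk gap rather than proof of no DHCP activity.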

© 1985-2000 Microsoft Corporation. All rights reserved.