NXLog Legacy Documentation

Windows DHCP client

Windows DHCP client logs are written to Windows Event Log. There are two logs for IPv4 and two for IPv6. To enable the required logs, open Event Viewer (eventvwr) and check the logs under Applications and Services Logs > Microsoft > Windows > Dhcp-Client and Applications and Services Logs > Microsoft > Windows > DHCPv6-Client. To enable a log, right-click on it and click Enable Log.

Enabling DHCP client logs in Windows Event Log

Alternatively, the following PowerShell script checks all four logs and enables any that are disabled.

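# Run from an elevated PowerShell session; SaveChanges() requires administrator rights.
# DHCP client channels: IPv4 and IPv6, Admin and Operational.
$LogNames = @("Microsoft-Windows-Dhcp-Client/Admin",
              "Microsoft-Windows-Dhcp-Client/Operational",
              "Microsoft-Windows-Dhcpv6-Client/Admin",
              "Microsoft-Windows-Dhcpv6-Client/Operational")
ForEach ($LogName in $LogNames) {
    # Fetch the channel's configuration object
    $EventLog = Get-WinEvent -ListLog $LogName
    if ($EventLog.IsEnabled) {
        Write-Host "Already enabled: $LogName"
    }
    else {
        Write-Host "Enabling: $LogName"
        # Enable the channel and persist the change
        $EventLog.IsEnabled = $true
        $EventLog.SaveChanges()
    }
}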
Example 1. Collecting Windows DHCP client logs with NXLog

This configuration collects events from the IPv4 and IPv6 Admin and Operational DHCP client logs using the im_msvistalog module.

nxlog.conf
<Input dhcp_client_eventlog>
    Module    im_msvistalog
    <QueryXML>
      <QueryList>
        <Query Id="0">
          <Select Path="Microsoft-Windows-Dhcp-Client/Admin">*</Select>
          <Select Path="Microsoft-Windows-Dhcp-Client/Operational">*</Select>
          <Select Path="Microsoft-Windows-Dhcpv6-Client/Admin">*</Select>
          <Select Path="Microsoft-Windows-Dhcpv6-Client/Operational">*</Select>
        </Query>
      </QueryList>
    </QueryXML>
</Input>
Output sample in JSON format
{
  "EventTime":"2022-11-14T18:46:19.266713+03:00",
  "Hostname":"DESKTOP-PC",
  "Keywords":"9223372036854775808",
  "LevelValue":4,
  "EventType":"INFO",
  "SeverityValue":2,
  "Severity":"INFO",
  "EventID":50091,
  "SourceName":"Microsoft-Windows-Dhcp-Client",
  "ProviderGuid":"{15A7A4F8-0072-4EAB-ABAD-F98A4D666AED}",
  "Version":0,
  "TaskValue":7,
  "OpcodeValue":114,
  "RecordNumber":411,
  "ExecutionProcessID":2692,
  "ExecutionThreadID":6968,
  "Channel":"Microsoft-Windows-Dhcp-Client/Operational",
  "Domain":"NT AUTHORITY",
  "AccountName":"LOCAL SERVICE",
  "UserID":"S-1-5-19",
  "AccountType":"Well Known Group",
  "Message":"Parameter request received on interface with LUID 0x6008004000000. Attempting to acquire the interface context.",
  "Category":"Network Parameter State Event",
  "Opcode":"ParamRequest",
  "Level":"Information",
  "InterfaceLUID":"0x6008004000000",
  "ClassIDSize":"0",
  "StandardOptListSize":"1",
  "StandardOptList":"FC",
  "VendorOptListSize":"0",
  "EventReceivedTime":"2022-11-14T18:46:20.795889+03:00",
  "SourceModuleName":"dhcp_client_eventlog",
  "SourceModuleType":"im_msvistalog"
}
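An added example, not part of the NXLog documentation: a Python consumer for JSON events like the sample above that decodes StandardOptList into DHCPv4 option codes, so that requests for options such as 252 (WPAD) can be reviewed per host. It assumes one JSON event per line and that each hex byte of StandardOptList is one option code, which matches the sample (size 1, FC = 252); the function names and the last three input lines are constructed for illustration.

```python
import json

# Constructed input: the page's sample event trimmed to the fields used here,
# followed by three constructed lines (size mismatch, other channel, bad JSON).
SAMPLE_LINES = [
    '{"Hostname":"DESKTOP-PC","Channel":"Microsoft-Windows-Dhcp-Client/Operational",'
    '"EventID":50091,"InterfaceLUID":"0x6008004000000",'
    '"StandardOptListSize":"1","StandardOptList":"FC"}',
    '{"Hostname":"DESKTOP-PC","Channel":"Microsoft-Windows-Dhcp-Client/Operational",'
    '"EventID":50091,"InterfaceLUID":"0x6008004000000",'
    '"StandardOptListSize":"3","StandardOptList":"0103"}',
    '{"Hostname":"DESKTOP-PC","Channel":"Security","EventID":4624}',
    'not json',
]
# IPv4 channels only: DHCPv6 option codes are 16-bit and would need another decoder.
DHCP_V4_PREFIX = "microsoft-windows-dhcp-client/"
# DHCPv4 option codes; 252 is the private-use code commonly used for WPAD.
OPTION_NAMES = {1: "Subnet Mask", 3: "Router", 6: "Domain Name Server",
                15: "Domain Name", 252: "WPAD (proxy auto-discovery)"}

def decode_opt_list(hex_list, declared_size):
    """Decode a hex option list into (codes, problem); one byte per code (assumed)."""
    try:
        codes = list(bytes.fromhex(hex_list))
        size = int(declared_size)
    except (TypeError, ValueError):
        return [], "unparsable"
    return codes, (None if len(codes) == size else "size mismatch")

def summarize(lines):
    """Return one summary dict per DHCPv4 client event that carries an option list."""
    out = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip anything that is not a JSON event
        if not isinstance(event, dict) or "StandardOptList" not in event:
            continue
        if not str(event.get("Channel", "")).lower().startswith(DHCP_V4_PREFIX):
            continue
        codes, problem = decode_opt_list(event["StandardOptList"],
                                         event.get("StandardOptListSize"))
        out.append({"host": event.get("Hostname"),
                    "interface": event.get("InterfaceLUID"),
                    "options": [(c, OPTION_NAMES.get(c, "unknown")) for c in codes],
                    "problem": problem})
    return out
```

A non-empty `problem` marks an event whose option list did not parse or whose length disagrees with StandardOptListSize, which is worth checking before trusting the decoded codes.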
Disclaimer

While we endeavor to keep the information in this topic up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here. We update our screenshots and instructions on a best-effort basis.

The accuracy of the content was tested and proven to work in our lab environment at the time of the last revision with the following software versions:

NXLog version 5.6.7727
Windows Server 2019
Windows Server 2022

Last revision: 14 November 2022