Collect Microsoft Windows DHCP data

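This document:

  • describes the deployment architecture, the installation steps, and the configuration required to produce logs supported by the Google Security Operations parser for Microsoft Windows DHCP events. For an overview of Google Security Operations data ingestion, see Data ingestion to Google Security Operations.
  • includes information about how the parser maps fields in the original log to Google Security Operations Unified Data Model fields.

The information in this document applies to the parser with the WINDOWS_DHCP ingestion label. The ingestion label identifies the parser that normalizes raw log data to structured UDM format.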

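Before you begin

This diagram shows the recommended core components in a deployment architecture that collects Microsoft Windows DHCP events and sends them to Google Security Operations. Compare this information with your environment to make sure these components are installed. Each customer deployment differs from this representation and may be more complex. The following are required:

  • Microsoft Windows servers with the DHCP Server role
  • All systems configured with the UTC time zone
  • NXLog installed on the clustered Microsoft Windows servers to collect and forward logs for the Operational, Admin, and Filter Notification channels
  • Google Security Operations forwarder installed on a central Microsoft Windows or Linux server

    Figure: Deployment architecture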

Review the supported devices and versions

The Google Security Operations parser supports logs generated by the following Microsoft Windows Server versions and protocols. Microsoft Windows Server is released in the Foundation, Essentials, Standard, and Datacenter editions. The event schema of the logs generated by each edition does not differ.

| Server version | Protocol support |
| --- | --- |
| Microsoft Windows Server 2019 | DHCPv4 |
| Microsoft Windows Server 2016 | DHCPv4 |
| Microsoft Windows Server 2012 | DHCPv4 |

The Google Security Operations parser supports logs collected by NXLog Enterprise Edition or Community Edition.

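Review the supported log types

The Google Security Operations parser supports the following log types generated by the Microsoft Windows DHCP server. For more information about these log types, see the Microsoft Windows DHCP server documentation. The parser supports logs generated with English-language text; logs generated in other languages are not supported.

| Type | Data format | Description |
| --- | --- | --- |
| Audit logging | CSV | Includes startup and shutdown, and lease activity. |
| Operational events | Microsoft Windows event format | Provides DHCP configuration logging. |
| Admin events | Microsoft Windows event format | Provides DHCP server administration event logging. |
| Filter notification events | Microsoft Windows event format | Provides DHCP server link layer based filtering event logging. |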

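Configure the BindPlane agent

Use the BindPlane agent to collect Windows DHCP logs. After installation, the BindPlane Agent service appears as the observerIQ service in the list of Windows services.

  1. Install and configure the Windows DHCP server. For more information about installing the Windows DHCP server, see Dynamic Host Configuration Protocol (DHCP) overview.

  2. Install the BindPlane agent on the collector running on the Windows server. For more information about installing the BindPlane agent, see the BindPlane agent installation instructions.

  3. Create a configuration file for the BindPlane agent with the following content: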

    receivers:
      dhcplog/dhcp_server_operational:
        channel: Microsoft-Windows-Dhcp-Server/Operational
      dhcplog/dhcp_server_notification:
        channel: Microsoft-Windows-Dhcp-Server/FilterNotifications
    processors:
      batch:

    exporters:
      chronicle/dhcp:
        endpoint: https://malachiteingestion-pa.googleapis.com
        # Service account key JSON, passed as one single-quoted string.
        creds: '{
          "type": "service_account",
          "project_id": "malachite-projectname",
          "private_key_id": "PRIVATE_KEY_ID",
          "private_key": "PRIVATE_KEY",
          "client_email": "SERVICE_ACCOUNT_NAME@malachite-PROJECT_ID.iam.gserviceaccount.com",
          "client_id": "CLIENT_ID",
          "auth_uri": "https://accounts.google.com/o/oauth2/auth",
          "token_uri": "https://oauth2.googleapis.com/token",
          "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
          "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_NAME%40malachite-PROJECT_ID.iam.gserviceaccount.com",
          "universe_domain": "googleapis.com"
          }'
        log_type: 'WINDOWS_DHCP'
        override_log_type: false
        raw_log_field: body
        # Replace with your CUSTOMER_ID.
        customer_id: 'dddddddd-dddd-dddd-dddd-dddddddddddd'

    service:
      pipelines:
        logs/dhcp:
          receivers:
            - dhcplog/dhcp_server_operational
            - dhcplog/dhcp_server_notification
          processors: [batch]
          exporters: [chronicle/dhcp]
    
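  4. Replace PRIVATE_KEY_ID, PRIVATE_KEY, SERVICE_ACCOUNT_NAME, PROJECT_ID, CLIENT_ID, and CUSTOMER_ID with the respective values from the service account JSON file, which you can download from Google Cloud Platform. For more information about service account keys, see the Create and delete service account keys documentation.

  5. To start the observerIQ agent service, select Services > Extended > observerIQ Service > Start.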

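Configure the Microsoft Windows DHCP server

  1. Install and configure the Microsoft Windows DHCP server. For more information, see the Microsoft Windows documentation.
  2. Configure the system with the UTC time zone.
  3. Install NXLog on each Microsoft Windows DHCP server. Follow the NXLog documentation, which includes information about configuring NXLog for Microsoft Windows DHCP.
  4. Create a configuration file for each NXLog instance. Use the im_file and im_msvistalog modules.

    The following is an example NXLog configuration. Follow this guidance about how to collect logs from 64-bit Microsoft Windows using a 32-bit NXLog agent.

    • Replace the <hostname> and <port> values (HOSTNAME and PORT in the example) with information about the destination central Microsoft Windows server. For more information, see the NXLog documentation about the om_tcp module.

    • In the <Input audit_logs_csv> section, change the log file path in the File property to the location of the file that contains the DHCP audit logs. See the NXLog documentation about the im_file input module.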

    define ROOT C:\Program Files\nxlog
    define WINDHCP_OUTPUT_DESTINATION_ADDRESS HOSTNAME
    define WINDHCP_OUTPUT_DESTINATION_PORT PORT
    
    Moduledir   %ROOT%\modules
    CacheDir    %ROOT%\data
    Pidfile     %ROOT%\data\nxlog.pid
    SpoolDir    %ROOT%\data
    LogFile     %ROOT%\data\nxlog.log
    
    <Extension _json>
        Module  xm_json
    </Extension>
    
    <Input dhcp_server_eventlog>
        Module      im_msvistalog
        <QueryXML>
            <QueryList>
                <Query Id="0" Path="System">
                    <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-DHCP-Server']]]</Select>
                </Query>
                <Query Id="0">
                    <Select Path="DhcpAdminEvents">*</Select>
                    <Select Path="Microsoft-Windows-Dhcp-Server/FilterNotifications">*</Select>
                    <Select Path="Microsoft-Windows-Dhcp-Server/Operational">*</Select>
                </Query>
            </QueryList>
        </QueryXML>
        Exec        $EventTime = integer($EventTime) / 1000;
        Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000;
        Exec        to_json();
    </Input>

    <Input audit_logs_csv>
        Module      im_file
        # Use quotation marks. For example: "c:\dhcp\-*.log"
        File        "LOG_FILE_PATH"
        SavePos     TRUE
        InputType   LineBased
        Exec        $Message = $raw_event;
    </Input>
    
    <Output out_chronicle_forwarder>
        Module      om_tcp
        Host        %WINDHCP_OUTPUT_DESTINATION_ADDRESS%
        Port        %WINDHCP_OUTPUT_DESTINATION_PORT%
    </Output>
    
    <Route dhcp_events_to_chronicle_forwarder>
        Path     dhcp_server_eventlog,audit_logs_csv => out_chronicle_forwarder
    </Route>
    
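  5. Start the NXLog service.

Configure the central Microsoft Windows or Linux server

For more information about installing and configuring the forwarder, see Install and configure the forwarder on Linux or Install and configure the forwarder on Microsoft Windows.

  1. Configure the system with the UTC time zone.
  2. Install the Google Security Operations forwarder on the central Microsoft Windows or Linux server.
  3. Configure the Google Security Operations forwarder to send logs to Google Security Operations. The following is an example forwarder configuration.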

      - syslog:
          common:
            enabled: true
            data_type: WINDOWS_DHCP
            batch_n_seconds: 10
            batch_n_bytes: 1048576
          tcp_address: 0.0.0.0:10518
          connection_timeout_sec: 60
    

Field mapping reference: device log fields to UDM fields

This section describes how the parser maps original log fields to Unified Data Model (UDM) fields.

Audit logs

| Original log field | UDM field |
| --- | --- |
| ID | security_result.rule_name is set to "EventID: %{EventID}". The dhcp.type is set according to the EventID: for EventIDs 10, 11, 20, 21, the value is set to ACK; for EventID 12, the value is set to RELEASE; for EventIDs 13, 14, 15, 22, the value is set to NAK; for EventIDs 16, 23, the value is set to WIN_DELETED; for EventIDs 17, 18, the value is set to WIN_EXPIRED. |
| Date | metadata.event_timestamp |
| Time | metadata.event_timestamp |
| Description | metadata.description |
| IP Address | principal.ip. If the syslog header contains an IP address, it is mapped to "principal.ip", else if the syslog header contains a hostname, it is mapped to "principal.hostname". |
| Host Name | network.dhcp.client_hostname |
| MAC Address | If the event_type is NETWORK_DHCP, then network.dhcp.chaddr is set. Otherwise, target.mac is set. |
| User Name | principal.user.userid |
| TransactionID | network.dhcp.transaction_id |
| QResult | The value is mapped to security_result.action: if the value is 0:NoQuarantine, set to ALLOW; if the value is 1:Quarantine, set to QUARANTINE; if the value is 2:Drop Packet, set to BLOCK; if the value is 3:Probation, set to ALLOW; if the value is 6:No Quarantine Information, set to UNKNOWN_ACTION. |
| Dhcid | network.dhcp.client_identifier |
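The audit log mapping above, written out as a small parser. This is an added example, not Google's parser code: the column order, the MM/DD/YY date format, the MAC formatting and the sample lines are assumptions of the example, and the event types for IDs 0 to 64 are taken from the event ID table later in this document.

```python
import csv
from datetime import datetime, timezone

# Column order assumed from the header line a DHCP audit log file carries.
COLUMNS = ["ID", "Date", "Time", "Description", "IP Address", "Host Name",
           "MAC Address", "User Name", "TransactionID", "QResult",
           "Probationtime", "CorrelationID", "Dhcid"]

# EventID -> dhcp.type, as listed in the audit log mapping table.
DHCP_TYPE = {i: t for ids, t in (
    ((10, 11, 20, 21), "ACK"), ((12,), "RELEASE"), ((13, 14, 15, 22), "NAK"),
    ((16, 23), "WIN_DELETED"), ((17, 18), "WIN_EXPIRED")) for i in ids}

# QResult code -> security_result.action.
QRESULT_ACTION = {0: "ALLOW", 1: "QUARANTINE", 2: "BLOCK", 3: "ALLOW",
                  6: "UNKNOWN_ACTION"}

# Event types and is_alert flags for audit IDs 0-64, from the event ID table.
NETWORK_DHCP = set(range(10, 19)) | set(range(20, 24))
GENERIC = {0, 1, 2, 30, 31, 32, 33, 35, 36, 54, 56, 59}
UNCATEGORIZED = {24, 25, 34, 50, 51, 53, 55, 57, 58, 60, 61, 62, 63, 64}
IS_ALERT = {31, 33, 35, 54, 56, 59}

# Columns that map one-to-one onto a UDM field.
DIRECT = {"IP Address": "principal.ip",
          "Host Name": "network.dhcp.client_hostname",
          "User Name": "principal.user.userid",
          "TransactionID": "network.dhcp.transaction_id",
          "Dhcid": "network.dhcp.client_identifier"}

# Constructed sample: legend text, column header, then three events.
SAMPLE = """\t\tMicrosoft DHCP Service Activity Log
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name
00,06/25/24,00:00:12,Started,,,,,0,6,,,
10,06/25/24,10:15:01,Assign,10.0.0.25,WS01.corp.example,AABBCCDDEEFF,,3318279184,0,,,
15,06/25/24,10:16:40,NACK,10.0.0.77,,001122334455,,77,2,,,
"""


def event_type(event_id):
    if event_id in NETWORK_DHCP:
        return "NETWORK_DHCP"
    if event_id in GENERIC:
        return "GENERIC_EVENT"
    if event_id in UNCATEGORIZED:
        return "SYSTEM_AUDIT_LOG_UNCATEGORIZED"
    return None  # ID not listed on the page; left unmapped in this example


def format_mac(raw):
    """Turn the log's bare hex MAC (AABBCCDDEEFF) into aa:bb:cc:dd:ee:ff."""
    digits = raw.replace("-", "").replace(":", "").lower()
    if len(digits) == 12 and all(c in "0123456789abcdef" for c in digits):
        return ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    return raw  # leave other identifiers untouched


def parse_audit_line(line):
    """Map one audit log line to UDM-style fields; None for non-event lines."""
    row = [c.strip() for c in next(csv.reader([line]), [])]
    try:
        event_id = int(row[0])
    except (IndexError, ValueError):
        return None  # file legend, column header or blank line
    rec = dict(zip(COLUMNS, row))
    etype = event_type(event_id)
    udm = {"metadata.event_type": etype,
           "metadata.description": rec.get("Description", ""),
           "security_result.rule_name": f"EventID: {event_id}",
           "is_alert": event_id in IS_ALERT}
    try:
        # MM/DD/YY is assumed; hosts run in UTC per the prerequisites.
        stamp = f"{rec.get('Date')} {rec.get('Time')}"
        ts = datetime.strptime(stamp, "%m/%d/%y %H:%M:%S")
        udm["metadata.event_timestamp"] = ts.replace(tzinfo=timezone.utc).isoformat()
    except ValueError:
        pass  # keep the event even when the timestamp cannot be parsed
    if event_id in DHCP_TYPE:
        udm["network.dhcp.type"] = DHCP_TYPE[event_id]  # "dhcp.type" in the table
    for column, field in DIRECT.items():
        if rec.get(column):
            udm[field] = rec[column]
    if rec.get("MAC Address"):
        key = "network.dhcp.chaddr" if etype == "NETWORK_DHCP" else "target.mac"
        udm[key] = format_mac(rec["MAC Address"])
    qresult = rec.get("QResult", "")
    if qresult.isdigit() and int(qresult) in QRESULT_ACTION:
        udm["security_result.action"] = QRESULT_ACTION[int(qresult)]
    return udm


def parse_audit_log(text):
    """Parse a whole audit log file, skipping legend and header lines."""
    return [e for line in text.splitlines() if (e := parse_audit_line(line))]
```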

Common fields across operational, admin, and filter notification events

| Original log field | UDM field |
| --- | --- |
| EventTime | metadata.event_timestamp |
| Channel | If the Category field is not empty, then metadata.product_event_type is set to "%{Category} [%{EventID}]". If the Category field is empty, then metadata.product_event_type is set to "%{Channel} [%{EventID}]". |
| SourceName | metadata.vendor = "Microsoft"; metadata.product_name = "Windows DHCP Server" |
| Hostname | principal.hostname |
| EventID | security_result.rule_name |
| Severity | security_result.severity. Original values are mapped to UDM field values as follows: 0 (None) - UNKNOWN_SEVERITY; 1 (Critical) - INFORMATIONAL; 2 (Error) - ERROR; 3 (Warning) - ERROR; 4 (Informational) - INFORMATIONAL; 5 (Verbose) - INFORMATIONAL |
| UserID | principal.user.windows_sid |
| ExecutionProcessID | principal.process.pid |
| ProcessID | principal.process.pid |

Operational events

| Original log field | UDM field |
| --- | --- |
| PhysicalAddress | principal.mac |
| ClientName | principal.user.userid |
| HWType | dhcp.htype |
| OptionName | dhcp.option.code |
| Message | metadata.description |
| Category | metadata.product_event_type |
| ReservationName | target.resource.name. The value stored is different depending on the EventID of the original event. |
| RelationshipName | target.resource.name. The value stored is different depending on the EventID of the original event. |
| IP_ScopeName | target.resource.name. The value stored is different depending on the EventID of the original event. |
| PolicyName | target.resource.name. The value stored is different depending on the EventID of the original event. |
| IP_Name | target.resource.name. The value stored is different depending on the EventID of the original event. |
| Server2Name | target.hostname |
| Server | Depending on the value, stored in target.ip or target.hostname. |

Filter notification events

| Original log field | UDM field |
| --- | --- |
| MACAddress | principal.mac |
| Message | metadata.description |

Admin events

| Original log field | UDM field |
| --- | --- |
| operation | security_result.description |
| FQDNName | target.hostname |
| Message | metadata.description |
| Category | metadata.product_event_type |
| Server | target.ip / target.hostname |
| RelationName | target.resource.name. The value stored is different depending on the EventID of the original event. |
| PartnerServer | target.hostname |
| IP_Name | target.resource.name. The value stored is different depending on the EventID of the original event. |
| IpAddress | target.ip |

Field mapping reference: event ID to UDM event type

This section describes how the parser maps event IDs to UDM event_types.

Event ID    Event text    UDM event type    Description
0 The log was started. GENERIC_EVENT
1 The log was stopped. GENERIC_EVENT
2 The log was temporarily paused due to low disk space. GENERIC_EVENT
10 A new IP address was leased to a client. NETWORK_DHCP
11 A lease was renewed by a client. NETWORK_DHCP
12 A lease was released by a client. NETWORK_DHCP
13 An IP address was found to be in use on the network. NETWORK_DHCP
14 A lease request could not be satisfied because the scope's address pool was exhausted. NETWORK_DHCP
15 A lease was denied. NETWORK_DHCP
16 A lease was deleted. NETWORK_DHCP
17 A lease was expired and DNS records for an expired leases have not been deleted. NETWORK_DHCP
18 A lease was expired and DNS records were deleted. NETWORK_DHCP
20 A BOOTP address was leased to a client. NETWORK_DHCP
21 A dynamic BOOTP address was leased to a client. NETWORK_DHCP
22 A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted. NETWORK_DHCP
23 A BOOTP IP address was deleted after checking to see it was not in use. NETWORK_DHCP
24 IP address cleanup operation has began. SYSTEM_AUDIT_LOG_UNCATEGORIZED
25 IP address cleanup statistics. SYSTEM_AUDIT_LOG_UNCATEGORIZED
30 DNS update request to the named DNS server. GENERIC_EVENT
31 DNS update failed. GENERIC_EVENT The UDM field is_alert is set to true.
32 DNS update successful. GENERIC_EVENT
33 Packet dropped due to NAP policy. GENERIC_EVENT The UDM field is_alert is set to true.
34 DNS update request failed.as the DNS update request queue limit exceeded. SYSTEM_AUDIT_LOG_UNCATEGORIZED
35 DNS update request failed. GENERIC_EVENT The UDM field is_alert is set to true.
36 Packet dropped because the server is in failover standby role or the hash of the client ID does not match. GENERIC_EVENT
50 Unreachable domain SYSTEM_AUDIT_LOG_UNCATEGORIZED
51 Authorization succeeded SYSTEM_AUDIT_LOG_UNCATEGORIZED
53 Cached Authorization SYSTEM_AUDIT_LOG_UNCATEGORIZED
54 Authorization failed GENERIC_EVENT The UDM field is_alert is set to true.
55 Authorization (servicing) SYSTEM_AUDIT_LOG_UNCATEGORIZED
56 Authorization failure, stopped servicing GENERIC_EVENT The UDM field is_alert is set to true.
57 Server found in domain SYSTEM_AUDIT_LOG_UNCATEGORIZED
58 Server could not find domain SYSTEM_AUDIT_LOG_UNCATEGORIZED
59 Network failure GENERIC_EVENT The UDM field is_alert is set to true.
60 No DC is DS Enabled SYSTEM_AUDIT_LOG_UNCATEGORIZED
61 Server found that belongs to DS domain SYSTEM_AUDIT_LOG_UNCATEGORIZED
62 Another server found SYSTEM_AUDIT_LOG_UNCATEGORIZED
63 Restarting rogue detection SYSTEM_AUDIT_LOG_UNCATEGORIZED
64 No DHCP enabled interfaces SYSTEM_AUDIT_LOG_UNCATEGORIZED
70 Scope: %1 for IPv4 is Configured by %2. SETTING_CREATION
71 Scope: %1 for IPv4 is Modified by %2 SETTING_MODIFICATION
72 Scope: %1 for IPv4 is Deleted by %2 SETTING_DELETION
73 Scope: %1 for IPv4 is Activated by %2 SETTING_MODIFICATION
74 Scope: %1 for IPv4 is DeActivated by %2 SETTING_MODIFICATION
75 Scope: %1 for IPv4 is Updated with Lease Duration: %2 seconds by %3. The previous configured Lease Duration was: %4 seconds SETTING_MODIFICATION
76 Scope: %1 for IPv4 is Updated with Option Settings: %2 by %3 SETTING_MODIFICATION
77 Scope: %1 for IPv4 is Enabled for DNS Dynamic updates by %2 SETTING_MODIFICATION
78 Scope: %1 for IPv4 is Disabled for DNS Dynamic updates by %2 SETTING_MODIFICATION
79 Scope: %1 for IPv4 is Updated with DNS Settings by %2: to dynamically update DNS A and PTR records on request by the DHCP Clients SETTING_MODIFICATION
80 Scope: %1 for IPv4 is Updated with DNS Settings by %2: to always dynamically update DNS A and PTR records SETTING_MODIFICATION
81 Scope: %1 for IPv4 is Enabled for DNS Settings by %2: to discard DNS A and PTR records when lease is deleted SETTING_MODIFICATION
82 Scope: %1 for IPv4 is Disabled for DNS Settings by %2: to discard DNS A and PTR records when lease is deleted SETTING_MODIFICATION
83 Scope: %1 for IPv4 is Enabled for DNS Settings by %2: to dynamically update DNS A and PTR records for DHCP Clients that do not request updates SETTING_MODIFICATION
84 Scope: %1 for IPv4 is Disabled for DNS Settings by %2: to dynamically update DNS A and PTR records for DHCP Clients that do not request updates SETTING_MODIFICATION
85 Policy based assignment has been disabled for scope %1 SETTING_MODIFICATION
86 Policy based assignment has been enabled for scope %1 SETTING_MODIFICATION
87 Name Protection setting is Enabled on Scope: %1 for IPv4 by %2 SETTING_MODIFICATION
88 Name Protection setting is Disabled on Scope: %1 for IPv4 by %2 SETTING_MODIFICATION
89 Scope: %1 for IPv4 is Updated with support type: %2 by %3 SETTING_MODIFICATION
90 NAP Enforcement is Enabled on Scope: %1 for IPv4 by %2 SETTING_MODIFICATION
91 NAP Enforcement is Disabled on Scope: %1 for IPv4 by %2 SETTING_MODIFICATION
92 NAP Profile is configured on Scope: %1 for IPv4 with the following NAP Profile: %2 by %3 SETTING_CREATION
93 NAP Profile is Updated on Scope: %1 for IPv4 with the following NAP Profile: %2 by %3. The previous configured NAP Profile was: %4 SETTING_MODIFICATION
94 The following NAP Profile: %1 is deleted on Scope: %2 by %4 SETTING_DELETION
95 Scope: %1 for Multicast IPv4 is Configured by %2 SETTING_CREATION
96 Scope: %1 for Multicast IPv4 is Deleted by %2 SETTING_DELETION
97 Scope: %1 for IPv4 is Added in Superscope: %2 by %3 SETTING_CREATION
98 SuperScope: %1 for IPv4 is Configured by %2 SETTING_CREATION
99 SuperScope: %1 for IPv4 is Deleted by %2 SETTING_DELETION
100 Scope: %1 within SuperScope: %2 for IPv4 is Activated by %3 SETTING_MODIFICATION
101 Scope: %1 within SuperScope: %2 for IPv4 is DeActivated by %3 SETTING_MODIFICATION
102 Scope: %1 for IPv4 is Removed in Superscope: %2 by %3. However, the Scope exists outside the Superscope SETTING_DELETION
103 Scope: %1 for IPv4 is Deleted in Superscope: %2 as well as Deleted permanently by %3 SETTING_DELETION
104 Delay Time: %1 milliseconds for the OFFER message sent by Secondary Servers is Updated on Scope: %2 for IPv4 by %4. The previous configured Delay Time was: %3 milliseconds SETTING_MODIFICATION
105 Server level option %1 for IPv4 has been updated by %2 SETTING_MODIFICATION
106 Reservation: %1 for IPv4 is Configured under Scope %2 by %3 SETTING_CREATION
107 Reservation: %1 for IPv4 is Deleted under Scope %2 by %3 SETTING_DELETION
108 Reservation: %1 for IPv4 under Scope: %2 is Enabled for DNS Dynamic updates by %3 SETTING_MODIFICATION
109 Reservation: %1 for IPv4 under Scope: %2 is Disabled for DNS Dynamic updates by %3 SETTING_MODIFICATION
110 Reservation: %1 for IPv4 under Scope: %2 is Updated with DNS Settings by %3: to dynamically update DNS A and PTR records on request by the DHCP Clients SETTING_MODIFICATION
111 Reservation: %1 for IPv4 under Scope: %2 is Updated with DNS Settings by %3: to always dynamically update DNS A and PTR records SETTING_MODIFICATION
112 Reservation: %1 for IPv4 under Scope: %2 is Enabled for DNS Settings by %3: to discard DNS A and PTR records when lease is deleted SETTING_MODIFICATION
113 Reservation: %1 for IPv4 under Scope: %2 is Disabled for DNS Settings by %3: to discard DNS A and PTR records when lease is deleted SETTING_MODIFICATION
114 Reservation: %1 for IPv4 under Scope: %2 is Enabled for DNS Settings by %3: to dynamically update DNS A and PTR records for DHCP Clients that do not request updates SETTING_MODIFICATION
115 Reservation: %1 for IPv4 under Scope: %2 is Disabled for DNS Settings by %3: to dynamically update DNS A and PTR records for DHCP Clients that do not request updates SETTING_MODIFICATION
116 Reservation: %1 for IPv4 under Scope: %2 is Updated with Option Setting: %3 by %4 SETTING_MODIFICATION
117 Policy based assignment has been disabled at server level SETTING_MODIFICATION
118 Policy based assignment has been enabled at server level SETTING_MODIFICATION
119 Added exclusion IP Address range %1 in the Address Pool for IPv4 under Scope: %2 by %3 SYSTEM_AUDIT_LOG_UNCATEGORIZED
120 Deleted exclusion IP Address range %1 in the Address Pool for IPv4 under Scope: %2 by %3 SYSTEM_AUDIT_LOG_UNCATEGORIZED
121 Link Layer based filtering is Enabled in the Allow List of the IPv4 by %1 SETTING_MODIFICATION
122 Link Layer based filtering is Disabled in the Allow List of the IPv4 by %1 SETTING_MODIFICATION
123 Filter for physical address: %1, hardware type: %3 added to the IPv4 Allow List by %2 SETTING_CREATION
124 Filter for physical address: %1, hardware type: %3 removed from the IPv4 Allow List by %2 SETTING_DELETION
125 Link Layer based filtering is Enabled in the Deny List of the IPv4 by %1 SETTING_MODIFICATION
126 Link Layer based filtering is Disabled in the Deny List of the IPv4 by %1 SETTING_MODIFICATION
127 Filter for physical address: %1, hardware type: %3 added to the IPv4 Deny List by %2 SETTING_CREATION
128 Filter for physical address: %1, hardware type: %3 removed from the IPv4 Deny List by %2 SETTING_DELETION
129 Scope: %1 for IPv6 is Configured by %2 SETTING_CREATION
130 Scope: %1 for IPv6 is Deleted by %2 SETTING_DELETION
131 Scope: %1 for IPv6 is Activated by %2 SETTING_MODIFICATION
132 Scope: %1 for IPv6 is DeActivated by %2 SETTING_MODIFICATION
133 Scope: %1 for IPv6 is Updated with Lease Preferred Lifetime: %2 by %3. The previous configured Lease Preferred Lifetime was: %4 SETTING_MODIFICATION
134 Scope: %1 for IPv6 is Updated with Lease Valid Lifetime: %2 by %3. The previous configured Lease Valid Lifetime was: %4 SETTING_MODIFICATION
135 Scope: %1 for IPv6 is Updated with Option Setting: %2 by %3 SETTING_MODIFICATION
136 Scope: %1 for IPv6 is Enabled for DNS Dynamic updates by %2 SETTING_MODIFICATION
137 Scope: %1 for IPv6 is Disabled for DNS Dynamic updates by %2 SETTING_MODIFICATION
138 Scope: %1 for IPv6 is Updated with DNS Settings by %2: to dynamically update DNS AAAA and PTR records on request by the DHCP Clients SETTING_MODIFICATION
139 Scope: %1 for IPv6 is Updated with DNS Settings by %2: to always dynamically update DNS AAAA and PTR records SETTING_MODIFICATION
140 Scope: %1 for IPv6 is Enabled for DNS Settings by %2: to discard DNS AAAA and PTR records when lease is deleted SETTING_MODIFICATION
141 Scope: %1 for IPv6 is Disabled for DNS Settings by %2: to discard DNS AAAA and PTR records when lease is deleted. SETTING_MODIFICATION
142 Name Protection setting is Enabled on Scope: %1 for IPv6 by %2 SETTING_MODIFICATION
143 Name Protection setting is Disabled on Scope: %1 for IPv6 by %2 SETTING_MODIFICATION
145 Reservation: %1 for IPv6 is Configured under Scope %2 by %3 SETTING_CREATION
147 Reservation: %1 for IPv6 is Deleted under Scope %2 by %3 SETTING_DELETION
148 Reservation: %1 for IPv6 under Scope: %2 is Enabled for DNS Dynamic updates by %3 SETTING_MODIFICATION
149 Reservation: %1 for IPv6 under Scope: %2 is Disabled for DNS Dynamic updates by %3 SETTING_MODIFICATION
150 Reservation: %1 for IPv6 under Scope: %2 is Updated with DNS Settings by %3: to dynamically update DNS AAAA and PTR records on request by the DHCP Clients SETTING_MODIFICATION
151 Reservation: %1 for IPv6 under Scope: %2 is Updated with DNS Settings by %3: to always dynamically update DNS AAAA and PTR records SETTING_MODIFICATION
152 Reservation: %1 for IPv6 under Scope: %2 is Enabled for DNS Settings by %3: to discard DNS AAAA and PTR records when lease is deleted SETTING_MODIFICATION
153 Reservation: %1 for IPv6 under Scope: %2 is Disabled for DNS Settings by %3: to discard DNS AAAA and PTR records when lease is deleted SETTING_MODIFICATION
154 Reservation: %1 for IPv6 under Scope: %2 is Updated with Option Setting: %3 by %4 SETTING_MODIFICATION
155 Added exclusion IP Address range %1 in the Address Pool for IPv6 under Scope: %2 by %3 SYSTEM_AUDIT_LOG_UNCATEGORIZED
156 Deleted exclusion IP Address range %1 in the Address Pool for IPv6 under Scope: %2 by %3 SYSTEM_AUDIT_LOG_UNCATEGORIZED
157 Scope: %1 for IPv6 is Modified by %2 SETTING_MODIFICATION
158 DHCPv6 Stateless client inventory has been enabled for the scope %1 SETTING_MODIFICATION
159 DHCPv6 Stateless client inventory has been disabled for the scope %1 SETTING_MODIFICATION
160 DHCPv6 Stateless client inventory has been enabled for the server SETTING_MODIFICATION
161 DHCPv6 Stateless client inventory has been disabled for the server SETTING_MODIFICATION
162 Purge time interval for DHCPv6 stateless client inventory for scope %1 has been set to %2 hours SETTING_MODIFICATION
163 Purge time interval for DHCPv6 stateless client inventory for server has been set to %1 hours SETTING_MODIFICATION
164 Scope: %1 for IPv4 is Enabled for DNS Settings by %2: to disable dynamic updates for DNS PTR records SETTING_MODIFICATION
165 Scope: %1 for IPv4 is Disabled for DNS Settings by %2: to disable dynamic updates for DNS PTR records SETTING_MODIFICATION
166 Server level option %1 for IPv6 has been updated by %2 SETTING_MODIFICATION
167 Server level option %1 for IPv4 has been removed by %2 SETTING_DELETION
168 Option setting: %2 has been removed from IPv4 scope: %1 by %3 SETTING_DELETION
169 Option setting: %3 has been removed from the reservation: %1 in IPv4 scope: %2 by %4 SETTING_DELETION
170 Server level option %1 for IPv6 has been removed by %2 SETTING_DELETION
171 Option setting: %2 has been removed from IPv6 scope: %1 by %3 SETTING_DELETION
172 Option setting: %3 has been removed from the reservation: %1 in IPv6 scope: %2 by %4 SETTING_DELETION
1000 The DHCP service received the unknown option %1, with a length of %2. The raw option data is given below SYSTEM_AUDIT_LOG_UNCATEGORIZED
1001 The DHCP service failed to register with Service Controller. The following error occurred: %1 SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
1002 The DHCP service failed to initialize its global parameters. The following error occurred: %1 SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
1003 The DHCP service failed to initialize its registry parameters. The following error occurred: %1 SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
1004 The DHCP service failed to initialize the database. The following error occurred: %1 SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
1005 The DHCP service failed to initialize Winsock startup. The following error occurred: %1 SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
1006 The DHCP service failed to start as a RPC server. The following error occurred : %1 SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
1007 The DHCP service failed to initialize Winsock data. The following error occurred: %1 SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
1008 The DHCP service is shutting down due to the following error: %1 SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
1009 The DHCP service encountered the following error while cleaning up the pending client records: %1 SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
1010 The DHCP service encountered the following error while cleaning up the database: %1 SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
1011 The DHCP service issued a NACK (negative acknowledgement message) to the client, %2, for the address, %1 SYSTEM_AUDIT_LOG_UNCATEGORIZED
1012 The DHCP client, %2, declined the address %1 SYSTEM_AUDIT_LOG_UNCATEGORIZED
1013 The DHCP Client, %2, released the address %1 SYSTEM_AUDIT_LOG_UNCATEGORIZED
1016 The DHCP service encountered the following error when backing up the database: %1 SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
1017 The DHCP service encountered the following error when backing up the registry configuration: %1 SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
1018 The DHCP service failed to restore the database. The following error occurred: %1 SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
1019 The DHCP service failed to restore the DHCP registry configuration. The following error occurred: %1 SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
1020 Scope, %1, is %2 percent full with only %3 IP addresses remaining SYSTEM_AUDIT_LOG_UNCATEGORIZED
1021 The DHCP service could not load the JET database library successfully SYSTEM_AUDIT_LOG_UNCATEGORIZED
1022 The DHCP service could not use the database. If this service was started for the first time after the upgrade from NT 3.51 or earlier, you need to run the utility, upg351db.exe, on the DHCP database to convert it to the new JET database format. Restart the DHCP service after you have upgraded the database SYSTEM_AUDIT_LOG_UNCATEGORIZED
1023 The DHCP service will now terminate because the existing database needs conversion to Windows 2000 format. The conversion via the jetconv process, has initiated. Do not reboot or stop the jetconv process. The conversion may take up to 10 minutes depending on the size of the database. Terminate DHCP now by clicking OK. This is required for the database conversion to succeed. NOTE: The DHCP service will be restarted automatically when the conversion is completed. To check conversion status, look at the Application event log for the jetconv process SYSTEM_AUDIT_LOG_UNCATEGORIZED
1024 The DHCP service has initialized and is ready SERVICE_START
1025 The DHCP service was unable to read the BOOTP file table from the registry. The DHCP service will be unable to respond to BOOTP requests that specify the boot file name SYSTEM_AUDIT_LOG_UNCATEGORIZED
1026 The DHCP service was unable to read the global BOOTP file name from the registry SYSTEM_AUDIT_LOG_UNCATEGORIZED
1027 The audit log file cannot be appended SYSTEM_AUDIT_LOG_UNCATEGORIZED
1028 The DHCP service failed to initialize the audit log. The following error occurred: %1 SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
1029 The DHCP service was unable to ping for a new IP address. The address was leased to the client SYSTEM_AUDIT_LOG_UNCATEGORIZED
1030 The audit log file could not be backed up. The following error occurred: %1 SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
1031 The installed server callout .dll file has caused an exception. The exception was: %1. The server has ignored this exception. All further exceptions will be ignored SYSTEM_AUDIT_LOG_UNCATEGORIZED
1032 The installed server callout .dll file has caused an exception. The exception was: %1. The server has ignored this exception and the .dll file could not be loaded SYSTEM_AUDIT_LOG_UNCATEGORIZED
1033 The DHCP service has successfully loaded one or more callout DLLs SYSTEM_AUDIT_LOG_UNCATEGORIZED
1034 The DHCP service has failed to load one or more callout DLLs. The following error occurred: %1 SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
1035 The DHCP service was unable to create or lookup the DHCP Users local group on this computer. The error code is in the data SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
1036 The DHCP server was unable to create or lookup the DHCP Administrators local group on this computer. The error code is in the data SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
1037 The DHCP service has started to clean up the database SYSTEM_AUDIT_LOG_UNCATEGORIZED
1038 The DHCP service has cleaned up the database for unicast IP addresses -- %1 leases have been recovered and %2 records have been removed from the database SYSTEM_AUDIT_LOG_UNCATEGORIZED
1039 The DHCP service has cleaned up the database for multicast IP addresses -- %1 leases have expired (been marked for deletion) and %2 records have been removed from the database SYSTEM_AUDIT_LOG_UNCATEGORIZED
1040 The DHCP service successfully restored the database SYSTEM_AUDIT_LOG_UNCATEGORIZED
1041 The DHCP service is not servicing any DHCPv4 clients because none of the active network interfaces have statically configured IPv4 addresses, or there are no active interfaces SYSTEM_AUDIT_LOG_UNCATEGORIZED
1042 The DHCP/BINL service running on this machine has detected a server on the network. If the server does not belong to any domain, the domain is listed as empty. The IP address of the server is listed in parentheses. %1 SYSTEM_AUDIT_LOG_UNCATEGORIZED
1043 The DHCP/BINL service on the local machine has determined that it is authorized to start. It is servicing clients now SYSTEM_AUDIT_LOG_UNCATEGORIZED
1044 The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain %2, has determined that it is authorized to start. It is servicing clients now SYSTEM_AUDIT_LOG_UNCATEGORIZED
1045 The DHCP/BINL service on the local machine has determined that it is not authorized to start. It has stopped servicing clients. The following are some possible reasons for this: This machine belongs to a workgroup and has encountered another DHCP Server (belonging to a Windows Administrative Domain) servicing the same network. An unexpected network error occurred SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
1046 The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain %2, has determined that it is not authorized to start. It has stopped servicing clients. The following are some possible reasons for this: This machine is part of a directory service enterprise and is not authorized in the same domain. (See help on the DHCP Service Management Tool for additional information). This machine cannot reach its directory service enterprise and it has encountered another DHCP service on the network belonging to a directory service enterprise on which the local machine is not authorized. Some unexpected network error occurred. SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
1047 The DHCP/BINL service on the local machine has determined that it is authorized to start. It is servicing clients now. The DHCP/BINL service has determined that the machine was recently upgraded. If the machine is intended to belong to a directory service enterprise, the DHCP service must be authorized in the directory service for it to start servicing clients. (See help on DHCP Service Management Tool for authorizing the server) SYSTEM_AUDIT_LOG_UNCATEGORIZED
1048 The DHCP/BINL Service on the local machine, belonging to Windows Domain %2, has determined that it is authorized to start. It is servicing clients now. It has determined that the computer was recently upgraded. It has also determined that either there is no directory service enterprise for the domain or that the computer is not authorized in the directory service. All DHCP services that belong to a directory service enterprise should be authorized in the directory service to service clients. (See help on the DHCP Service Management Tool for authorizing a DHCP service in the directory service) SYSTEM_AUDIT_LOG_UNCATEGORIZED
1049 The DHCP/BINL service on the local machine encountered an error while trying to find the domain of the local machine. The error was: %3 SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
1050 The DHCP/BINL service on the local machine encountered a network error. The error was: %3 SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
1051 The DHCP/BINL service has determined that it is not authorized to service clients on this network for the Windows domain: %2. All DHCP services that belong to a directory service enterprise must be authorized in the directory service to service clients. (See help on the DHCP Service Management Tool for authorizing a DHCP server in the directory service) SYSTEM_AUDIT_LOG_UNCATEGORIZED
1052 The DHCP/BINL service on this workgroup server has encountered another server with IP Address, %1, belonging to the domain %2 SYSTEM_AUDIT_LOG_UNCATEGORIZED
1053 The DHCP/BINL service has encountered another server on this network with IP Address, %1, belonging to the domain: %2 SYSTEM_AUDIT_LOG_UNCATEGORIZED
1054 The DHCP/BINL service on this computer is shutting down. See the previous event log messages for reasons SYSTEM_AUDIT_LOG_UNCATEGORIZED
1055 The DHCP service was unable to impersonate the credentials necessary for DNS registrations: %1. The local system credentials is being used SYSTEM_AUDIT_LOG_UNCATEGORIZED
1056 The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCP service. This is not a recommended security configuration. Credentials for Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the DHCP Administrative tool SYSTEM_AUDIT_LOG_UNCATEGORIZED
1057 The DHCP service was unable to convert the temporary database to ESE format: %1. SYSTEM_AUDIT_LOG_UNCATEGORIZED
1058 The DHCP service failed to initialize its configuration parameters. The following error occurred: %1 SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
1059 The DHCP service failed to see a directory server for authorization SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
1060 The DHCP service was unable to access path specified for the audit log SYSTEM_AUDIT_LOG_UNCATEGORIZED
1061 The DHCP service was unable to access path specified for the database backups SYSTEM_AUDIT_LOG_UNCATEGORIZED
1062 The DHCP service was unable to access path specified for the database SYSTEM_AUDIT_LOG_UNCATEGORIZED
1063 There are no IP addresses available for lease in the scope or superscope "%1" SYSTEM_AUDIT_LOG_UNCATEGORIZED
1064 There are no IP addresses available for BOOTP clients in the scope or superscope "%1" SYSTEM_AUDIT_LOG_UNCATEGORIZED
1065 There were some orphaned entries deleted in the configuration due to the deletion of a class or an option definition. Please recheck the server configuration SYSTEM_AUDIT_LOG_UNCATEGORIZED
1144 This computer has at least one dynamically assigned IP address. For reliable DHCP Server operation, you should use only static IP addresses SYSTEM_AUDIT_LOG_UNCATEGORIZED
1338 The number of pending DHCPOFFER messages for delayed transmission to the client has exceeded the server's capacity of 1000 pending messages. The DHCP server will drop all subsequent DHCPDISCOVER messages for which the DHCPOFFER message response needs to be delayed as per the server configuration. The DHCP server will continue to process DHCPDISCOVER messages for which the DHCPOFFER message responses do not need to be delayed. The DHCP server will resume processing all DHCPDISCOVER messages once the number of pending DHCPOFFER messages for delayed transmission to the client is below the server's capacity SYSTEM_AUDIT_LOG_UNCATEGORIZED
1339 The number pending DHCPOFFER messages for delayed transmission to the client is now below the server's capacity of 1000. The DHCP server will now resume processing all DHCPDISCOVER messages SYSTEM_AUDIT_LOG_UNCATEGORIZED
1340 The DNS registration for DHCPv4 Client IP address %1 , FQDN %2 and DHCID %3 has been denied as there is probably an existing client with same FQDN already registered with DNS SYSTEM_AUDIT_LOG_UNCATEGORIZED
1341 There are no IP addresses available for lease in IP address range(s) of the policy %1 in scope %2 SYSTEM_AUDIT_LOG_UNCATEGORIZED
1342 IP address range of scope %1 is out of IP addresses SYSTEM_AUDIT_LOG_UNCATEGORIZED
1343 Ip address range(s) for the scope %1 policy %2 is %3 percent full with only %4 IP addresses available SYSTEM_AUDIT_LOG_UNCATEGORIZED
1344 The DNS IP Address %1 is not a valid DNS Server Address SYSTEM_AUDIT_LOG_UNCATEGORIZED
1376 IP address range of scope %1 is %2 percent full with only %3 IP addresses available SYSTEM_AUDIT_LOG_UNCATEGORIZED
1377 SuperScope, %1, is %2 percent full with only %3 IP addresses remaining. This superscope has the following scopes %4 SYSTEM_AUDIT_LOG_UNCATEGORIZED
10000 DHCPv6 confirmation has been declined because the address was not appropriate to the link or DHCPv6 renew request has a Zero lifetime for Client Address %1 SYSTEM_AUDIT_LOG_UNCATEGORIZED
10001 Renew, rebind or confirm received for IPv6 addresses %1 for which there are no active lease available SYSTEM_AUDIT_LOG_UNCATEGORIZED
10002 DHCPv6 service received the unknown option %1, with a length of %2. The raw option data is given below SYSTEM_AUDIT_LOG_UNCATEGORIZED
10003 There are no IPv6 addresses available to lease in the scope serving the network with Prefix %1 SYSTEM_AUDIT_LOG_UNCATEGORIZED
10004 The DHCPv6 client, %2, declined the address %1 SYSTEM_AUDIT_LOG_UNCATEGORIZED
10005 DHCPv6 Scope serving the network with prefix %1, is %2 percent full with only %3 IP addresses remaining SYSTEM_AUDIT_LOG_UNCATEGORIZED
10006 A DHCPV6 client %1 has been deleted from DHCPV6 database. SYSTEM_AUDIT_LOG_UNCATEGORIZED
10007 A DHCPV6 message that was in the queue for more than 30 seconds has been dropped because it is too old to process SYSTEM_AUDIT_LOG_UNCATEGORIZED
10008 An invalid DHCPV6 message has been dropped SYSTEM_AUDIT_LOG_UNCATEGORIZED
10009 A DHCPV6 message that was not meant for this server has been dropped SYSTEM_AUDIT_LOG_UNCATEGORIZED
10010 DHCV6 message has been dropped because it was received on a Uni-cast address and unicast support is disabled on the server SYSTEM_AUDIT_LOG_UNCATEGORIZED
10011 DHCPV6 audit log file cannot be appended, Error Code returned %1 SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
10012 A DHCPV6 message has been dropped because the server is not authorized to process the message SYSTEM_AUDIT_LOG_UNCATEGORIZED
10013 The DHCPv6 service failed to initialize the audit log. The following error occurred: %1 SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
10014 DHCPv6 audit log file could not be backed up. Error code %1 SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
10015 The DHCPv6 service was unable to access path specified for the audit log SYSTEM_AUDIT_LOG_UNCATEGORIZED
10016 The DHCPv6 service failed to initialize Winsock startup. The following error occurred %1 SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
10017 The DHCPv6 service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCPv6 service. This is not a recommended security configuration SYSTEM_AUDIT_LOG_UNCATEGORIZED
10018 The DHCPv6 Server failed to receive a notification of interface list changes. Some of the interfaces will not be enabled in the DHCPv6 service SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
10019 The DHCPv6 service failed to initialize its configuration parameters. The following error occurred: %1. SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
10020 This computer has at least one dynamically assigned IPv6 address. For reliable DHCPv6 server operation, you should use only static IPv6 addresses SYSTEM_AUDIT_LOG_UNCATEGORIZED
10021 DHCPv6 service failed to initialize the database. The following error occurred: %1 SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
10022 The DHCPv6 service has initialized and is ready to serve SYSTEM_AUDIT_LOG_UNCATEGORIZED
10023 DHCPv6 Server is unable to bind to UDP port number %1 as it is used by another application. This port must be made available to DHCPv6 Server to start servicing the clients SYSTEM_AUDIT_LOG_UNCATEGORIZED
10024 ERROR_LAST_DHCPV6_SERVER_ERROR GENERIC_EVENT The UDM field is_alert is set to true.
10025 The DNS registration for DHCPv6 Client IPv6 address %1 , FQDN %2 and DHCID %3 has been denied as there is probably an existing client with same FQDN already registered with DNS. SYSTEM_AUDIT_LOG_UNCATEGORIZED
20090 DHCP Server is unable to bind to UDP port number %1 as it is used by another application. This port must be made available to DHCP Server to start servicing the clients SYSTEM_AUDIT_LOG_UNCATEGORIZED
20096 DHCP Services were denied to machine with hardware address %1, hardware type %4 and FQDN/Hostname %2 because it matched entry %3 in the Deny List SYSTEM_AUDIT_LOG_UNCATEGORIZED
20097 DHCP Services were denied to machine with hardware address %1, hardware type %3 and FQDN/Hostname %2 because it did not match any entry in the Allow List SYSTEM_AUDIT_LOG_UNCATEGORIZED
20098 No DHCP clients are being served, as the Allow list is empty and the server was configured to provide DHCP services, to clients whose hardware addresses are present in the Allow List GENERIC_EVENT
20099 DHCP Services were denied to machine with hardware address %1, hardware type %4 and unspecified FQDN/Hostname%2 because it matched entry %3 in the Deny List SYSTEM_AUDIT_LOG_UNCATEGORIZED
20100 DHCP Services were denied to machine with hardware address %1, hardware type %3 and unspecified FQDN/Hostname%2 because it did not match any entry in the Allow List SYSTEM_AUDIT_LOG_UNCATEGORIZED
20162 Scavenger started purging stateless entries SYSTEM_AUDIT_LOG_UNCATEGORIZED
20220 Policy %2 for server is %1 SETTING_CREATION
20221 Policy %2 for scope %3 is %1 SETTING_CREATION
20222 The conditions for server policy %3 have been set to %1. The conditions are grouped by logical operator %2 SETTING_MODIFICATION
20223 The conditions for scope %4 policy %3 have been set to %1. The conditions are grouped by logical operator %2 SETTING_MODIFICATION
20224 A new server wide IPv4 policy %1 was created. The processing order of the policy is %2 SETTING_CREATION
20225 A new scope policy %1 was created in scope %3. The processing order of the policy is %2 SETTING_CREATION
20226 Policy %1 was deleted from server SETTING_DELETION
20227 Policy %1 was deleted from scope %2 SETTING_DELETION
20228 The IP address range from %1 was set for the scope %3 policy %2 SYSTEM_AUDIT_LOG_UNCATEGORIZED
20229 The IP address range from %1 was removed from the scope %3 policy %2 SYSTEM_AUDIT_LOG_UNCATEGORIZED
20230 The value %2 was set for the option %1 for the server policy %3 SYSTEM_AUDIT_LOG_UNCATEGORIZED
20231 The value %2 was set for the option %1 for the scope %4 policy %3 SYSTEM_AUDIT_LOG_UNCATEGORIZED
20232 The value %2 was removed from the option %1 for the server policy %3 SYSTEM_AUDIT_LOG_UNCATEGORIZED
20233 The value %2 was removed from the option %1 for the scope %4 policy %3 SYSTEM_AUDIT_LOG_UNCATEGORIZED
20234 Server policy %2 has been renamed to %1 SETTING_MODIFICATION
20235 Scope %3 policy %2 has been renamed to %1 SETTING_MODIFICATION
20236 Description of server policy %2 was set to %1 SYSTEM_AUDIT_LOG_UNCATEGORIZED
20237 Description of scope %3 policy %2 was set to %1 SYSTEM_AUDIT_LOG_UNCATEGORIZED
20238 Processing order of server policy %3 was changed to %1 from %2 SETTING_MODIFICATION
20239 Processing order of scope %4 policy %3 was changed to %1 from %2 SETTING_MODIFICATION
20240 A failover relationship has been created between servers %1 and %2 with the following configuration parameters: name: %3, mode: load balance, maximum client lead time: %4 seconds, load balance percentage on this server: %5, auto state switchover interval: %6 seconds SETTING_CREATION
20241 A failover relationship has been created between servers %1 and %2 with the following configuration parameters: name: %3, mode: hot standby, maximum client lead time: %4 seconds, reserve address percentage on standby server: %5, auto state switchover interval: %6 seconds, standby server: %7 SETTING_CREATION
20242 Failover relationship %1 between %2 and %3 has been deleted SETTING_DELETION
20243 Scope %1 has been added to the failover relationship %2 with server %3 SETTING_MODIFICATION
20244 Scope %1 has been removed from the failover relationship %2 with server %3 SETTING_MODIFICATION
20245 The failover configuration parameter MCLT for failover relationship %1 with server %2 has been changed from %3 seconds to %4 seconds SETTING_MODIFICATION
20246 The failover configuration parameter auto switch over interval for failover relationship %1 with server %2 has been changed from %3 seconds to %4 seconds SETTING_MODIFICATION
20247 The failover configuration parameter reserve address percentage for failover relationship %1 with server %2 has been changed from %3 to %4 SETTING_MODIFICATION
20248 The failover configuration parameter load balance percentage for failover relationship %1 with server %2 has been changed from %3 to %4 on this server SETTING_MODIFICATION
20249 The failover configuration parameter mode for failover relationship %1 with server %2 has been changed from hot standby to load balance SETTING_MODIFICATION
20250 The failover configuration parameter mode for failover relationship %1 with server %2 has been changed from load balance to hot standby SETTING_MODIFICATION
20251 The failover state of server: %1 for failover relationship: %2 changed from: %3 to %4 SYSTEM_AUDIT_LOG_UNCATEGORIZED
20252 The failover state of server: %1 for failover relationship: %2 changed from: %3 to %4 SYSTEM_AUDIT_LOG_UNCATEGORIZED
20253 The server detected that it is out of time synchronization with partner server: %1 for failover relationship: %2. The time is out of sync by: %3 seconds SYSTEM_AUDIT_LOG_UNCATEGORIZED
20254 Server has established contact with failover partner server %1 for relationship %2 SYSTEM_AUDIT_LOG_UNCATEGORIZED
20255 Server has lost contact with failover partner server %1 for relationship %2 SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
20256 Failover protocol message BINDING-UPDATE from server %1 for failover relationship %2 was rejected because message digest failed to compare SYSTEM_AUDIT_LOG_UNCATEGORIZED
20257 Failover protocol message BINDING-UPDATE from server %1 for failover relationship %2 was rejected because message digest was not configured SYSTEM_AUDIT_LOG_UNCATEGORIZED
20258 Failover protocol message BINDING-UPDATE from server %1 for failover relationship %2 is rejected because message digest was not present SYSTEM_AUDIT_LOG_UNCATEGORIZED
20259 The failover state of server: %1 for failover relationship: %2 changed to : %3 SYSTEM_AUDIT_LOG_UNCATEGORIZED
20260 The failover state of server: %1 for failover relationship: %2 changed to: %3 SYSTEM_AUDIT_LOG_UNCATEGORIZED
20261 Failover protocol message BINDING-ACK from server %1 for failover relationship %2 was rejected because message digest failed to compare SYSTEM_AUDIT_LOG_UNCATEGORIZED
20262 Failover protocol message BINDING-ACK from server %1 for failover relationship %2 was rejected because message digest was not configured SYSTEM_AUDIT_LOG_UNCATEGORIZED
20263 Failover protocol message BINDING-ACK from server %1 for failover relationship %2 is rejected because message digest was not present SYSTEM_AUDIT_LOG_UNCATEGORIZED
20264 Failover protocol message CONNECT from server %1 for failover relationship %2 was rejected because message digest failed to compare SYSTEM_AUDIT_LOG_UNCATEGORIZED
20265 Failover protocol message CONNECT from server %1 for failover relationship %2 was rejected because message digest was not configured SYSTEM_AUDIT_LOG_UNCATEGORIZED
20266 Failover protocol message CONNECT from server %1 for failover relationship %2 is rejected because message digest was not present SYSTEM_AUDIT_LOG_UNCATEGORIZED
20267 Failover protocol message CONNECTACK from server %1 for failover relationship %2 was rejected because message digest failed to compare SYSTEM_AUDIT_LOG_UNCATEGORIZED
20268 Failover protocol message CONNECTACK from server %1 for failover relationship %2 was rejected because message digest was not configured SYSTEM_AUDIT_LOG_UNCATEGORIZED
20269 Failover protocol message CONNECTACK from server %1 for failover relationship %2 is rejected because message digest was not present SYSTEM_AUDIT_LOG_UNCATEGORIZED
20270 Failover protocol message UPDREQALL from server %1 for failover relationship %2 was rejected because message digest failed to compare SYSTEM_AUDIT_LOG_UNCATEGORIZED
20271 Failover protocol message UPDREQALL from server %1 for failover relationship %2 was rejected because message digest was not configured SYSTEM_AUDIT_LOG_UNCATEGORIZED
20272 Failover protocol message UPDREQALL from server %1 for failover relationship %2 is rejected because message digest was not present SYSTEM_AUDIT_LOG_UNCATEGORIZED
20273 Failover protocol message UPDDONE from server %1 for failover relationship %2 was rejected because message digest failed to compare SYSTEM_AUDIT_LOG_UNCATEGORIZED
20274 Failover protocol message UPDDONE from server %1 for failover relationship %2 was rejected because message digest was not configured SYSTEM_AUDIT_LOG_UNCATEGORIZED
20275 Failover protocol message UPDDONE from server %1 for failover relationship %2 is rejected because message digest was not present SYSTEM_AUDIT_LOG_UNCATEGORIZED
20276 Failover protocol message UPDREQ from server %1 for failover relationship %2 was rejected because message digest failed to compare SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
20277 Failover protocol message UPDREQ from server %1 for failover relationship %2 was rejected because message digest was not configured SYSTEM_AUDIT_LOG_UNCATEGORIZED
20278 Failover protocol message UPDREQ from server %1 for failover relationship %2 is rejected because message digest was not present SYSTEM_AUDIT_LOG_UNCATEGORIZED
20279 Failover protocol message STATE from server %1 for failover relationship %2 was rejected because message digest failed to compare SYSTEM_AUDIT_LOG_UNCATEGORIZED
20280 Failover protocol message STATE from server %1 for failover relationship %2 was rejected because message digest was not configured SYSTEM_AUDIT_LOG_UNCATEGORIZED
20281 Failover protocol message STATE from server %1 for failover relationship %2 is rejected because message digest was not present SYSTEM_AUDIT_LOG_UNCATEGORIZED
20282 Failover protocol message CONTACT from server %1 for failover relationship %2 was rejected because message digest failed to compare SYSTEM_AUDIT_LOG_UNCATEGORIZED
20283 Failover protocol message CONTACT from server %1 for failover relationship %2 was rejected because message digest was not configured SYSTEM_AUDIT_LOG_UNCATEGORIZED
20284 Failover protocol message CONTACT from server %1 for failover relationship %2 is rejected because message digest was not present SYSTEM_AUDIT_LOG_UNCATEGORIZED
20285 An invalid cryptographic algorithm %1 was specified for failover message authentication in FailoverCryptoAlgorithm under registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters\Failover. The operation is halted SYSTEM_AUDIT_LOG_UNCATEGORIZED
20286 BINDING UPDATE message for IP address %1 could not be replicated to the partner server %2 of failover relation %3 as the internal BINDING UPDATE queue is full SYSTEM_AUDIT_LOG_UNCATEGORIZED
20287 DHCP client request from %1 was dropped since the applicable IP address ranges in scope/superscope %2 are out of available IP addresses. This could be because of IP address ranges of a policy being out of available IP addresses SYSTEM_AUDIT_LOG_UNCATEGORIZED
20288 This DHCP server %1 has transitioned to a PARTNER DOWN state for the failover relationship %2 and the MCLT period of %3 seconds has expired. The server has taken over the free IP address pool of the partner server %4 for all scopes which are part of the failover relationship SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
20289 A BINDING-UPDATE message with transaction id: %1 was sent for IP address: %2 with binding status: %3 to partner server: %4 for failover relationship: %5 SYSTEM_AUDIT_LOG_UNCATEGORIZED
20290 A BINDING-UPDATE message with transaction id: %1 was received for IP address: %2 with binding status: %3 from partner server: %4 for failover relationship: %5 SYSTEM_AUDIT_LOG_UNCATEGORIZED
20291 A BINDING-ACK message with transaction id: %1 was sent for IP address: %2 with reject reason: (%3) to partner server: %4 for failover relationship: %5 SYSTEM_AUDIT_LOG_UNCATEGORIZED
20292 A BINDING-ACK message with transaction id: %1 was received for IP address: %2 with reject reason: (%3 ) from partner server: %4 for failover relationship: %5 SYSTEM_AUDIT_LOG_UNCATEGORIZED
20311 The shared secret for failover relationship %2 with server %1 has been changed SETTING_MODIFICATION
20312 Message authentication for failover relationship %2 with server %1 has been enabled SETTING_MODIFICATION
20313 Message authentication for failover relationship %2 with server %1 has been disabled SETTING_MODIFICATION
20315 DNSSuffix of scope %3 policy %2 was set to %1 SETTING_MODIFICATION
20316 DNSSuffix of server policy %2 was set to %1 SETTING_MODIFICATION
20317 SYSTEM_AUDIT_LOG_UNCATEGORIZED
20318 Forward record registration for IPv4 address %1 and FQDN %2 failed with error %3 SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
20319 Forward record registration for IPv4 address %1 and FQDN %2 failed with error %3 (%4). SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
20320 PTR record registration for IPv4 address %1 and FQDN %2 failed with error %3. This is likely to be because the reverse lookup zone for this record does not exist on the DNS server SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
20321 PTR record registration for IPv4 address %1 and FQDN %2 failed with error %3 SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
20322 PTR record registration for IPv4 address %1 and FQDN %2 failed with error %3 (%4). SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
20323 Forward record registration for IPv6 address %1 and FQDN %2 failed with error %3. This is likely to be because the forward lookup zone for this record does not exist on the DNS server SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
20324 Forward record registration for IPv6 address %1 and FQDN %2 failed with error %3 SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
20325 Forward record registration for IPv6 address %1 and FQDN %2 failed with error %3 (%4) SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
20326 PTR record registration for IPv6 address %1 and FQDN %2 failed with error %3. This is likely to be because the reverse lookup zone for this record does not exist on the DNS server SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
20327 PTR record registration for IPv6 address %1 and FQDN %2 failed with error %3 SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.
20328 PTR record registration for IPv6 address %1 and FQDN %2 failed with error %3 (%4) SYSTEM_AUDIT_LOG_UNCATEGORIZED The UDM field is_alert is set to true.