
Collect Windows DHCP and DNS Logs with Event Trace

Example configuration steps for capturing Windows DHCP and DNS logs using the Windows Event Trace (ETW) source.

This guide demonstrates how to configure the Windows Event Trace source in Bindplane to capture DHCP and DNS logs. The Windows Event Trace source reads events directly from Event Tracing for Windows (ETW) providers, enabling you to ingest logs that aren't written to standard event channels.

Prerequisites

  • Bindplane collector version supporting the Windows Event Trace source (v1.75.0 or later)
  • Administrative privileges on the Windows host
  • The DHCP and DNS ETW providers enabled

note

The Windows Event Trace source is experimental and may impact system performance if too many providers are enabled. Start with the minimal providers necessary for your use case.

Steps

  1. Create or edit a configuration in Bindplane.

  2. Add Source and select Windows Event Trace.

  3. In the Providers field, specify the DHCP and DNS providers, one per line:

    Microsoft-Windows-DHCP-Server
    Microsoft-Windows-DNS-Server

  4. Configure other fields as needed (such as Session Name or Level). The defaults typically work for most environments.

  5. Save the configuration and apply it to a collector running on Windows.

  6. Roll out the configuration. Once the collector loads the new config, DHCP and DNS events will appear in your destination platform.

For reference, the provider names above can be verified on the Windows host by running:

```powershell
logman query providers Microsoft-Windows-DHCP-Server
logman query providers Microsoft-Windows-DNS-Server
```

Troubleshooting

If logs are not appearing:

  • Ensure the collector service account has permission to create ETW sessions.
  • Confirm the provider names are correct and available on the host with logman query providers.
  • Review the collector logs for errors related to ETW session creation.
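The provider and session checks from the list above, as an added PowerShell script that is not part of the Bindplane documentation. It assumes an elevated prompt, uses the same logman commands as the guide, and takes a placeholder for the Session Name you configured on the source.

```powershell
# Added example (not Bindplane's own code): checks that the DHCP and DNS ETW
# providers from this guide are registered on the host and whether a running
# ETW trace session matches the Session Name configured on the source.
# Assumptions: run from an elevated PowerShell prompt; $SessionName is a
# placeholder to replace with the Session Name field from your configuration.
param(
    [string[]]$Providers = @('Microsoft-Windows-DHCP-Server', 'Microsoft-Windows-DNS-Server'),
    [string]$SessionName = 'YOUR-SESSION-NAME'   # placeholder, not a real default
)

# logman exits non-zero when the named provider is not registered on this host,
# so the exit code is enough to tell a typo from a missing provider.
function Test-EtwProvider {
    param([string]$Name)
    $null = & logman.exe query providers $Name 2>&1
    return ($LASTEXITCODE -eq 0)
}

# ETW session creation requires administrative rights (see Prerequisites).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal] $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning 'Not running elevated; ETW session creation by this account may fail.'
}

foreach ($p in $Providers) {
    if (Test-EtwProvider -Name $p) {
        Write-Host "OK      provider registered: $p"
    } else {
        Write-Warning "MISSING provider not found on this host: $p"
    }
}

# 'logman query -ets' lists the trace sessions currently running; the collector's
# session should appear here once the configuration has been rolled out.
$running = & logman.exe query -ets 2>&1
if ($running -match [regex]::Escape($SessionName)) {
    Write-Host "OK      ETW session '$SessionName' is running"
} else {
    Write-Warning "ETW session '$SessionName' is not running; review the collector logs for session errors"
}
```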

For more details on the source fields, see the Windows Event Trace source documentation.