Collect Windows DHCP and DNS Logs with Event Trace

This guide demonstrates how to configure the Windows Event Trace source in Bindplane to capture DHCP and DNS logs. The Windows Event Trace source reads events directly from Event Tracing for Windows (ETW) providers, enabling you to ingest logs that aren't written to standard event channels.

Prerequisites

• Bindplane collector version supporting the Windows Event Trace source (v1.75.0 or later)

• Administrative privileges on the Windows host

• The DHCP and DNS ETW providers enabled

Steps

1. Create or edit a configuration in Bindplane.

2. Add Source and select Windows Event Trace.

3. You may need to adjust the permissions on the Audit log DNS channel. You can do that by running:

   1. Copy

      wevtutil set-log "Microsoft-Windows-DNSServer/Audit" /e:true
      wevtutil sl "Microsoft-Windows-DNSServer/Audit" /ca:"O:BAG:BAD:(A;;0x1;;;SY)"

4. In the Providers field, specify the DHCP and DNS providers:

   1. Copy

      Microsoft-Windows-DHCP-Server

      Copy

      Microsoft-Windows-DNSServer

5. Configure other fields as needed (such as Session Name or Level). The defaults typically work for most environments.

6. Save the configuration and apply it to a collector running in Windows.

7. Roll out the configuration. Once the collector loads the new config, DHCP and DNS events will appear in your destination platform.

For reference, the provider names above can be verified on the Windows host by running:

Troubleshooting

If logs are not appearing:

• Ensure the collector service account has permission to create ETW sessions.

• Confirm the provider names are correct and available on the host with logman query providers.

• Review the collector logs for errors related to ETW session creation.

For more details on the source fields, see the Windows Event Trace source documentation.