# Collect Windows DHCP and DNS Logs with Event Trace

This guide demonstrates how to configure the **Windows Event Trace** source in Bindplane to capture DHCP and DNS logs. The Windows Event Trace source reads events directly from [Event Tracing for Windows (ETW)](https://learn.microsoft.com/en-us/windows-hardware/test/weg/instrumenting-your-code-with-etw) providers, enabling you to ingest logs that aren't written to standard event channels.

### Prerequisites

* Bindplane collector version supporting the Windows Event Trace source (v1.75.0 or later)
* Administrative privileges on the Windows host
* The DHCP and DNS ETW providers enabled

{% hint style="info" %}
**NOTE**

The Windows Event Trace source may impact system performance if too many providers are enabled. Start with the minimal providers necessary for your use case. You may need to adjust the configuration if you are sending a large amount of data.
{% endhint %}

### Steps

1. **Create or edit a configuration** in Bindplane.
2. **Add Source** and select **Windows Event Trace**.
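3. You may need to adjust the permissions on the DNS Server Audit log channel. You can do that by running the commands below. The first command enables the channel; the second sets the channel's access control list (SDDL) so that Local System (`SY`) has read access (`0x1`).

   ```
   wevtutil set-log "Microsoft-Windows-DNSServer/Audit" /e:true
   wevtutil sl "Microsoft-Windows-DNSServer/Audit" /ca:"O:BAG:BAD:(A;;0x1;;;SY)"
   ```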
4. In the **Providers** field, specify the DHCP and DNS providers:

   ```
   Microsoft-Windows-DHCP-Server
   ```

   ```
   Microsoft-Windows-DNSServer
   ```
5. Configure other fields as needed (such as `Session Name` or `Level`). The defaults typically work for most environments.
6. **Save** the configuration and apply it to a collector running on Windows.
7. **Roll out** the configuration. Once the collector loads the new config, DHCP and DNS events will appear in your destination platform.

For reference, the provider names above can be verified on the Windows host by running:

```powershell
logman query providers Microsoft-Windows-DHCP-Server
logman query providers Microsoft-Windows-DNSServer
```

### Troubleshooting

If logs are not appearing:

* Ensure the collector service account has permission to create ETW sessions.
* Confirm the provider names are correct and available on the host with `logman query providers`.
* Review the collector logs for errors related to ETW session creation.
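
A preflight script covering the host-side checks above, as an added example that is not part of the Bindplane documentation. `$SessionName` is a placeholder to fill in with the session name from your own source configuration; the script only reads state and changes nothing.

```powershell
# Added example: preflight check for the providers and channel named in this guide.
# Run from an elevated PowerShell prompt on the DHCP/DNS server.
$SessionName  = ''   # Assumption: the Session Name set in the Bindplane source, if any
$providers    = 'Microsoft-Windows-DHCP-Server', 'Microsoft-Windows-DNSServer'
$auditChannel = 'Microsoft-Windows-DNSServer/Audit'
$problems     = @()

foreach ($name in $providers) {
    # Same query as in the guide; the provider name appears in the output when it is registered.
    $out = logman query providers $name 2>&1 | Out-String
    if ($LASTEXITCODE -eq 0 -and $out -match [regex]::Escape($name)) {
        Write-Output "OK    provider registered: $name"
    } else {
        $problems += "provider not registered on this host: $name"
    }
}

# The audit channel must exist and be enabled (the guide's wevtutil /e:true step).
$log = Get-WinEvent -ListLog $auditChannel -ErrorAction SilentlyContinue
if (-not $log) {
    $problems += "channel not found: $auditChannel"
} else {
    if (-not $log.IsEnabled) { $problems += "channel is disabled: $auditChannel" }
    # Print the channel ACL so it can be compared with the SDDL set in step 3.
    Write-Output "INFO  channel SDDL: $($log.SecurityDescriptor)"
}

# With the collector running, its ETW session should be listed among active sessions.
if ($SessionName) {
    $sessions = logman query -ets 2>&1 | Out-String
    if ($sessions -match [regex]::Escape($SessionName)) {
        Write-Output "OK    ETW session active: $SessionName"
    } else {
        $problems += "no active ETW session named: $SessionName"
    }
}

if ($problems.Count -eq 0) {
    Write-Output 'All checks passed.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```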

For more details on the source fields, see the [Windows Event Trace source documentation](/integrations/sources/windows-event-trace-etw.md).


