Configuring DHCP Activity - BlueCat Integrity - 9.5.0

Address Manager Administration Guide


The following section outlines the steps to configure DHCP Activity.

To configure DHCP Activity on a DNS/DHCP Server:

  1. From the configuration drop-down menu, select a configuration.
  2. Select the Servers tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Configuration information page.
  3. Under Servers, click the name of a BDDS. The Details tab for the server opens.
  4. Click the server name menu and select Service Configuration.
  5. From the Service Type drop-down menu, select DHCP Activity under the Health Telemetry section. Address Manager queries the server and returns the current values for the service settings.
  6. Under General Settings, set the following parameters:
    • Enable DHCP Activity—select this check box to enable DHCP Activity service; deselect this check box to disable DHCP Activity service.
      Note: When you enable DHCP Activity, the firewall rules on the DNS/DHCP Server are modified to allow egress to the specified URI endpoint. Outbound traffic is allowed for the specified IP address.
    • Under Protocols, select the DHCPv4 check box to retrieve DHCPv4 activity information or select the DHCPv6 check box to retrieve DHCPv6 activity information.
    • Output Type—select where the DHCP Activity data will be logged. You can log data to an HTTP endpoint, Splunk server, Kafka cluster, or Elasticsearch server.
      If you select HTTP, the following fields appear:
      • Output URI—enter the URI of the HTTP endpoint that will be consuming the DHCP packet information.
        Note:
        • BlueCat recommends entering the IP address of the endpoint in this field. If you are entering a hostname, you must use a different DNS server as the resolver for that host. The DNS/DHCP server you are configuring DHCP activity on can still be used as a resolver for clients, but cannot be used as a resolver for its own OS related lookups.
        • If the domain name is used in the URI, you must ensure that the domain name can be resolved on the DNS/DHCP Server.
        • The URI for the Output URI field must follow the format outlined in RFC2396.
      • Bearer Token (Optional)—enter the bearer token used to authenticate with the HTTP endpoint.
      • Healthcheck—select this check box to enable health check service; deselect this check box to disable health check service. Upon initialization, the healthcheck ensures that the downstream service is accessible and can accept the DHCP packet data.
      • Healthcheck URI—enter the URI of the HTTP endpoint that will be consuming the health check information.
        Note: The URI for the Healthcheck URI field must follow the format outlined in RFC2396.
      If you select Splunk, the following fields appear:
      • Host—enter the URI of the Splunk HEC host. The standard format of the HEC URI in Splunk Enterprise is as follows:
        <protocol>://<FQDN or IP address of the host only>:<port>
        Note:
        • BlueCat recommends entering the IP address of the endpoint in this field. If you are entering a hostname, you must use a different DNS server as the resolver for that host. The DNS/DHCP server you are configuring DHCP activity on can still be used as a resolver for clients, but cannot be used as a resolver for its own OS related lookups.
        • If the domain name is used in the URI, you must ensure that the domain name can be resolved on the DNS/DHCP Server.
        • Ensure that the HEC URI format is followed exactly as described above without adding or omitting any pieces. The port is required, even if default. Do not include extra slashes or folders in the URI.
        • The URI for the Host field must follow the format outlined in RFC2396.
      • Token—enter the Splunk HEC token.
      • Healthcheck—select this check box to enable health check service; deselect this check box to disable health check service. Upon initialization, the healthcheck ensures that the downstream service is accessible and can accept the DHCP packet data.
        Note: When selecting this check box, the DNS/DHCP Server uses the default Splunk healthcheck endpoint at /services/collector/health/1.0.
      If you select Kafka, the following fields appear:
      • Topic—enter the name of the Kafka topic to write events to.
      • Bootstrap Servers—enter a comma-separated list of host and port pairs that are the addresses of the Kafka brokers in a “bootstrap” Kafka cluster that a Kafka client connects to initially to bootstrap itself. This field supports IPv4, IPv6 and FQDN values.

        Example: 10.14.22.123:9092,10.14.23.332:9092

        Note:
        • BlueCat recommends using IP addresses in this field. If you are entering a hostname, you must use a different DNS server as the resolver for that host. The DNS/DHCP server you are configuring DHCP activity on can still be used as a resolver for clients, but cannot be used as a resolver for its own OS related lookups.
        • Do not include http or https in the addresses of the Kafka brokers.
        • If a domain name is used, you must ensure that the domain name can be resolved on the DNS/DHCP Server.
      • Key Field (Optional)—enter the log field name or tags key to use for the topic key. If the field does not exist in the log or in tags, a blank value will be used. If unspecified, the key is not sent. Kafka uses a hash of the key to choose the partition or uses round-robin if the record has no key.
      • Healthcheck—select this check box to enable health check service; deselect this check box to disable health check service. Upon initialization, the healthcheck ensures that the downstream service is accessible and can accept the DHCP packet data.
        Note: The health check URI is configured based on the Kafka Broker address.
      If you select Elasticsearch, the following fields appear:
      • Endpoint—enter the Elasticsearch endpoint to send logs to. This field supports IPv4, IPv6, and FQDN values.

        Example: http://10.24.32.122:9000

        Example: https://example.com

        Example: https://user:password@example.com

        Note:
        • BlueCat recommends using the IP address of the endpoint in this field. If you are entering a hostname, you must use a different DNS server as the resolver for that host. The DNS/DHCP server you are configuring DHCP activity on can still be used as a resolver for clients, but cannot be used as a resolver for its own OS related lookups.
        • If the domain name is used, you must ensure that the domain name can be resolved on the DNS/DHCP Server.
      • Index—enter the Elasticsearch index name to write events to.
      • User—enter the basic authentication user name.
      • Password—enter the basic authentication password.
      • Healthcheck—select this check box to enable health check service; deselect this check box to disable health check service. Upon initialization, the healthcheck ensures that the downstream service is accessible and can accept the DHCP packet data.
        Note: The health check URI is configured based on the Elasticsearch instance.
    • TLS Options—select this check box to configure TLS options.
      Attention: If you enter an HTTPS endpoint in the Output URI, Healthcheck URI, Host, Bootstrap Servers, or Endpoint field when configuring output, you must select this check box and enter TLS information.
      • Under CA Certificate Upload, click Browse and locate the CA certificate used to verify the server certificate during the TLS handshake.
        Note: The file must be in PEM format.
      • Click Upload to upload the CA certificate.
      • Select the Verify Certificate check box to force verification of the server certificate during the TLS handshake using the CA certificate that was entered.
      • Select the Verify Hostname check box to validate the hostname part of the URI against the CN (Common Name) or SAN (Subject Alternative Name) of the server certificate during the TLS handshake.
  7. Under Buffer, set the following parameter:
    • Max Events—enter the maximum number of DHCP events to be stored in the memory buffer of the DNS/DHCP Server. The maximum value is 188,235,000 events.
  8. Click Update.
    If you do not have DHCP service deployed to the DNS/DHCP Server, after you click Update, you must perform a DHCP deployment on the DNS/DHCP Server for DHCP Activity events to be generated. If DHCP service is already configured on the DNS/DHCP Server, the DHCP Activity service is enabled upon clicking Update.

    Under DHCP Activity Status, you can verify whether the DHCP Activity log service is running on the DNS/DHCP Server.

    The service batches data that is sent to the configured destination. Batches are flushed from the system and sent to the configured destination when the age of the batch reaches 1 second, or when the size of the batch reaches 1049000 bytes.

    If the service receives an HTTP response status code of 429, or a status code greater than 500 except for 501, the service attempts to retry sending the failed request 5 times. If the service still cannot send the failed request after 5 attempts, the event message is dropped and an error message is logged.
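
The destination values entered in step 6 can be checked against the format rules in the notes above before they are typed into the form. The following pre-flight check is an added example, not BlueCat code; the function names and finding texts are hypothetical, and accepting bracketed IPv6 in the Kafka list is an assumption.

```python
import ipaddress
from urllib.parse import urlsplit

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_uri(value, hec=False, tls_options=False):
    """Findings for an Output URI, Healthcheck URI, Host (hec=True) or Endpoint value."""
    u = urlsplit(value)
    try:
        port = u.port                      # raises ValueError on a bad port
    except ValueError:
        return ["port is not a valid number"]
    if u.scheme not in ("http", "https") or not u.hostname:
        return ["not an http(s) URI with a host"]
    findings = []
    if hec and (port is None or u.path or u.query or u.fragment):
        findings.append("HEC host must be exactly <protocol>://<host>:<port>")
    if u.scheme == "https" and not tls_options:
        findings.append("HTTPS endpoint: TLS Options must be selected")
    if u.scheme == "http":
        findings.append("plain HTTP: events and tokens are sent unencrypted")
    if u.username or u.password:
        findings.append("credentials embedded in the URI")
    if not _is_ip(u.hostname):
        findings.append("hostname: must resolve via a DNS server other than this BDDS")
    return findings

def check_bootstrap(value):
    """Findings for a Kafka Bootstrap Servers list (comma-separated host:port)."""
    findings = []
    for item in (part.strip() for part in value.split(",")):
        host, sep, port = item.rpartition(":")
        if "://" in item:
            findings.append(f"{item}: do not include http or https")
        elif not sep or not host or not port.isdecimal() or not 0 < int(port) < 65536:
            findings.append(f"{item}: expected host:port")
        elif not _is_ip(host.strip("[]")):   # bracketed IPv6 form is an assumption
            findings.append(f"{item}: hostname, must resolve via another DNS server")
    return findings

# Constructed sample values, not taken from a real deployment.
if __name__ == "__main__":
    print(check_uri("https://10.0.0.5:8088/services/collector", hec=True, tls_options=True))
    print(check_bootstrap("10.14.22.123:9092,http://10.0.0.7:9092"))
```

An empty list means the value passed every check; each finding names the note it comes from.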

Once you have enabled DHCP Activity, the service begins collecting query log information and forwarding the logs to the selected destination. If you enabled DHCP Activity service on an xHA pair, the primary node captures zone transfer query information.
Note: If you do not see any query log information being forwarded to the selected destination, verify that DHCP service has been configured and deployed to the DNS/DHCP Server.

In the event of a service disruption, such as a network error or a system crash, DHCP Activity service attempts to mitigate event loss. If there are network connectivity issues, the service retries failed requests. There might be a loss of data if the DHCP Activity process stops on the DNS/DHCP Server while DHCP service is running and processing DHCP packets.
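
For the HTTP output type, the retry rule above determines which response codes a receiving endpoint should return if it wants a batch sent again rather than dropped. The following receiver-side sketch is an added example, not BlueCat code. It assumes the bearer token arrives as an `Authorization: Bearer <token>` header; the token value, queue threshold and size headroom are constructed.

```python
import hmac

EXPECTED_TOKEN = "constructed-example-token"  # constructed; load from a secret store
MAX_QUEUE = 1000                              # hypothetical backpressure threshold
MAX_BODY = 2 * 1049000                        # batches flush at 1049000 bytes; headroom is an assumption

def sender_retries(status):
    """Retry rule as stated on this page: 429, or greater than 500 except 501."""
    return status == 429 or (status > 500 and status != 501)

def authorized(headers):
    """Constant-time comparison of the presented bearer token."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return scheme.lower() == "bearer" and hmac.compare_digest(
        token.encode(), EXPECTED_TOKEN.encode())

def respond(headers, body, queue_depth, store_ok=True):
    """Choose the status code for one delivery request."""
    if not authorized(headers):
        return 401      # not in the retried set
    if len(body) > MAX_BODY:
        return 413      # not in the retried set
    if queue_depth >= MAX_QUEUE:
        return 429      # transient overload: retried
    if not store_ok:
        return 503      # transient backend failure: retried (500 would not be)
    return 200

# Constructed requests showing which outcomes lead to a retry.
if __name__ == "__main__":
    good = {"Authorization": "Bearer " + EXPECTED_TOKEN}
    for case in (respond(good, b"{}", 0), respond({}, b"{}", 0),
                 respond(good, b"{}", MAX_QUEUE), respond(good, b"{}", 0, store_ok=False)):
        print(case, "retried" if sender_retries(case) else "not retried")
```

Under the rule as worded, a plain 500 is not retried, so a receiver that wants transient failures to be resent returns 429 or 503.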