Recently, I was asked about monitoring Microsoft DHCP IP Address Pools using Log Insight to alert when the pool was exhausted and DHCP requests were failing. There are a couple of ways to do this, but I’d like to cover two as a demonstration of getting a bit fancy with your alert queries and having it pay off big time!
First off, Microsoft DHCP Servers write their events to a log file, but only at the end of the day, so we can parse that file for an Event ID of 14 to see when we ran out. This is easy to do, as shown below using Event ID 11 (DHCP Renew) as an example. The regex is simple, but unfortunately we get the information way too late!
Enter the Log Insight Agent’s ability to read Windows Event Logs! As your DHCP Server starts running low on available addresses in a certain pool it starts to throw warnings in the System Event Log with an Event ID of 1376 that state what percent is currently used and how many addresses are still available.
It would be really cool if we could have Log Insight fire off an alert if these messages showed that we were above 90% used, right? But it’s text… how do we do math on text in log messages? The good news is that not only can you accomplish this; it’s easy to do!
First off, we need to create an Extracted Field that allows us to treat the value of percentage used as an integer. Simply highlight the number and select “Extract Field”.
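The same idea outside Log Insight, as an added example that is not from the original post: a regex pulls the percent-used number out of the Event ID 1376 message as an integer, so it can be compared numerically against 90 and reported per scope. The sample events are constructed, and the message wording in the pattern is an assumption; the function names are hypothetical.

```python
import re

# Assumed wording of the Event ID 1376 warning; adjust the pattern to the
# text your DHCP server actually writes to the System Event Log.
PATTERN = re.compile(
    r"scope\s+(?P<scope>\d{1,3}(?:\.\d{1,3}){3})\s+is\s+"
    r"(?P<pct>\d{1,3})\s+percent\s+full\s+with\s+only\s+"
    r"(?P<free>\d+)\s+IP\s+addresses\s+available",
    re.IGNORECASE,
)

# Constructed sample events as (event_id, message), oldest first.
SAMPLE_EVENTS = [
    (1376, "IP address range of scope 10.0.10.0 is 84 percent full with only 40 IP addresses available."),
    (1376, "IP address range of scope 10.0.20.0 is 92 percent full with only 20 IP addresses available."),
    (7036, "The DHCP Server service entered the running state."),
    (1376, "IP address range of scope 10.0.30.0 is 90 percent full with only 25 IP addresses available."),
    (1376, "IP address range of scope 10.0.10.0 is 96 percent full with only 10 IP addresses available."),
    (1376, "Pool warning with wording the pattern does not expect"),
]

def parse_pool_usage(event_id, message):
    """Return (scope, percent_used, addresses_free) as typed values, or None."""
    if event_id != 1376:
        return None
    m = PATTERN.search(message)
    if m is None:
        return None
    # int() is the point: as text, "100" sorts below "90".
    return m["scope"], int(m["pct"]), int(m["free"])

def pools_over_threshold(events, threshold=90):
    """Keep the latest reading per scope; return scopes above threshold
    plus a count of 1376 events the pattern could not parse."""
    latest, unparsed = {}, 0
    for event_id, message in events:
        if event_id != 1376:
            continue
        parsed = parse_pool_usage(event_id, message)
        if parsed is None:
            unparsed += 1  # surface wording drift instead of hiding it
            continue
        scope, pct, free = parsed
        latest[scope] = (pct, free)
    alerts = {s: v for s, v in latest.items() if v[0] > threshold}
    return alerts, unparsed

if __name__ == "__main__":
    print(pools_over_threshold(SAMPLE_EVENTS))
```

A non-zero unparsed count means the extraction pattern no longer matches what the server logs, which would otherwise silence the alert.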