DHCP audit log paused

By | June 12, 2015

How to fix a problem with Windows 2012 R2 DHCP audit stuck in paused mode.

The DHCP service writes only a single line into the log file:

“Audit Log Paused”

dhcp-audit-4

A customer running Windows 2012 R2 DHCP had issues with the DHCP logging. No other lines were written than the notification that the auditing was paused.

E.g.: 02,06/12/15,14:19:38,Audit Log Paused,,,,,0,6,,,,,,,,,0

dhcp-audit-5

Logging was in fact enabled on the IPv4 scopes as above.

It is often very important for organizations to be able to backtrack DHCP leases to computers/devices for specific time and dates, so highly recommended to enable this setting. The DHCP logs do not go into the main Windows Event Viewer logfiles, but are text files by default placed into C:\Windows\System32\DHCP folder.

dhcp-audit-6

To help readability of the logfiles the logs were relocated from the default C:\Windows\System32\DHCP to a separate partition and folder, in this case D:\DHCP-logfiles.

dhcp-audit-3

The ACL on the DHCP log folder shows that the correct permissions has been automatically set. The DHCP service could write into the log file – so there should be no permission problem.

Still only the line with DHCP event id 02 and “audit log paused” was written. Restart of the DHCP service did not help.

A Microsoft Knowledge Base article claimed that event id 02 with paused DHCP logging could be caused by low disk space. The partition at the DHCP server had in fact large amounts of free space, but this was actually misread by the DCHP audit logging.

dhcp-audit-2

The reason for this was non default ACL on the root of the D: partition. The access control entries for groups like “Everyone” and “Users” had been removed earlier to increase the access security in the root folder.

This caused the DHCP service to not be able to verify the amount of free space and incorrectly assumed this was due to low disk space.

dhcp-audit-7

By adding the DHCP service (NT SERVICE\DHCPServer) with read access in the root of the partition the service could now determine the free space.

After this the DHCP audit logging was working correctly.

4 thoughts on “DHCP audit log paused

  1. B.Danunjaya

    I am using win server2003 service pack2!!!, I am able to get DHCP log file daily up to 10243 Kb(10Mbps) only!!, after reaching this space logs will stopped daily!! , is there any limit in DHCP logs??, is there any possible to get total day logs?? (due to this error we are getting some of hours data only)
    we have space in C drive and D drive (Logs will saved in C drive)…….

    error code::02,07/06/16,04:37:35,Audit Log Paused,,,,

    Reply
    1. Mahmoud Ghanem

      try to increase maximum log file size for dhcp log
      windows
      regedit
      In the registry tree, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Services\DHCPServer\Parameters
      try to increse the number from 46 to 300 and see if this resolves the issue.

      Reply
    2. danunjaya

      It’s working after adding.

      Need to restart server after changing.

      Reply
  2. Danunajya

    Hi,
    I want to add more IP pools in dhcp server, now i am using 10pools i want to add more pools
    how to add this pools in dhcp server
    now using 172.16.0.1/23,172.16.2.1/23 to 172.16.20.1/23

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *