IPAM Events introduction
The third interesting thing we can do in the IPAM console is to view Events of different types. Just click on EVENT CATALOG and you will see the 3 categories of events in the lower menu pane.
The 3 event types are:
- IPAM Configuration Events: You can see what configuration changes have been made to the IPAM server and also events related to IP addresses.
- DHCP Configuration Events: In this pane you will be able to see what changes have been made to the DHCP servers, such as scopes, configurations, reservations and more.
- IP Address Tracking: You will see events about IP addresses, selected by IP, MAC and host name. This pane also contains logon events, searchable by user name.
IPAM Configuration Events
You will be able to see events related to configurations applied to the IPAM servers. This includes adding address ranges, scopes, changing settings, adding addresses, and much more. Let’s look at some examples.
You can see events related to server management and discovery:
Adding address blocks also creates events. The same goes for creating addresses.
Updates you make to DHCP from IPAM are also logged.
If you want to find events from a specific category, you can filter them. Just expand the main pane to reveal the Add criteria button.
Expand the criteria list and choose one or more. Let’s pick Task Category and enter, for example, Multi-Server Management in the text box. After you click Search, the events are filtered.
DHCP Configuration Events
The events you can find in this part are all about DHCP. When you create a scope or change a setting, an event is created recording what was done. For example, setting the lease duration creates an event with the exact information that was changed.
Of course, you can filter these events in the same way as the previous category.
IP Address and Logon Events
Probably the most interesting part of the events are the ones about IP Address tracking and also account logons. This means that you will be able to see which host got which IP and when a specific account authenticated to the domain.
There are 4 criteria usable to search for events:
- IP Address
- Host ID (MAC Address)
- Host name
- User name
If you need to search for events by IP address, just click on that specific tab, then enter the IP address and a time interval. All events between the two dates that are related to that IP will be found.
Searching by MAC or by Host name is exactly the same. Just put in the info and the events will be retrieved. Filtering by User name is also done in the same way, but the interesting thing is that you will get events about authentication on the domain for that user, with the date, time and host on which the event occurred. Let’s try for Administrator:
Other types of events are also retrieved, of course, but I think these are the most interesting.
IPAM Events purge
If you have IPAM installed on Windows Server 2016, you have the ability to delete old events directly from the IPAM interface. The older versions of Windows did not provide this functionality. This action is useful if the database gets too big and you need to delete some data.
In order to purge old events, just select Purge event catalog data from the TASKS drop-down, select the event types to target and set a date. All events older than or with the same date will be deleted.
After you run this task and check the IP Address tracking events, everything older than that date should be gone.