I thought it would be easy to find a tool that would monitor my Windows DHCP server database and alert on leases to new MAC addresses. I'm finding that not so easy. As I thought about it, I thought it might be better to focus on reading the ARP table in my 6509 switch. Are there any tools that will allow this? Is ARP a better option?
I don't believe watching the ARP table is going to be the way to go here. You won't be able to differentiate DHCP-assigned addresses from statically assigned addresses that just happened to be configured without you knowing. Then there's the whole cross-referencing, if you were to get an alert, with the DHCP server to see if it assigned it, and if not, then you just have to track it down.
I'd suggest possibly configuring DHCP snooping and then watching that database instead. Technically, you could create an EEM script to watch the database for new additions/removals and send an email based on what you see in the database. I don't have a script to do this, but I could see it being able to be done.
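The comparison step suggested in the answer above, as an added example that is not part of the original posts: it parses two captures of `show ip dhcp snooping binding` output and reports MAC addresses that appeared, disappeared, or changed port. The captures are constructed, the function names are hypothetical, and the column layout is assumed to match the standard IOS binding table.

```python
import re

# Constructed captures of `show ip dhcp snooping binding`; not from a real switch.
HEADER = (
    "MacAddress          IpAddress   Lease(sec)  Type           VLAN  Interface\n"
    "------------------  ----------  ----------  -------------  ----  ------------------\n"
)
PREVIOUS = HEADER + (
    "00:00:5E:00:53:01   192.0.2.10  86012       dhcp-snooping  10    GigabitEthernet1/1\n"
    "00:00:5E:00:53:02   192.0.2.11  85400       dhcp-snooping  10    GigabitEthernet1/2\n"
    "00:00:5E:00:53:03   192.0.2.12  40111       dhcp-snooping  20    GigabitEthernet2/4\n"
    "Total number of bindings: 3\n"
)
CURRENT = HEADER + (
    "00:00:5E:00:53:01   192.0.2.10  82412       dhcp-snooping  10    GigabitEthernet1/1\n"
    "00:00:5E:00:53:02   192.0.2.11  81800       dhcp-snooping  10    GigabitEthernet1/7\n"
    "00:00:5E:00:53:AF   192.0.2.57  86390       dhcp-snooping  10    GigabitEthernet1/3\n"
    "Total number of bindings: 3\n"
)

# One data row: MAC, IP, lease, binding type, VLAN, interface (assumed column order).
ROW = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<lease>\S+)\s+(?P<type>\S+)\s+(?P<vlan>\d+)\s+(?P<intf>\S+)\s*$"
)

def parse_bindings(text):
    """Return {mac: row fields}; header, separator and total lines do not match ROW."""
    bindings = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            b = {**m.groupdict(), "mac": m["mac"].lower()}
            bindings[b["mac"]] = b
    return bindings

def diff_bindings(previous, current, known_macs=()):
    """Report MACs that appeared (and are not already known), disappeared, or moved port."""
    known = {m.lower() for m in known_macs}
    return {
        "added": [current[m] for m in sorted(current.keys() - previous.keys() - known)],
        "removed": [previous[m] for m in sorted(previous.keys() - current.keys())],
        "moved": [current[m] for m in sorted(current.keys() & previous.keys())
                  if current[m]["intf"] != previous[m]["intf"]],
    }

if __name__ == "__main__":
    print(diff_bindings(parse_bindings(PREVIOUS), parse_bindings(CURRENT)))
```

Passing an inventory of approved addresses as `known_macs` limits the `added` list to devices that have never been seen before, which is the alert the question asks for.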