Friday, June 27, 2014

Tracking historical logs in SIEM

We often have incidents that are reported, for whatever reason, after the DHCP lease has expired and the host has received a new IP address. For whatever reason, the host name isn't captured when it's reported to the SIEM.
What are some solutions you have seen used to track the historical IP address of a device when we might not have the host name?
This seems like a common issue, but I haven't seen any one method that works for all organizations.
DHCP can be served from a network device or a Microsoft Windows DHCP server, so is the answer to track locally and send that information to syslog?


Whatever your DHCP sources are, make sure you log them all, for all networks in scope. Make sure your log source timestamps reconcile with a common NTP source, and take into account your various timezones if your network locations span multiple geographic regions.
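As an added example (not from the original post), this is the kind of lease-timeline lookup the advice above makes possible: it parses constructed lines in the style of a Windows DHCP server audit log, normalises the server-local timestamps to UTC using an assumed server UTC offset, and answers "which host held this IP at the time of the SIEM event?", returning nothing when the address was released and not yet reassigned. The log format, sample hosts, MACs and offset are assumptions for illustration.

```python
from bisect import bisect_right
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed sample in the style of a Windows DHCP server audit log
# (ID,Date,Time,Description,IP Address,Host Name,MAC Address,...).
# IDs 10/11 are new/renewed leases, 12 is a release. Times are server-local.
SAMPLE_LOG = """\
10,06/27/14,08:02:11,Assign,10.1.5.23,laptop-alice.corp.example,00AABBCCDD01,
11,06/27/14,12:02:11,Renew,10.1.5.23,laptop-alice.corp.example,00AABBCCDD01,
12,06/27/14,15:40:00,Release,10.1.5.23,laptop-alice.corp.example,00AABBCCDD01,
10,06/27/14,15:45:30,Assign,10.1.5.23,desk-bob.corp.example,00AABBCCDD02,
"""
LEASE_IDS, RELEASE_IDS = {"10", "11"}, {"12"}

@dataclass
class LeaseEvent:
    when: datetime        # normalised to UTC
    ip: str
    host: Optional[str]   # None after a release: nobody holds the IP
    mac: str

def parse_dhcp_log(text: str, server_utc_offset_hours: float) -> List[LeaseEvent]:
    """Convert server-local audit lines to UTC events, sorted by time.
    Assumes the server clock is NTP-synced; the offset is the server's UTC
    offset when the log was written (use zoneinfo for DST-aware sites)."""
    tz = timezone(timedelta(hours=server_utc_offset_hours))
    events = []
    for line in text.splitlines():
        f = line.split(",")
        if len(f) < 7 or f[0] not in LEASE_IDS | RELEASE_IDS:
            continue
        local = datetime.strptime(f"{f[1]} {f[2]}", "%m/%d/%y %H:%M:%S").replace(tzinfo=tz)
        host = f[5] if f[0] in LEASE_IDS else None
        events.append(LeaseEvent(local.astimezone(timezone.utc), f[4], host, f[6]))
    return sorted(events, key=lambda e: e.when)

def host_for_ip_at(events, ip: str, at_iso_utc: str) -> Optional[Tuple[str, str]]:
    """(host, mac) holding `ip` at the SIEM event time (ISO 8601 with offset),
    or None when the IP was released and not yet reassigned."""
    at = datetime.fromisoformat(at_iso_utc)
    ip_events = [e for e in events if e.ip == ip]
    idx = bisect_right([e.when for e in ip_events], at) - 1
    if idx < 0 or ip_events[idx].host is None:
        return None
    return ip_events[idx].host, ip_events[idx].mac

if __name__ == "__main__":
    ev = parse_dhcp_log(SAMPLE_LOG, -4)  # assumed: server in US Eastern daylight time
    print(host_for_ip_at(ev, "10.1.5.23", "2014-06-27T17:30:00+00:00"))
```

The same lookup works for leases from a network device once its syslog lines are mapped into `LeaseEvent` records with their own UTC offset, which is exactly why all DHCP sources and their clocks have to be in scope.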
