diff --git a/20-dhcp.conf b/20-dhcp.conf
new file mode 100644
index 0000000000000000000000000000000000000000..9e29f7cb2e4a9168f5bf2093c66cdd504cb1a71b
--- /dev/null
+++ b/20-dhcp.conf
@@ -0,0 +1,22 @@
+filter {             
+  grok {
+    match => [ "message", "rule (?<rule>.*)\(.*\): (?<action>pass|block) (?<direction>in|out).* on (?<iface>.*): .* proto (?<proto>TCP|UDP|IGMP|ICMP) .*\n\s*(?<src_ip>(\d+\.\d+\.\d+\.\d+))\.?(?<src_port>(\d*)) [<|>] (?<dest_ip>(\d+\.\d+\.\d+\.\d+))\.?(?<dest_port>(\d*)):" ]
+        }
+          if [prog] =~ /^dhcpd$/ {
+          if [message] =~ /^DHCPACK|^DHCPREQUEST|^DHCPOFFER/ {
+   grok {
+      match => [ "message", "(?<action>.*) (on|for|to) (?<src_ip>[0-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9]) .*(?<mac_address>[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]).* via (?<iface>.*)" ]
+        }
+      }
+  if [message] =~ /^DHCPDISCOVER/ {
+    grok {
+      match => [ "message", "(?<action>.*) from (?<mac_address>[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]).* via (?<iface>.*)" ]
+          }
+        }
+  if [message] =~ /^DHCPINFORM/ {
+    grok {
+       match => [ "message", "(?<action>.*) from (?<src_ip>.*).* via (?<iface>.*)" ]
+         }
+      }
+   }
+}