From 19d0b2db3effbea23881dca24ba2b2afe9692e5f Mon Sep 17 00:00:00 2001
From: a3ilson <a@3ilson.com>
Date: Thu, 2 Nov 2017 18:56:26 -0400
Subject: [PATCH] Create 20-dhcp.conf

---
 20-dhcp.conf | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 20-dhcp.conf

diff --git a/20-dhcp.conf b/20-dhcp.conf
new file mode 100644
index 0000000..9e29f7c
--- /dev/null
+++ b/20-dhcp.conf
@@ -0,0 +1,22 @@
+filter {             
+  grok {
+    match => [ "message", "rule (?<rule>.*)\(.*\): (?<action>pass|block) (?<direction>in|out).* on (?<iface>.*): .* proto (?<proto>TCP|UDP|IGMP|ICMP) .*\n\s*(?<src_ip>(\d+\.\d+\.\d+\.\d+))\.?(?<src_port>(\d*)) [<|>] (?<dest_ip>(\d+\.\d+\.\d+\.\d+))\.?(?<dest_port>(\d*)):" ]
+        }
+          if [prog] =~ /^dhcpd$/ {
+          if [message] =~ /^DHCPACK|^DHCPREQUEST|^DHCPOFFER/ {
+   grok {
+      match => [ "message", "(?<action>.*) (on|for|to) (?<src_ip>[0-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9]) .*(?<mac_address>[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]).* via (?<iface>.*)" ]
+        }
+      }
+  if [message] =~ /^DHCPDISCOVER/ {
+    grok {
+      match => [ "message", "(?<action>.*) from (?<mac_address>[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]).* via (?<iface>.*)" ]
+          }
+        }
+  if [message] =~ /^DHCPINFORM/ {
+    grok {
+       match => [ "message", "(?<action>.*) from (?<src_ip>.*).* via (?<iface>.*)" ]
+         }
+      }
+   }
+}  
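Review bot: The first grok block (the `rule ... pass|block ...` firewall pattern directly under `filter {`) sits outside the `[prog] =~ /^dhcpd$/` conditional, so it is attempted against every event that reaches this pipeline, and any line that does not match it — including all of the dhcpd messages this file exists to parse — will be tagged `_grokparsefailure` before the DHCP patterns run, unless something later strips that tag. Wrap it in its own program check using whatever value your syslog input sets in `prog` for the firewall log lines, e.g. `if [prog] =~ /^filterlog$/ { grok { ... } }`, or move it into the firewall-specific conf file. Separately, the DHCPINFORM pattern captures `(?<src_ip>.*)` and every DHCP pattern ends in `(?<iface>.*)`; ISC dhcpd lines can carry client-supplied text (the client's hostname), so fields built from an unbounded `.*` should not be trusted downstream as an address or interface name — reuse the dotted-quad pattern from the DHCPACK match for `src_ip` and constrain the interface to `(?<iface>\S+)`. Note also that `[<|>]` in the first pattern is a character class that matches a literal `|` as well; `[<>]` is presumably what was intended.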
-- 
GitLab