From 19d0b2db3effbea23881dca24ba2b2afe9692e5f Mon Sep 17 00:00:00 2001
From: a3ilson <a@3ilson.com>
Date: Thu, 2 Nov 2017 18:56:26 -0400
Subject: [PATCH] Create 20-dhcp.conf

---
 20-dhcp.conf | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 20-dhcp.conf

diff --git a/20-dhcp.conf b/20-dhcp.conf
new file mode 100644
index 0000000..9e29f7c
--- /dev/null
+++ b/20-dhcp.conf
@@ -0,0 +1,22 @@
+filter {
+ grok {
+ match => [ "message", "rule (?<rule>.*)\(.*\): (?<action>pass|block) (?<direction>in|out).* on (?<iface>.*): .* proto (?<proto>TCP|UDP|IGMP|ICMP) .*\n\s*(?<src_ip>(\d+\.\d+\.\d+\.\d+))\.?(?<src_port>(\d*)) [<|>] (?<dest_ip>(\d+\.\d+\.\d+\.\d+))\.?(?<dest_port>(\d*)):" ]
+ }
+ if [prog] =~ /^dhcpd$/ {
+ if [message] =~ /^DHCPACK|^DHCPREQUEST|^DHCPOFFER/ {
+ grok {
+ match => [ "message", "(?<action>.*) (on|for|to) (?<src_ip>[0-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9]) .*(?<mac_address>[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]).* via (?<iface>.*)" ]
+ }
+ }
+ if [message] =~ /^DHCPDISCOVER/ {
+ grok {
+ match => [ "message", "(?<action>.*) from (?<mac_address>[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]).* via (?<iface>.*)" ]
+ }
+ }
+ if [message] =~ /^DHCPINFORM/ {
+ grok {
+ match => [ "message", "(?<action>.*) from (?<src_ip>.*).* via (?<iface>.*)" ]
+ }
+ }
+ }
+}
--
GitLab
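Review bot: The first `grok` block (the `rule … pass|block … proto …` pattern) sits outside the `[prog] =~ /^dhcpd$/` guard, so every event flowing through this filter is matched against a regex that expects a `\n`-separated two-line firewall-style message, and every event that is not one — including every dhcpd line this file is meant to parse — gets tagged `_grokparsefailure`. That makes the tag useless as a signal for the DHCP patterns below, and the pattern's many `.*` segments are evaluated for every event regardless of source. Either drop it from this DHCP-specific file or gate it the way the dhcpd branch is gated, e.g. `if [prog] == "<firewall-log-program, not shown here>" { … }`. Separately, the DHCPINFORM pattern captures `(?<src_ip>.*)` with no address shape at all, unlike the octet pattern used for DHCPACK/REQUEST/OFFER; `%{IPV4:src_ip}` there (and `%{MAC:mac_address}` in place of the three hand-written MAC groups) would keep the field consistently typed and make any downstream detection that keys on `src_ip` less fragile.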