Dnsmasq
dnsmasq is a Linux daemon that provides a DNS server, a DHCP server, and a TFTP server. For the purposes of this app, only the DHCP server operation is of interest.
Rule Function
The purpose of this rule is to parse the assigned IP address and assigned hostname from the DHCP assignment (DHCPACK) messages.
Vendor Documentation
Log Source Details
Item | Value |
---|---|
Vendor | Any Linux distribution |
Device Type | Linux OS |
Supported Software Version(s) | all |
Collection Method | Syslog |
Configurable Log Output? | no |
Log Source Type | Linux syslog |
Exceptions | N/A |
Log Types
The log format is a standard Linux kernel syslog log message. The message itself consists of space-separated fields indicating:
- The DHCP operation occurring
- Network interface
- IP address
- MAC address
- Hostname
Parsed Metadata Fields
The fields parsed from the dnsmasq messages are: the assigned IP address, and the assigned hostname.
The user tags set are:
- DNSmasq DHCP Assigned IP - set to <IP address> above
- DNSmasq DHCP Assigned Hostname - set to <hostname> above
- DNSmasq DHCP IP -> Hostname - set to <IP address> -> <hostname>
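The extraction described above can be sketched as follows. This is an added example, not the app's own rule: the regular expression, the `parse_dhcpack` helper and the sample lines are assumptions, built on the usual dnsmasq syslog layout `dnsmasq-dhcp[pid]: DHCPACK(<iface>) <ip> <mac> [<hostname>]` for IPv4 leases.

```python
import re

# Assumed layout (IPv4 only): dnsmasq-dhcp[pid]: DHCPACK(<iface>) <ip> <mac> [<hostname>]
DHCPACK_RE = re.compile(
    r"dnsmasq-dhcp\[\d+\]:\s+DHCPACK\((?P<iface>[^)]+)\)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})"
    r"(?:\s+(?P<hostname>\S+))?\s*$"
)


def parse_dhcpack(line):
    """Return the user tags for a DHCPACK line, or None for any other message."""
    m = DHCPACK_RE.search(line)
    if m is None:
        return None  # DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, non-dnsmasq lines, ...
    ip = m.group("ip")
    if any(int(octet) > 255 for octet in ip.split(".")):
        return None  # reject malformed addresses instead of tagging them
    tags = {"DNSmasq DHCP Assigned IP": ip}
    # The hostname is supplied by the DHCP client and may be absent; it is
    # untrusted data wherever the tag is later displayed or joined on.
    hostname = m.group("hostname")
    if hostname:
        tags["DNSmasq DHCP Assigned Hostname"] = hostname
        tags["DNSmasq DHCP IP -> Hostname"] = f"{ip} -> {hostname}"
    return tags


# Constructed sample lines (not taken from a real system).
SAMPLE_LINES = [
    "Mar  3 10:15:01 gw dnsmasq-dhcp[1423]: DHCPREQUEST(eth0) 192.168.1.50 aa:bb:cc:dd:ee:01",
    "Mar  3 10:15:01 gw dnsmasq-dhcp[1423]: DHCPACK(eth0) 192.168.1.50 aa:bb:cc:dd:ee:01 laptop-01",
    "Mar  3 10:16:40 gw dnsmasq-dhcp[1423]: DHCPACK(br-lan) 192.168.1.77 aa:bb:cc:dd:ee:02",
    "Mar  3 10:17:02 gw dnsmasq-dhcp[1423]: DHCPACK(eth0) 192.168.1.999 aa:bb:cc:dd:ee:03 bad",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_dhcpack(sample))
```

A lease acknowledged without a hostname yields only the IP tag, so the combined tag never carries an empty hostname.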
High-Cardinality (HC) Tags
Both the number of unique DHCP IP addresses available for assignment and the number of unique hostnames accompanying those IP addresses are expected to be within normal cardinality limits. No tags are therefore designated as high-cardinality.
Log Examples
Successful DHCP IP address assignment response