Linux dhcpd
Linux dhcpd is a Linux daemon that implements the Dynamic Host Configuration Protocol (DHCP) and the Internet Bootstrap Protocol (BOOTP). DHCP allows hosts on a TCP/IP network to request and be assigned IP addresses, and also to discover information about the network to which they are attached.
Rule Function
The purpose of this rule is to parse the DHCP client device type from the DHCP assignment (DHCPACK) messages.
Vendor Documentation
Log Source Details
Item | Value |
---|---|
Vendor | any linux distribution |
Device Type | linux OS |
Supported Software Version(s) | dhcpd servers (tested on isc-dhcp-server) |
Collection Method | Syslog |
Configurable Log Output? | no |
Log Source Type | linux syslog |
Exceptions | N/A |
Currently Supported Log Types
The log format is a standard Linux kernel syslog log message. The message itself consists of a terse readable phrase explaining the DHCP operation occurring, client device information, and the IP addresses involved (see below for log samples). There are no key-value pairs, delimited fields, or fixed-position fields.
Parsed Metadata Fields
The only field parsed from the dhcpd messages is the client device type.
Currently the only messages of interest are DHCPACK messages, corresponding to DHCP IP address assignment. The messages themselves consist of:
The only user tag is DHCP Client Type, which is set to the value of <client device type> as illustrated in the description above.
High-Cardinality (HC) Tags
The number of unique client device types is expected to be within the acceptable range of "normal" cardinality, thus marking it as high-cardinality is unnecessary.
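As an added illustration of the parsing described above and of the cardinality reasoning in this section (example code, not the rule's own implementation), the following assumes the standard isc-dhcp-server message shape `DHCPACK on <ip> to <mac> (<client name>) via <iface>` and treats the parenthesised client name as the DHCP Client Type; the syslog lines are constructed samples, not taken from the page.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the original page). The DHCPACK shape
# follows isc-dhcp-server; the parenthesised client name is optional (absent when
# the client sends no host-name option). Assumption: that name is the device type.
SAMPLE_LOG = """\
Mar  4 10:15:01 dhcp1 dhcpd[1234]: DHCPDISCOVER from aa:bb:cc:dd:ee:01 via eth0
Mar  4 10:15:01 dhcp1 dhcpd[1234]: DHCPOFFER on 10.0.0.21 to aa:bb:cc:dd:ee:01 (printer-3f) via eth0
Mar  4 10:15:01 dhcp1 dhcpd[1234]: DHCPREQUEST for 10.0.0.21 (10.0.0.1) from aa:bb:cc:dd:ee:01 (printer-3f) via eth0
Mar  4 10:15:01 dhcp1 dhcpd[1234]: DHCPACK on 10.0.0.21 to aa:bb:cc:dd:ee:01 (printer-3f) via eth0
Mar  4 10:15:07 dhcp1 dhcpd[1234]: DHCPACK on 10.0.0.22 to aa:bb:cc:dd:ee:02 via eth0
Mar  4 10:15:09 dhcp1 dhcpd[1234]: DHCPACK on 10.0.0.23 to aa:bb:cc:dd:ee:03 (android-9c1e) via eth0
Mar  4 10:15:12 dhcp1 dhcpd[1234]: DHCPNAK on 10.0.0.99 to aa:bb:cc:dd:ee:04 via eth0
"""

# Only DHCPACK lines represent an assignment; DISCOVER/OFFER/REQUEST/NAK are ignored on purpose.
DHCPACK_RE = re.compile(
    r"dhcpd\[\d+\]: DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9a-f:]{17})"
    r"(?: \((?P<client_type>[^)]*)\))? via (?P<iface>\S+)\s*$"
)

def parse_dhcpack(line):
    """Return the parsed fields for a DHCPACK line, or None for any other message."""
    m = DHCPACK_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    # Missing or empty client name: keep the event, leave the tag unset rather than inventing one.
    if not fields["client_type"]:
        fields["client_type"] = None
    return fields

def extract_client_types(log_text):
    """Parse a whole syslog chunk; returns the DHCPACK records in order of appearance."""
    return [r for r in (parse_dhcpack(l) for l in log_text.splitlines()) if r]

def client_type_cardinality(records):
    """Count distinct DHCP Client Type values, the cardinality the HC decision is based on."""
    return Counter(r["client_type"] for r in records if r["client_type"])

if __name__ == "__main__":
    recs = extract_client_types(SAMPLE_LOG)
    for r in recs:
        print(r)
    print(client_type_cardinality(recs))
```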
Log Examples
Successful DHCP IP address assignment response