Linux dhcpd is a Linux daemon that implements the Dynamic Host Configuration Protocol (DHCP) and the Bootstrap Protocol (BOOTP). DHCP allows hosts on a TCP/IP network to request and be assigned IP addresses, and to discover information about the network to which they are attached.
The purpose of this rule is to parse the DHCP client device type from the DHCP assignment (
Log Source Details
| Vendor | any Linux distribution |
| Device Type | Linux OS |
| Supported Software Version(s) | dhcpd servers (tested on |
| Configurable Log Output? | no |
| Log Source Type | Linux syslog |
Currently Supported Log Types
The log format is a standard Linux syslog message (dhcpd logs through the system logger; these are not kernel messages). The message body consists of a terse readable phrase naming the DHCP operation taking place, client device information, and the IP addresses involved (see below for log samples). There are no key-value pairs, delimited fields, or fixed-position fields, so the rule has to recognise the phrase and pick the client device type out of it.
Parsed Metadata Fields
The only field parsed from the dhcpd messages is the client device type.
Currently the only messages of interest are DHCPACK messages, the server's confirmation of a DHCP IP address assignment; the DISCOVER, OFFER and REQUEST steps of the exchange are not parsed. The messages themselves consist of:
The only user tag is DHCP Client Type, which is set to the value of <client device type> as illustrated in the description above.
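The following is an added worked example of the parsing described above; it is not code from the original page or from dhcpd. It assumes the DHCPACK line layout that ISC dhcpd writes to syslog, `DHCPACK on <ip> to <mac> (<client name>) via <interface>`, where the parenthesised client name is optional (it comes from the client's host-name option and is absent for clients that send none), and it assumes that the page's "client device type" is that parenthesised token. The syslog prefix format, the host name `dhcp01`, the interface and address values and the sample log itself are all constructed for the example. Because the token is supplied by the client, the parser anchors on the trailing `via <interface>` rather than on the closing parenthesis, strips non-printable characters and caps the length before the value is used as a tag.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed sample log. Only the DHCPACK lines are parsed; the DISCOVER,
# OFFER and REQUEST lines of the same exchange are skipped. The fifth line is
# a client that sent no host-name option (no parentheses). The last line is
# constructed to contain the parser's own delimiters inside the client name;
# whether dhcpd passes such a name through unchanged is not asserted here,
# but a parser should not depend on it never happening.
SAMPLE_LOG = """\
Mar  4 10:15:01 dhcp01 dhcpd[1234]: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
Mar  4 10:15:01 dhcp01 dhcpd[1234]: DHCPOFFER on 192.168.1.50 to 00:11:22:33:44:55 (android-3f2a) via eth0
Mar  4 10:15:02 dhcp01 dhcpd[1234]: DHCPREQUEST for 192.168.1.50 (192.168.1.1) from 00:11:22:33:44:55 (android-3f2a) via eth0
Mar  4 10:15:02 dhcp01 dhcpd[1234]: DHCPACK on 192.168.1.50 to 00:11:22:33:44:55 (android-3f2a) via eth0
Mar  4 10:15:30 dhcp01 dhcpd[1234]: DHCPACK on 192.168.1.51 to aa:bb:cc:dd:ee:ff via eth0
Mar  4 10:15:45 dhcp01 dhcpd[1234]: DHCPACK on 192.168.1.52 to 0a:1b:2c:3d:4e:5f (evil) via eth0) via eth0
"""

# RFC 3164 style prefix written by a typical Linux syslog daemon (assumed):
# "<Mon DD HH:MM:SS> <host> dhcpd[<pid>]: <message>"
SYSLOG_PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"dhcpd(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# ISC dhcpd DHCPACK body. The greedy ".*" for the client name plus the
# anchored trailing " via <iface>$" means the match is decided by the end of
# the line, not by the first ")" the client chose to put in its name.
DHCPACK_BODY = re.compile(
    r"^DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<client>.*)\))?"
    r" via (?P<iface>\S+)$",
    re.IGNORECASE,
)

MAX_CLIENT_LEN = 64  # assumed cap for the tag value


@dataclass
class DhcpAck:
    timestamp: str
    server: str
    ip: str
    mac: str
    iface: str
    client_type: Optional[str]  # None when the client sent no host name


def sanitize_client_type(raw: str) -> str:
    """Make the client-supplied name safe to store as a tag value."""
    cleaned = "".join(ch for ch in raw if ch.isprintable())
    return cleaned[:MAX_CLIENT_LEN]


def parse_dhcpd_line(line: str) -> Optional[DhcpAck]:
    """Return a DhcpAck for a DHCPACK syslog line, None for anything else."""
    prefix = SYSLOG_PREFIX.match(line.rstrip("\n"))
    if not prefix:
        return None
    body = DHCPACK_BODY.match(prefix.group("msg"))
    if not body:
        return None  # DHCPDISCOVER/OFFER/REQUEST and other messages are ignored
    client = body.group("client")
    return DhcpAck(
        timestamp=prefix.group("ts"),
        server=prefix.group("host"),
        ip=body.group("ip"),
        mac=body.group("mac").lower(),
        iface=body.group("iface"),
        client_type=sanitize_client_type(client) if client is not None else None,
    )


def extract_client_types(lines: Iterable[str]) -> Dict[str, int]:
    """Count DHCP Client Type tag values seen across DHCPACK lines.

    The number of distinct keys is the cardinality of the tag, which is what
    decides whether it needs to be treated as high-cardinality.
    """
    counts: Dict[str, int] = {}
    for line in lines:
        ack = parse_dhcpd_line(line)
        if ack is not None and ack.client_type:
            counts[ack.client_type] = counts.get(ack.client_type, 0) + 1
    return counts


if __name__ == "__main__":
    for tag, n in extract_client_types(SAMPLE_LOG.splitlines()).items():
        print(f"DHCP Client Type={tag!r}: {n} assignment(s)")
```

Running the module over the constructed sample yields two tag values: `android-3f2a` from the first DHCPACK, and `evil) via eth0` from the last line, which a regex that stopped at the first closing parenthesis would have reported as `evil`. The DHCPACK without parentheses is still parsed (address, MAC and interface are recovered) but produces no tag value.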
High-Cardinality (HC) Tags
The number of unique client device types is expected to stay within the normal cardinality range, so the tag is not marked as high-cardinality.
Successful DHCP IP address assignment response