
Linux dhcpd

Linux dhcpd is a Linux daemon that implements the Dynamic Host Configuration Protocol (DHCP) and the Internet Bootstrap Protocol (BOOTP). DHCP allows hosts on a TCP/IP network to request and be assigned IP addresses, and also to discover information about the network to which they are attached.

Rule Function

The purpose of this rule is to parse the DHCP client device type from DHCP address-assignment (DHCPACK) messages.

Vendor Documentation

Log Source Details

Item                            Value
Vendor                          any Linux distribution
Device Type                     Linux OS
Supported Software Version(s)   dhcpd servers (tested on isc-dhcp-server)
Collection Method               Syslog
Configurable Log Output?        no
Log Source Type                 Linux syslog
Exceptions                      N/A

Currently Supported Log Types

The log format is a standard syslog message emitted by the dhcpd daemon (it is not a kernel message). The message itself is a terse human-readable phrase stating the DHCP operation taking place, the client's hardware address and self-reported name, and the IP address and interface involved (see the log samples below). There are no key-value pairs, delimited fields, or fixed-position fields, so the rule has to match on the phrase structure itself.

Parsed Metadata Fields

The only field parsed from the dhcpd messages is the client device type. Currently the only messages of interest are DHCPACK messages, which dhcpd logs when it confirms an IP address assignment. These messages have the form:

DHCPACK on <ip addr> to <mac addr> (<client device type>) via <interface>

The only user tag is DHCP Client Type, which is set to the value of <client device type> in the line above. In isc-dhcp-server this parenthesised value is the host name the client supplied in its request (DHCP option 12, host-name): it is client-controlled, it is omitted entirely when the client sent no name, and it may itself contain spaces or parentheses. The rule therefore has to treat the parenthesised part as optional and anchor on the trailing "via <interface>" rather than on the first closing parenthesis, and the tag value should be treated as untrusted input downstream.

High-Cardinality (HC) Tags

The number of unique client device types is expected to stay within the acceptable range of "normal" cardinality, so marking the tag as high-cardinality is unnecessary.

Log Examples

Successful DHCP IP address assignment response

DHCPACK on 192.168.254.100 to 08:00:27:61:76:cd (VirtualBox) via enp0s3
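The following is an added example, not code from this page or from the isc-dhcp-server project: a Python implementation of the parsing described under Parsed Metadata Fields, run over the log example above plus constructed lines that cover the optional syslog prefix, a client that sent no host name, a non-DHCPACK message that must be ignored, and a host name containing spaces and parentheses. The function and field names are assumptions chosen for this example.

```python
import re
from typing import Dict, List, Optional

# Matches a DHCPACK line with or without its syslog prefix. The parenthesised
# client name is optional because dhcpd omits it when the client sent no
# host-name option; it is matched greedily and anchored on the trailing
# " via <interface>" so names containing spaces or parentheses survive intact.
DHCPACK_RE = re.compile(
    r"^(?:.*?\bdhcpd(?:\[\d+\])?:\s+)?"       # optional "... dhcpd[pid]: " prefix
    r"DHCPACK on (?P<ip>\S+) "
    r"to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<client>.*)\))?"                # optional "(client name)"
    r" via (?P<iface>\S+)$"
)


def parse_dhcpack(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the fields of one DHCPACK log line, or None for any other message."""
    m = DHCPACK_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "mac": m.group("mac").lower(),            # normalise hex case across clients
        "DHCP Client Type": m.group("client"),    # None when the client sent no name
        "interface": m.group("iface"),
    }


def extract_client_types(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Apply the rule to every line, keeping only DHCPACK records as the rule does."""
    return [rec for rec in (parse_dhcpack(l) for l in log_text.splitlines()) if rec]


# Constructed sample input (not captured from a real server). The first line is the
# example from this page; the rest exercise the prefix, no-name, DHCPOFFER and
# awkward-host-name cases.
SAMPLE_LOG = """\
DHCPACK on 192.168.254.100 to 08:00:27:61:76:cd (VirtualBox) via enp0s3
Jun  3 10:15:22 dhcp1 dhcpd[1234]: DHCPACK on 192.168.254.101 to 08:00:27:AA:BB:CC via enp0s3
Jun  3 10:15:23 dhcp1 dhcpd[1234]: DHCPOFFER on 192.168.254.102 to 08:00:27:11:22:33 (laptop) via enp0s3
Jun  3 10:15:24 dhcp1 dhcpd[1234]: DHCPACK on 10.0.0.7 to de:ad:be:ef:00:01 (Bob's iPhone (2)) via eth0
"""

if __name__ == "__main__":
    for rec in extract_client_types(SAMPLE_LOG):
        print(rec)
```

The greedy `(?P<client>.*)` followed by the literal ` via <interface>` at end of line is what makes "Bob's iPhone (2)" come out whole; a non-greedy match or a `[^)]*` character class would truncate it at the first closing parenthesis. Because the name is client-supplied, treat the DHCP Client Type value as untrusted when it is used in dashboards or correlation rules.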