Monitor DHCP Discover

Tim Peiffer peiffer at umn.edu
Thu Jun 18 14:24:58 UTC 2009


pat wrote:
> DHCP server doesn't hold a MIB to query via snmp.
>  
> Regards
> Pat
I don't understand your question. 

Your statement is correct in that the DHCP server doesn't have a MIB to 
query.  But if you use the logfiles produced by DHCP syslog traps you 
can offload the DHCP server of doing event management.

Event management was not something that was spec'ed into the DHCP 
server, so it is probably unfair to ask it to do so.  By using an event 
correlator, you can get the job of event management done.  The process is 
service agnostic. Given something to build regular expressions, nearly 
any log can be parsed, so you should be able to look at any service 
(DHCP, DNS, Radius, ....).

By using an event correlator, you have enough to work with and you can 
do what 'Red1' asks.  As event correlators go,  SEC is fast, SEC is 
flexible, SEC is free, SEC is able to monitor nearly *any* log format.  
SEC is easy, or as complex as you wish to make it.

Regards,
Tim Peiffer

>
> On Tue, Jun 2, 2009 at 4:48 PM, Tim Peiffer <peiffer at umn.edu> wrote:
>
>     red1 red wrote:
>     > Dear ISC Members;
>     >
>     > I'm using ISC DHCP v4.0.0/ OS: Redhat , I'd like to configure DHCP
>     > Server to send notification (snmp trap or whatever) if it hasn't
>     > received any DHCP DISCOVER since specific time (eg 30 seconds ago) or
>     > if DHCP DISCOVER rate go less than a specific threshold (eg Less than
>     > 20 Discovers/minute)
>     >
>     >
>     > Is it doable ?? Please advise.
>
>     Please look at the simple event correlator SEC by Risto Vaarandi.
>     It is on the sourceforge.  It is flexible and can be configured to
>     parse and act on nearly any log format.  The user forum is pretty
>     active and has a pretty high signal to noise ratio.  I use the tool
>     extensively.
>     Also look at John Rouillard and John Brown's white papers.  They are
>     informative reading.
>
>     http://www.google.com/search?client=safari&rls=en-us&q=simple+event+correlator&ie=UTF-8&oe=UTF-8
>
>     SEC - open source and platform independent event correlation tool ->
>     http://www.estpak.ee/~risto/sec/
>     SourceForge.net: Simple Event Correlator ->
>     http://sourceforge.net/projects/simple-evcorr/
>
>     Regards,
>     Tim Peiffer
>     Network Support Engineer
>     Office of Information Technology / OIA
>     University of Minnesota / NorthernLights GigaPOP
>
>     >
>     > Thanks in advance
>     > Red1
>     >
>     ------------------------------------------------------------------------
>     >
>     > _______________________________________________
>     > dhcp-users mailing list
>     > dhcp-users at lists.isc.org <mailto:dhcp-users at lists.isc.org>
>     > https://lists.isc.org/mailman/listinfo/dhcp-users
>
>
>


-- 
Tim Peiffer
Network Support Engineer
Office of Information Technology
University of Minnesota/NorthernLights GigaPOP
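
The log-driven approach described in this thread, as an added example that is not part of the original messages and is not SEC itself: a Python sketch (swapped in for SEC rules) that checks the two conditions from the original question against dhcpd syslog output. It assumes the usual ISC dhcpd line form `DHCPDISCOVER from <mac> via <interface>`; the host name `dhcp1`, the sample lines and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Matches a classic syslog line written by dhcpd for a DISCOVER, e.g.
# "Jun 18 14:24:10 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0"
DISCOVER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd(?:\[\d+\])?: "
    r"DHCPDISCOVER from "
)

# Constructed sample log (not taken from a real server).
SAMPLE = [
    "Jun 18 14:24:10 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0",
    "Jun 18 14:24:10 dhcp1 dhcpd: DHCPOFFER on 192.0.2.10 to 00:11:22:33:44:55 via eth0",
    "Jun 18 14:24:20 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:66 via eth0",
    "Jun 18 14:24:55 dhcp1 dhcpd[2211]: DHCPDISCOVER from 00:11:22:33:44:77 via eth0",
]

def discover_times(lines, year):
    """Timestamps of DHCPDISCOVER lines; classic syslog omits the year."""
    times = []
    for line in lines:
        m = DISCOVER_RE.match(line)
        if m:
            stamp = f"{year} {m['ts']}"
            times.append(datetime.strptime(stamp, "%Y %b %d %H:%M:%S"))
    return times

def check_discovers(lines, now, silence_s=30, min_per_min=20):
    """Return alerts for 'no DISCOVER recently' and 'rate below threshold'."""
    times = discover_times(lines, now.year)
    alerts = []
    last = max(times, default=None)
    # Condition 1: nothing seen within the silence window (or nothing at all).
    if last is None or (now - last).total_seconds() > silence_s:
        alerts.append("no DHCPDISCOVER in last %ds" % silence_s)
    # Condition 2: fewer DISCOVERs in the trailing minute than the threshold.
    minute = timedelta(minutes=1)
    recent = sum(1 for t in times if timedelta(0) <= now - t < minute)
    if recent < min_per_min:
        alerts.append("DHCPDISCOVER rate %d/min below %d" % (recent, min_per_min))
    return alerts

if __name__ == "__main__":
    for alert in check_discovers(SAMPLE, datetime(2009, 6, 18, 14, 24, 58)):
        print(alert)
```

The returned alert strings can be handed to whatever notifier is in use (an SNMP trap sender, mail, a pager hook); the same regular expression can also be reused as the pattern in an event correlator rule.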



