DHCP log analysis software ?
Gordon A. Lang
glang at goalex.com
Sat Jun 18 23:09:16 UTC 2011
Thanks for the feedback.
I do already use syslog-ng, which can help, but the analysis I am wanting is
for making graphs and statistical reports based on scopes of interest that are
not known in advance, and so I always want to log all DHCP activity, and
then extract the interesting cross section after the fact, and then produce
reports and graphs from it.
--
Gordon A. Lang
----- Original Message -----
From: "Randy Gordey" <gordey at stdio.com>
To: "'Users of ISC DHCP'" <dhcp-users at lists.isc.org>
Sent: Saturday, June 18, 2011 4:57 PM
Subject: RE: DHCP log analysis software ?
> Hoping to cut down on some of your coding and debugging time... I use
> syslog-ng to parse DHCP messages out of /var/log/messages and either
> forward them to my central logging server or at the log server put them in
> /var/log/dhcpd.log. One file to examine. You could also put all logs in a
> subdirectory by machine like /var/log/dhcp/192.168.1.1.dhcp.log with
> syslog-ng just as easily.
>
> -----Original Message-----
> From: dhcp-users-bounces+gordey=stdio.com at lists.isc.org
> [mailto:dhcp-users-bounces+gordey=stdio.com at lists.isc.org] On Behalf Of
> Gordon A. Lang
> Sent: Saturday, June 18, 2011 8:08 AM
> To: dhcp-users at isc.org
> Subject: DHCP log analysis software ?
>
> I was thinking about writing a program to analyze my DHCP logs.
> I think it would be very useful to have a filter program that accepts
> a raw syslog stream that includes messages from all servers of
> interest, collects and normalizes the DHCP messages, selects
> interesting messages using a regular expression, and provides
> a set of parameters every <n> seconds. The set of parameters
> would include:
> 1. Number of DISCOVER's
> 2. Number of REQUEST's
> 3. Number of OFFER response times less than <t1>
> 4. Number of OFFER response times between <t1> and <t2>
> 5. Number of OFFER response times between <t2> and <t3>
> 6. Number of OFFER response times greater than <t3>
> 7. Number of ACK response times less than <t4>
> 8. Number of ACK response times between <t4> and <t5>
> 9. Number of ACK response times between <t5> and <t6>
> 10. Number of ACK response times greater than <t6>
>
> I am picturing the output of the filter could be fed into another
> filter that could produce moving averages of DISCOVER and
> REQUEST rates as well as moving averages of each of the
> four response time occurrence rates for OFFER's and ACK's.
>
> I would also like to see the filter use knowledge about the failover
> pairs and pool associations for each to report events on a per
> pool basis -- things like pool depletion, excessive pool
> balancing, persisting pool imbalance, broadcast packets going
> to one server but not the other, packets going to the wrong server,
> server providing responses when the response was supposed
> to come from its partner, and whatever else.
>
> But it occurred to me that there is probably something out there
> already written and debugged, so why reinvent the wheel? And
> besides, a program like this would take a lot more time than I
> have available right now, and I could really use something today.
>
> Does anyone know of something available?
>
> --
> Gordon A. Lang
> _______________________________________________
> dhcp-users mailing list
> dhcp-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dhcp-users
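Added example (not part of the original thread, and not the poster's or ISC's code): an implementation of the interval filter described in the first message, counting DISCOVERs and REQUESTs and bucketing OFFER and ACK response times per server and client MAC. Assumptions: the usual ISC dhcpd syslog line shape, timestamps treated as UTC with the year passed in, and constructed sample lines; `summarize`, `SAMPLE` and the parameter names are hypothetical.

```python
import re
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timezone

# Assumed line shape: "<Mon dd HH:MM:SS> <host> dhcpd: DHCP<TYPE> ... <mac> ..."
LINE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) dhcpd(?:\[\d+\])?: "
    r"DHCP(DISCOVER|OFFER|REQUEST|ACK)\b.*?\b((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b", re.I)
REPLY_TO = {"OFFER": "DISCOVER", "ACK": "REQUEST"}

# Constructed sample input (not taken from the thread).
SAMPLE = """\
Jun 18 08:00:01 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
Jun 18 08:00:02 dhcp1 dhcpd: DHCPOFFER on 192.0.2.10 to 00:11:22:33:44:55 via eth0
Jun 18 08:00:02 dhcp1 dhcpd: DHCPREQUEST for 192.0.2.10 (192.0.2.1) from 00:11:22:33:44:55 via eth0
Jun 18 08:00:02 dhcp1 dhcpd: DHCPACK on 192.0.2.10 to 00:11:22:33:44:55 via eth0
Jun 18 08:00:40 dhcp2 dhcpd: DHCPDISCOVER from 00:11:22:33:44:66 via eth0
Jun 18 08:00:45 dhcp2 dhcpd: DHCPOFFER on 192.0.2.11 to 00:11:22:33:44:66 via eth0
Jun 18 08:00:46 dhcp1 sshd[99]: unrelated line
""".splitlines()

def summarize(lines, interval, offer_t, ack_t, select=".", year=2011):
    """Per-interval counters; offer_t=(t1,t2,t3), ack_t=(t4,t5,t6), in seconds."""
    want = re.compile(select)
    pending = {}  # (server, mac, request type) -> time of oldest unanswered request
    out = defaultdict(lambda: {"DISCOVER": 0, "REQUEST": 0,
                               "OFFER": [0] * 4, "ACK": [0] * 4})
    for line in lines:
        m = LINE.match(line)
        if not m or not want.search(line):
            continue
        stamp, server, kind, mac = m.groups()
        kind, mac = kind.upper(), mac.lower()
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").replace(
            tzinfo=timezone.utc).timestamp()
        row = out[int(ts // interval) * interval]
        if kind in REPLY_TO:
            sent = pending.pop((server, mac, REPLY_TO[kind]), None)
            if sent is not None:  # a reply with no logged request is not timed
                limits = offer_t if kind == "OFFER" else ack_t
                row[kind][bisect_right(limits, ts - sent)] += 1
        else:
            row[kind] += 1
            pending.setdefault((server, mac, kind), ts)
    return dict(out)

if __name__ == "__main__":
    print(summarize(SAMPLE, 60, (1, 3, 10), (1, 3, 10)))
```

Syslog timestamps have one-second resolution, so the thresholds are only meaningful in whole seconds; a delay equal to a threshold is counted in the higher bucket.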