Explicitly log lease expiration
James M Keller
jmkeller at houseofzen.org
Wed Jan 30 16:57:50 UTC 2013
On 1/29/2013 12:23 PM, James M Keller wrote:
> All,
>
> I am moving our DHCP infrastructure off MS DHCP and onto ISC BIND based
> appliances. One of the issues was getting our internal security
> auditing tools re-integrated with the log feed from ISC DHCPD vs
> Windows. The only outstanding issue is Windows was explicitly logging
> the lease expiration in the log which was used for correlation by our
> SOC. Right now with the default syslog settings we get all the DHCP
> packet events (DISCOVER, REQUEST, INFORM, RELEASE, ACK, NACK, etc) but
> not an internal operation like the lease expiring. Is this possible in
> the stock builds?
>
> Thanks in advance.
>
So I got some off-list responses that helped. I also tried to get a
custom log going but I'm not getting any log entries. Based on another
example I found I wrapped this in a class with an always true match if
expression. I'm not seeing any of these logs in syslog. I've also
tried the same if/log block in a class that I know is matching already,
and all the other dhcpd logs are in syslog as expected...
Any suggestions?
class "LOGGING" {
    match if 1 = 1;
    # Custom DHCP Logging
    #
    # Log Only when DHCP Message type is:
    # 1 - DISCOVER
    # 3 - REQUEST
    if ((option dhcp-message-type = 1) or (option dhcp-message-type = 3)) {
        log(info, concat("DHCP_LOG: ",
            (concat("dhcp-user-class = ", option user-class)),
            (concat("hardware = ", binary-to-ascii(16, 8, ":", hardware))),
            (concat("dhcp-client-identifier = ", binary-to-ascii(16, 8, ":",
                option dhcp-client-identifier))),
            (concat("circuit-id-vlan = ", binary-to-ascii(10, 16, "",
                substring(option agent.circuit-id,2,2)))),
            (concat("circuit-id-port = ", binary-to-ascii(10, 16, "/",
                substring(option agent.circuit-id,4,4)))),
            (concat("remote-id = ", option agent.remote-id)),
            (concat("vendor-class-identifier = ", option vendor-class-identifier)),
            (concat("hostname = ", option host-name))
        ));
    }
}
--
---
James M Keller
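
The question in this thread is how to get an explicit log line when a lease expires. The following is an added example, not part of the original post: it uses ISC dhcpd's `on commit`, `on release` and `on expiry` event statements, assumed here to sit at the top level of dhcpd.conf. The variable names `clip` and `clhw` and the `LEASE_EVENT` prefix are made up for this example.

```conf
# Added example, not from the original post.
# Assumes ISC dhcpd with the event statements described in dhcp-eval(5).
# clip, clhw and the LEASE_EVENT prefix are hypothetical names.

on commit {
    # A client packet is present here, so capture what later events need.
    # Values assigned with "set" are stored with the lease.
    set clip = binary-to-ascii(10, 8, ".", leased-address);
    # Skip the first byte of "hardware" (the hardware type) to get the MAC.
    # binary-to-ascii does not zero-pad, so 0a prints as "a"; normalize
    # the MAC in the log pipeline before correlating.
    set clhw = binary-to-ascii(16, 8, ":", substring(hardware, 1, 6));
    log(info, concat("LEASE_EVENT: commit ip=", clip, " mac=", clhw));
}

on release {
    # Client gave the address back before the lease ran out.
    log(info, concat("LEASE_EVENT: release ip=", clip, " mac=", clhw));
}

on expiry {
    # No client packet exists when a lease times out, so packet options
    # (user-class, agent.circuit-id, host-name, ...) cannot be read here.
    # Only the values saved at commit time are logged.
    log(info, concat("LEASE_EVENT: expiry ip=", clip, " mac=", clhw));
}
```

Check the result with `dhcpd -t -cf <path to dhcpd.conf>` before restarting the service.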