Explicitly log lease expiration

James M Keller jmkeller at houseofzen.org
Wed Jan 30 16:57:50 UTC 2013


On 1/29/2013 12:23 PM, James M Keller wrote:
> All,
>
> I am moving our DHCP infrastructure off MS DHCP and onto ISC BIND based
> appliances. One of the issues was getting our internal security
> auditing tools re-integrated with the log feed from ISC DHCPD vs
> Windows. The only outstanding issue is Windows was explicitly logging
> the lease expiration in the log which was used for correlation by our
> SOC. Right now with the default syslog settings we get all the DHCP
> packet events (DISCOVER, REQUEST, INFORM, RELEASE, ACK, NACK, etc) but
> not an internal operation like the lease expiring. Is this possible in
> the stock builds?
>
> Thanks in advance.
>

So I got some off-list responses that helped. I also tried to get a
custom log going, but I'm not getting any log entries. Based on another
example I found, I wrapped this in a class with an always-true match if
expression. I'm not seeing any of these logs in syslog. I've also
tried the same if/log block in a class that I know is matching already,
and all the other dhcpd logs are in syslog as expected...

Any suggestions?


class "LOGGING" {
    match if 1 = 1;

    # Custom DHCP Logging
    #
    # Log Only when DHCP Message type is:
    # 1 - DISCOVER
    # 3 - REQUEST
    if ((option dhcp-message-type = 1) or (option dhcp-message-type = 3)) {
        log(info, concat("DHCP_LOG: ",
            (concat("dhcp-user-class = ", option user-class)),
            (concat("hardware = ", binary-to-ascii(16, 8, ":", hardware))),
            (concat("dhcp-client-identifier = ", binary-to-ascii(16, 8, ":", option dhcp-client-identifier))),
            (concat("circuit-id-vlan = ", binary-to-ascii(10, 16, "", substring(option agent.circuit-id, 2, 2)))),
            (concat("circuit-id-port = ", binary-to-ascii(10, 16, "/", substring(option agent.circuit-id, 4, 4)))),
            (concat("remote-id = ", option agent.remote-id)),
            (concat("vendor-class-identifier = ", option vendor-class-identifier)),
            (concat("hostname = ", option host-name))
        ));
    }
}

-- 
---
James M Keller
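
For the SOC side of this feed, an added example (not part of the original post) that parses the DHCP_LOG line the log() statement above would produce. It assumes dhcpd writes the concatenated string unchanged on one syslog line; binary-to-ascii(16, 8, ":", hardware) yields the hardware type byte followed by unpadded hex octets, so the MAC is normalized before correlation. The function names and the sample lines are constructed for illustration.

```python
import re

# Labels in the order the log() statement in the post concatenates them.
LABELS = ["dhcp-user-class", "hardware", "dhcp-client-identifier",
          "circuit-id-vlan", "circuit-id-port", "remote-id",
          "vendor-class-identifier", "hostname"]

# concat() adds no separator, so a value ends where the next label starts.
PATTERN = re.compile(
    "DHCP_LOG: "
    + "".join(rf"{re.escape(lab)} = (?P<f{i}>.*?)" for i, lab in enumerate(LABELS))
    + "$"
)

def normalize_mac(hardware):
    """Turn '1:0:1e:c9:a:b:cf' (type byte + unpadded hex) into '00:1e:c9:0a:0b:cf'."""
    parts = hardware.split(":")
    if len(parts) != 7:
        return None
    try:
        octets = [int(p, 16) for p in parts]
    except ValueError:
        return None
    # First byte is the hardware type; 1 = Ethernet. Reject anything else.
    if octets[0] != 1 or any(not 0 <= o <= 0xFF for o in octets):
        return None
    return ":".join(f"{o:02x}" for o in octets[1:])

def parse_line(line):
    """Return the DHCP_LOG fields as a dict, or None for other dhcpd lines."""
    m = PATTERN.search(line)
    if m is None:
        return None
    rec = {lab: m.group(f"f{i}") for i, lab in enumerate(LABELS)}
    rec["mac"] = normalize_mac(rec["hardware"])
    return rec

# Constructed sample lines (not taken from a real server).
SAMPLE = ("Jan 30 16:57:50 dhcp1 dhcpd: DHCP_LOG: dhcp-user-class = corp"
          "hardware = 1:0:1e:c9:a:b:cf"
          "dhcp-client-identifier = 1:0:1e:c9:a:b:cf"
          "circuit-id-vlan = 100circuit-id-port = 0/5remote-id = sw-edge-01"
          "vendor-class-identifier = MSFT 5.0hostname = ws-0423")
OTHER = "Jan 30 16:57:50 dhcp1 dhcpd: DHCPACK on 10.0.0.5 to 00:1e:c9:0a:0b:cf via eth0"

if __name__ == "__main__":
    print(parse_line(SAMPLE))
    print(parse_line(OTHER))
```

Because the fields run together, a value that itself contains one of the labels would be split at the wrong place; putting a delimiter string between the concat() arguments removes that ambiguity.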
