Skip to content

Instantly share code, notes, and snippets.

@fintanmm

fintanmm/grok-dhcp-logstash

Last active April 13, 2016 11:17
Show Gist options
  • Save fintanmm/79530f01243fbb3c026d552f608edfd3 to your computer and use it in GitHub Desktop.
Save fintanmm/79530f01243fbb3c026d552f608edfd3 to your computer and use it in GitHub Desktop.
Download ZIP
Grok pattern for logstash from a syslog server
Raw
grok-dhcp-logstash
DHCPACTION (ACK|DECLINE|DISCOVER|INFORM|NAK|OFFER|RELEASE|REQUEST)
DHCPGATEWAY %{IPV4:dhcp_gateway_ip}
DHCPMESSAGE ((:)%{SPACE}%{GREEDYDATA:dhcp_message})?
DHCPIPORMAC ((%{IPV4:dhcp_client_ip})|(%{COMMONMAC:dhcp_client_mac}))
DHCPD (?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601})%{SPACE}%{DHCPACTION:dhcp_action}%{SPACE}(for|on|from|to)%{SPACE}%{DHCPIPORMAC}%{SPACE}((from|to)%{SPACE})?%{DHCPIPORMAC}?(\(%{DHCPIPORMAC}\))?%{SPACE}(\(%{USER:user_machine}\))?%{SPACE}?(via|from)%{SPACE}((%{DHCPGATEWAY}%{DHCPMESSAGE})|%{USERNAME:dhcp_client_interface})
DHCPIPSUBNET (?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2}))[\/]%{INT}
DHCPDDUP (%{IPV4:dhcp_client_ip})%{GREEDYDATA}(%{COMMONMAC:dhcp_client_mac})%{GREEDYDATA}(%{DHCPIPSUBNET:dhcp_subnet})
DHCPDINFO %{GREEDYDATA:dhcp_message}
DHCPDPOOL pool (%{GREEDYDATA:dhcp_pool})(%{DHCPIPSUBNET:dhcp_subnet})%{GREEDYDATA:dhcp_message}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment