iamacarpet/config.yaml

## config.yaml
logging:
  receivers:
    dhcp_audit:
      type: files
      include_paths:
      - C:\Windows\System32\dhcp\DhcpSrvLog-*.log
      record_log_file_path: true
  processors:
    exclude_dhcp_guff:
      type: exclude_logs
      match_any:
      - 'jsonPayload.message !~ "^([0-9]+),([0-9]{2}\/[0-9]{2}\/[0-9]{2},[0-9]{2}:[0-9]{2}:[0-9]{2}),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)$"'
    extract_dhcp_data:
      type: parse_regex
      field: message
      regex: "^(?<event_id>[0-9]+),(?<time>[0-9]{2}\/[0-9]{2}\/[0-9]{2},[0-9]{2}:[0-9]{2}:[0-9]{2}),(?<description>[^,]*),(?<ip_address>[^,]*),(?<host_name>[^,]*),(?<mac_address>[^,]*),(?<username>[^,]*),(?<transaction_id>[^,]*),(?<qresult>[^,]*),(?<probation_time>[^,]*),(?<correlation_id>[^,]*),(?<dhc_id>[^,]*),(?<vendor_class_hex>[^,]*),(?<vendor_class>[^,]*),(?<user_class_hex>[^,]*),(?<user_class>[^,]*),(?<relay_agent_info>[^,]*),(?<dns_reg_error>[^,]*)$"
      time_key: time
      time_format: "%D,%H:%M:%S"
    tag_dhcp_event_type:
      type: modify_fields
      fields:
        jsonPayload.event_type:
          copy_from: jsonPayload.event_id
          map_values:
            "00": "The log was started"
            "01": "The log was stopped"
            "02": "The log was temporarily paused due to low disk space"
            "10": "A new IP address was leased to a client"
            "11": "A lease was renewed by a client"
            "12": "A lease was released by a client"
            "13": "An IP address was found to be in use on the network"
            "14": "A lease request could not be satisfied because the scope's address pool was exhausted"
            "15": "A lease was denied"
            "16": "A lease was deleted"
            "17": "A lease was expired and DNS records for an expired leases have not been deleted"
            "18": "A lease was expired and DNS records were deleted"
            "20": "A BOOTP address was leased to a client"
            "21": "A dynamic BOOTP address was leased to a client"
            "22": "A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted"
            "23": "A BOOTP IP address was deleted after checking to see it was not in use"
            "24": "IP address cleanup operation has began"
            "25": "IP address cleanup statistics"
            "30": "DNS update request to the named DNS server"
            "31": "DNS update failed"
            "32": "DNS update successful"
            "33": "Packet dropped due to NAP policy"
            "34": "DNS update request failed as the DNS update request queue limit exceeded"
            "35": "DNS update request failed"
            "36": "Packet dropped because the server is in failover standby role or the hash of the client ID does not match"
          map_values_exclusive: true
  service:
    pipelines:
      dhcp_audit_pipeline:
        receivers: [dhcp_audit]
        processors: [exclude_dhcp_guff, extract_dhcp_data, tag_dhcp_event_type]
	logging:
	receivers:
	dhcp_audit:
	type: files
	include_paths:
	- C:\Windows\System32\dhcp\DhcpSrvLog-*.log
	record_log_file_path: true
	processors:
	exclude_dhcp_guff:
	type: exclude_logs
	match_any:
	- 'jsonPayload.message !~ "^([0-9]+),([0-9]{2}\/[0-9]{2}\/[0-9]{2},[0-9]{2}:[0-9]{2}:[0-9]{2}),([^,]),([^,]),([^,]),([^,]),([^,]),([^,]),([^,]),([^,]),([^,]),([^,]),([^,]),([^,]),([^,]),([^,]),([^,]),([^,])$"'
	extract_dhcp_data:
	type: parse_regex
	field: message
	regex: "^(?<event_id>[0-9]+),(?<time>[0-9]{2}\/[0-9]{2}\/[0-9]{2},[0-9]{2}:[0-9]{2}:[0-9]{2}),(?<description>[^,]),(?<ip_address>[^,]),(?<host_name>[^,]),(?<mac_address>[^,]),(?<username>[^,]),(?<transaction_id>[^,]),(?<qresult>[^,]),(?<probation_time>[^,]),(?<correlation_id>[^,]),(?<dhc_id>[^,]),(?<vendor_class_hex>[^,]),(?<vendor_class>[^,]),(?<user_class_hex>[^,]),(?<user_class>[^,]),(?<relay_agent_info>[^,]),(?<dns_reg_error>[^,])$"
	time_key: time
	time_format: "%D,%H:%M:%S"
	tag_dhcp_event_type:
	type: modify_fields
	fields:
	jsonPayload.event_type:
	copy_from: jsonPayload.event_id
	map_values:
	"00": "The log was started"
	"01": "The log was stopped"
	"02": "The log was temporarily paused due to low disk space"
	"10": "A new IP address was leased to a client"
	"11": "A lease was renewed by a client"
	"12": "A lease was released by a client"
	"13": "An IP address was found to be in use on the network"
	"14": "A lease request could not be satisfied because the scope's address pool was exhausted"
	"15": "A lease was denied"
	"16": "A lease was deleted"
	"17": "A lease was expired and DNS records for an expired leases have not been deleted"
	"18": "A lease was expired and DNS records were deleted"
	"20": "A BOOTP address was leased to a client"
	"21": "A dynamic BOOTP address was leased to a client"
	"22": "A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted"
	"23": "A BOOTP IP address was deleted after checking to see it was not in use"
	"24": "IP address cleanup operation has began"
	"25": "IP address cleanup statistics"
	"30": "DNS update request to the named DNS server"
	"31": "DNS update failed"
	"32": "DNS update successful"
	"33": "Packet dropped due to NAP policy"
	"34": "DNS update request failed as the DNS update request queue limit exceeded"
	"35": "DNS update request failed"
	"36": "Packet dropped because the server is in failover standby role or the hash of the client ID does not match"
	map_values_exclusive: true
	service:
	pipelines:
	dhcp_audit_pipeline:
	receivers: [dhcp_audit]
	processors: [exclude_dhcp_guff, extract_dhcp_data, tag_dhcp_event_type]