wellcomer/dhcpd-syslog

## dhcpd-syslog
input {
        file {
                path => [ "/var/log/syslog" ]
                start_position => end
                type => "syslog"
        }
}

filter {

        grok {
                match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
        }

        syslog_pri { }

        date {
                locale => "en"
                match => [ "syslog_timestamp", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss", "ISO8601" ]
        }

        if [syslog_program] == "dhcpd" {
                grok {
                        match => { "syslog_message" => "%{WORD:dhcp_action} (for|on|from|to|of) (%{IPV4:dhcp_client_ip} )?(.*%{COMMONMAC:dhcp_client_mac}( \(%{HOSTNAME:dhcp_client_name}\))?.*)?via %{USERNAME:interface}" }
                }
        }
}
	input {
	file {
	path => [ "/var/log/syslog" ]
	start_position => end
	type => "syslog"
	}
	}

	filter {

	grok {
	match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
	}

	syslog_pri { }

	date {
	locale => "en"
	match => [ "syslog_timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss", "ISO8601" ]
	}

	if [syslog_program] == "dhcpd" {
	grok {
	match => { "syslog_message" => "%{WORD:dhcp_action} (for\|on\|from\|to\|of) (%{IPV4:dhcp_client_ip} )?(.%{COMMONMAC:dhcp_client_mac}( \(%{HOSTNAME:dhcp_client_name}\))?.)?via %{USERNAME:interface}" }
	}
	}
	}