Re: DHCP Logfile pattern matching (419 Views)
Frequent Advisor
MacSWW
Posts: 45
Registered: ‎02-13-2009
Message 1 of 10 (506 Views)
Accepted Solution

DHCP Logfile pattern matching

All, I'm after some help monitoring the DHCP logs on a Windows 2008 server.

Basically, I'm trying to monitor when an IP address is assigned or renewed to anything that doesn't belong to our domain.

The rules I've got set up on the policy are:
1. Ignore any line with our domain name in it
2. Ignore any line containing one of our pc names
3. Ignore any line containing the word NACK
4. Ignore any line with a blank Host Name
5. Generate a message on all remaining RENEW and ASSIGN lines

I'm having trouble with Rule 4 (ignore anything with a blank Host Name), i.e. the ,, (double comma) after the IP Address in the log extract below. The last line is the type of thing I want to generate a message on.

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID,Dhcid.
11,01/12/12,08:48:55,Renew,10.10.16.53,,005056A4005B,,1526768727,0,,,
11,01/12/12,09:02:38,Renew,10.10.14.100,,00E002E3F4C8,,1808233735,0,,,
11,01/12/12,09:06:55,Renew,10.10.16.121,,005056A4005C,,1543545943,0,,,
11,01/12/12,09:14:05,Renew,10.10.106.3,,000074E34BA3,,1208025088,0,,,
11,01/12/12,09:58:46,Renew,10.242.8.14,L-031699.XXXX.local,001CC4CE1777,,269292075,0,,,

I can't just look for L-031699.xxxx.local as these host names will obviously all be different.

I've changed the Field Separator to a ',' for this rule and tried pretty much every combination of pattern matching I can think of. Funny thing is I'm only modifying a policy which used to work perfectly on a Windows 2003 DHCP server, but I don't have a W2003 dhcp log to compare with.

The W2003 pattern that used to work was:

<*>,<@.date>,<@.time>,<*>,<@.ip>,,<@.mac>,<*>

I'm sure this shouldn't be as hard as I'm making it and I'm missing something obvious. I've not done much with logfile monitoring policies or pattern matching before, so any suggestion for Rule 4 would be much appreciated!

Mac

Valued Contributor
jiiim
Posts: 72
Registered: ‎08-25-2010
Message 2 of 10 (485 Views)

Re: DHCP Logfile pattern matching

The rule:

<*>,<*>,<*>,<*>,<*>,,<*>

Should match (empty server name):

11,01/12/12,08:48:55,Renew,10.10.16.53,,005056A4005B,,1526768727,0,,,

On the "Actions" tab of this rule set it to:

If condition of this rule is true then:

Do nothing: stop evaluation.

Put this rule above rules that catch stuff in the rule sequence.

Would that work? :-)

Br,

Jim

Frequent Advisor
MacSWW
Posts: 45
Registered: ‎02-13-2009
Message 3 of 10 (481 Views)

Re: DHCP Logfile pattern matching

Thanks for the reply Jim,

I'm pretty sure I've tried that rule (although I've tried so many I honestly can't remember!), but I would have left it in its original position of 4 in the rule sequence.

I've changed the rule to <*>,<*>,<*>,<*>,<*>,,<*> and moved it right to the top.

I'll post back when (if) I get any results ;-)

Thanks again,

Mac

Frequent Advisor
MacSWW
Posts: 45
Registered: ‎02-13-2009
Message 4 of 10 (468 Views)

Re: DHCP Logfile pattern matching

I've had to wait a while before we got anything in the DHCP logs, but we had one the other day:

10,01/25/12,12:11:20,Assign,10.10.xx.xx,L-030189.xxxxxxxxx.local,0017X4X03469,,1740429006,0,,,

which my policy failed to pick up. I think the rule is not matching the commas to the right fields, as during my testing I got this message back a couple of times:

A DHCP lease was renewed by a client:

Host Name: 0

IP Address: 10.10.xxx.x,XXX_TEST.,180373X55XXX,,1588241571

MAC Address: ,

Date: 01/13/12

Time: 13:27:00

The actual line in the DHCP log was similar to the one above, but obviously with a different host name. Somehow, the policy is picking up the QResult as the Host Name and using the column headings "IP Address,Host Name,MAC Address,User Name and TransactionID" as the IP Address.

I've changed the pattern matching on the rules to use a comma, so it should be looking for these as separators, right?

How do other people monitor these logon events - does anyone know of a better / easier way to do this?

Thanks,

Mac
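Worked example added here (it is not code from the thread or from the HP logfile policy product): a small Python parser that reads the Windows 2008 DHCP audit log format quoted in the first post by header field, so a blank Host Name stays empty instead of shifting QResult and other columns into the wrong place as the misaligned message above shows, and then applies the five rules from the first post in order. The domain name, PC list, MACs and log lines are constructed assumptions.

```python
import csv
import io

# Header row of the Windows 2008 DHCP audit log as quoted in the thread.
HEADER = ("ID,Date,Time,Description,IP Address,Host Name,MAC Address,"
          "User Name,TransactionID,QResult,Probationtime,CorrelationID,Dhcid")

# Constructed sample lines; domain, PC names and MACs are assumptions.
SAMPLE_LOG = """\
11,01/12/12,08:48:55,Renew,10.10.16.53,,005056A4005B,,1526768727,0,,,
11,01/12/12,09:58:46,Renew,10.242.8.14,L-031699.example.local,001CC4CE1777,,269292075,0,,,
10,01/25/12,12:11:20,Assign,10.10.20.7,L-030189.example.local,0017A4A03469,,1740429006,0,,,
15,01/25/12,12:12:00,NACK,10.10.20.8,,000C29AABBCC,,1740429007,0,,,
10,01/25/12,12:13:41,Assign,10.10.20.9,visitor-laptop,B8270123ABCD,,1740429008,0,,,
"""

OUR_DOMAIN = "example.local"          # assumed company domain suffix
OUR_PCS = {"L-030189", "L-031699"}    # assumed list of company PC names


def parse_dhcp_log(text):
    """Yield one dict per event line keyed by HEADER, so an empty Host Name
    stays '' instead of shifting QResult or other columns into its place."""
    fields = HEADER.split(",")
    for row in csv.reader(io.StringIO(text)):
        if not row or not row[0].isdigit():
            continue                      # skip header / blank lines
        row += [""] * (len(fields) - len(row))
        yield dict(zip(fields, row))

def classify(event):
    """Apply the five rules from the first post in order and return which
    one stopped evaluation ('alert' means rule 5 fired)."""
    host, desc = event["Host Name"], event["Description"]
    if OUR_DOMAIN.lower() in host.lower():
        return "rule1-domain"
    if host.split(".")[0].upper() in OUR_PCS:
        return "rule2-known-pc"
    if desc.upper() == "NACK":
        return "rule3-nack"
    if host == "":
        return "rule4-blank-host"
    if desc in ("Renew", "Assign"):
        return "alert"
    return "ignored"

def find_foreign_leases(text):
    """Return (ip, host, mac) for each line that should generate a message."""
    return [(e["IP Address"], e["Host Name"], e["MAC Address"])
            for e in parse_dhcp_log(text) if classify(e) == "alert"]
```

Running find_foreign_leases(SAMPLE_LOG) returns only the visitor-laptop lease; the blank-host, domain and NACK lines are stopped by rules 4, 1 and 3 respectively.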

Honored Contributor
Jeroen Peereboom
Posts: 2,713
Registered: ‎06-26-2003
Message 5 of 10 (458 Views)

Re: DHCP Logfile pattern matching

Specify the comma as fieldseparator for the logfile template.
Then matching would be something like <@><_><@>... <_><_>

JP.

Honored Contributor
Jeroen Peereboom
Posts: 2,713
Registered: ‎06-26-2003
Message 6 of 10 (456 Views)

Re: DHCP Logfile pattern matching

And of course, start with "^<@>", not "<@>"

JP

Frequent Advisor
MacSWW
Posts: 45
Registered: ‎02-13-2009
Message 7 of 10 (447 Views)

Re: DHCP Logfile pattern matching

Thanks for the reply JP.

I've changed pattern matching for the whole policy to a comma, 'Applied to All', and then replaced all the commas with a <_> for all rules. I've also added the '^' to all rules with matches that start at the beginning of the logfile line.

I'll post back when I get anything...

Cheers,

Mac

Honored Contributor
Jeroen Peereboom
Posts: 2,713
Registered: ‎06-26-2003
Message 8 of 10 (443 Views)

Re: DHCP Logfile pattern matching

L.S.

Of course you can wait for new events in the logfile, but why not copy the file to your management server and test the conditions right away?

You know you can do that from the modify template or modify condition window?

JP

Frequent Advisor
MacSWW
Posts: 45
Registered: ‎02-13-2009
Message 9 of 10 (438 Views)

Re: DHCP Logfile pattern matching

I did know that, thanks JP :)

I have tested the rules for this policy in the past, but only one at a time from the modify conditions window. Even though they matched, the whole policy still didn't work. I suspect now this was because I didn't test all the rules at the same time and in the correct order...

Things are looking up already though, as we finally have a couple of messages and emails with the correct Host Names, IP Addresses, MAC address, date and time stamps, so I think we've cracked it!

I'll do a bit more testing to make sure I'm catching everything I need and post back...

Thanks for all the help - much appreciated.

Mac

Frequent Advisor
MacSWW
Posts: 45
Registered: ‎02-13-2009
Message 10 of 10 (419 Views)

Re: DHCP Logfile pattern matching

After a couple of days of testing, I'm now catching all the 'non' company devices requesting IP addresses and the text is appearing in the message as expected.

I've got some issues with duplicates on these messages, but I'll start a new thread for that...

Thanks to everyone that helped - special kudos to JP ;)