Sunday, May 3, 2015

PFSense + Splunk - Security on the cheap - Parsing DHCP Server Logs

Continuing with the Splunk dashboards, let's add a panel for parsed DHCP server logs.

Sample DHCP Server Message


May  2 20:15:14 192.168.0.1 May  3 00:15:06 dhcpd: DHCPACK on 192.168.0.14 to cc:55:ad:1a:2b:c5 via dc0

Our Search Filter:
"dhcpd:" | rex field=_raw "dhcpd:\s(?<dhcp_message>[A-Za-z]*).*\s(?<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*\s(?<mac_address>[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}).*\s(?<interface>.*)" | stats count by ip_address, dhcp_message, mac_address, interface

Our Results:




Similarly to the previous posts in this series, being able to monitor your DHCP activity can help add context to your network, putting you in a better position to decide how to move forward.



In this series:
1. PFSense + Splunk - Security on the cheap
2. PFSense + Splunk - Security on the cheap - Parsing Firewall logs
3. PFSense + Splunk - Security on the cheap - Parsing ARPWatch Logs
4. PFSense + Splunk - Security on the cheap - Parsing Snort Logs
5. PFSense + Splunk - Security on the cheap - Parsing DHCP Server Logs

2 comments:

  1. This log entry does not parse well:

    Jan 4 10:28:10 dhcpd: DHCPRELEASE of 192.168.1.129 from 00:1e:3b:0b:f3:4b via sk1 (found)

    1. Try this

      source="YOUR_SPLUNK_SOURCE" | rex field=_raw "\sdhcpd:\s(?<dhcpd_message>\S+)\sof\s(?<IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\sfrom\s(?<mac_address>\S+)\svia\s(?<interface>\S+)" | stats count by dhcpd_message, IP, mac_address, interface

      The above should work without any issues based on the single log you sent me.

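The post's rex and the reply's DHCPRELEASE variant both lean on greedy `.*` to walk from the message type to the interface, which is why a trailing "(found)" can end up captured as the interface and why messages without an IP (DHCPDISCOVER) never reach the panel. The script below is an added example, not code from the post or its commenters: it applies the same four-field extraction to a handful of constructed dhcpd lines (Python's `(?P<name>...)` group syntax stands in for Splunk's `(?<name>...)`), anchors on dhcpd's own keywords ("on"/"for"/"of", "to"/"from", "via") instead of `.*`, and emulates `stats count by`, including Splunk's behaviour of leaving out any event whose by-field is null. The optional "(hostname)" after the MAC is an assumption about dhcpd's output and does not appear on the page.

```python
import re
from collections import Counter

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"

# Keyword-anchored version of the post's rex. Anchoring on dhcpd's wording instead of
# greedy ".*" means trailing text such as "(found)" cannot be captured as the interface.
DHCPD_RE = re.compile(
    r"dhcpd:\s(?P<dhcp_message>DHCP[A-Z]+)"
    r"(?:\s(?:on|for|of)\s(?P<ip_address>" + IPV4 + r"))?"  # no IP in DHCPDISCOVER
    r"\s(?:to|from)\s(?P<mac_address>" + MAC + r")"
    r"(?:\s\([^)]*\))?"                # optional "(hostname)" after the MAC (assumption)
    r"\svia\s(?P<interface>[^\s(]+)"   # stops before a trailing " (found)"
)

# Same by-fields as the post's "stats count by ip_address, dhcp_message, mac_address, interface".
BY_FIELDS = ("ip_address", "dhcp_message", "mac_address", "interface")

# Constructed sample events in the syslog-header + "dhcpd:" shape shown in the post
# (not taken from the post's results). The last line is a non-dhcpd event on purpose.
SAMPLE_LOGS = [
    "May  2 20:15:14 192.168.0.1 May  3 00:15:06 dhcpd: DHCPACK on 192.168.0.14 to cc:55:ad:1a:2b:c5 via dc0",
    "May  2 20:15:14 192.168.0.1 May  3 00:15:06 dhcpd: DHCPREQUEST for 192.168.0.14 from cc:55:ad:1a:2b:c5 (laptop) via dc0",
    "May  2 20:15:20 192.168.0.1 May  3 00:15:12 dhcpd: DHCPACK on 192.168.0.14 to cc:55:ad:1a:2b:c5 via dc0",
    "Jan  4 10:28:10 192.168.1.1 Jan  4 10:28:10 dhcpd: DHCPRELEASE of 192.168.1.129 from 00:1e:3b:0b:f3:4b via sk1 (found)",
    "Jan  4 10:28:12 192.168.1.1 Jan  4 10:28:12 dhcpd: DHCPDISCOVER from 00:1e:3b:0b:f3:4b via sk1",
    "Jan  4 10:28:12 192.168.1.1 Jan  4 10:28:12 dhcpd: DHCPOFFER on 192.168.1.129 to 00:1e:3b:0b:f3:4b via sk1",
    "Jan  4 10:28:13 192.168.1.1 Jan  4 10:28:13 arpwatch: new station 192.168.1.129 00:1e:3b:0b:f3:4b sk1",
]


def parse_dhcpd_line(line):
    """Return the extracted fields for one syslog line, or None if it is not a dhcpd event.

    Fields that the message type does not carry (ip_address for DHCPDISCOVER) are None.
    """
    m = DHCPD_RE.search(line)
    return m.groupdict() if m else None


def stats_count_by(lines, fields=BY_FIELDS):
    """Emulate "| stats count by <fields>" over raw lines.

    As in Splunk, an event that lacks any of the by-fields is left out of the table,
    so DHCPDISCOVER events (no IP yet) silently vanish from the panel unless you
    fillnull first. Returns (counts, unparsed_lines, dropped_events) so the gap is visible.
    """
    counts = Counter()
    unparsed, dropped = [], []
    for line in lines:
        event = parse_dhcpd_line(line)
        if event is None:
            unparsed.append(line)
            continue
        if any(event[f] is None for f in fields):
            dropped.append(event)
            continue
        counts[tuple(event[f] for f in fields)] += 1
    return counts, unparsed, dropped


if __name__ == "__main__":
    counts, unparsed, dropped = stats_count_by(SAMPLE_LOGS)
    for key, n in sorted(counts.items()):
        print(n, *key)
    print(f"{len(dropped)} event(s) dropped for a null by-field, {len(unparsed)} line(s) not dhcpd")
```

Running it prints one row per distinct (ip, message, mac, interface) tuple, with the DHCPRELEASE row showing interface "sk1" rather than "(found)", and reports the one DHCPDISCOVER event that the stats table would have dropped; counting that dropped set is a cheap way to notice when a dashboard panel is quietly under-reporting.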