Continuing with the Splunk dashboards, let's add a panel for parsed DHCP server logs.
Sample DHCP Server Message:
May 2 20:15:14 192.168.0.1 May 3 00:15:06 dhcpd: DHCPACK on 192.168.0.14 to cc:55:ad:1a:2b:c5 via dc0
Our Search Filter:
"dhcpd:" | rex field=_raw "dhcpd:\s(?<dhcp_message>[A-Za-z]*).*\s(?<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*\s(?<mac_address>[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2}).*\s(?<interface>.*)" | stats count by ip_address, dhcp_message, mac_address, interface
Our Results:
As in the previous posts in this series, monitoring your DHCP activity adds context to what is on your network (which MAC addresses are requesting leases, on which interface, and which IP addresses they are handed), putting you in a better position to decide how to move forward.
In this series:
1. PFSense + Splunk - Security on the cheap
2. PFSense + Splunk - Security on the cheap - Parsing Firewall logs
3. PFSense + Splunk - Security on the cheap - Parsing ARPWatch Logs
4. PFSense + Splunk - Security on the cheap - Parsing Snort Logs
5. PFSense + Splunk - Security on the cheap - Parsing DHCP Server Logs
This log entry does not parse well:
Jan 4 10:28:10 dhcpd: DHCPRELEASE of 192.168.1.129 from 00:1e:3b:0b:f3:4b via sk1 (found)
Try this
source="YOUR_SPLUNK_SOURCE" | rex field=_raw "\sdhcpd:\s(?<dhcpd_message>\S+)\sof\s(?<IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\sfrom\s(?<mac_address>\S+)\svia\s(?<interface>\S+)" | stats count by dhcpd_message, IP, mac_address, interface
The above should work without any issues based on the single log you sent me.
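The following is an added example, not code from the post or from the comment thread above, that runs the post's `rex` pattern and a tightened alternative over a handful of constructed dhcpd lines (the DHCPACK line from the post, the DHCPRELEASE line from the comment, and DHCPOFFER/DHCPREQUEST/DHCPDISCOVER lines in the same ISC dhcpd format; none are real captures). Python's `re` module spells named groups `(?P<name>...)` where Splunk's `rex` uses `(?<name>...)`; the patterns are otherwise the same. The function names `parse_dhcpd` and `stats_count_by` are this example's own. It shows two things the `stats count by` panel hides: with the post's pattern, a DHCPDISCOVER line (which carries no IP address) never matches and silently disappears from the panel, and the DHCPRELEASE line ends up with `(found)` in the `interface` field.

```python
import re
from collections import Counter

# Constructed sample lines in ISC dhcpd's log format, as relayed through pfSense syslog.
# They are not real captures; the MAC and IP values are made up.
SAMPLE_LOGS = [
    "May 2 20:15:14 192.168.0.1 May 3 00:15:06 dhcpd: DHCPDISCOVER from cc:55:ad:1a:2b:c5 via dc0",
    "May 2 20:15:14 192.168.0.1 May 3 00:15:06 dhcpd: DHCPOFFER on 192.168.0.14 to cc:55:ad:1a:2b:c5 via dc0",
    "May 2 20:15:14 192.168.0.1 May 3 00:15:06 dhcpd: DHCPREQUEST for 192.168.0.14 from cc:55:ad:1a:2b:c5 via dc0",
    "May 2 20:15:14 192.168.0.1 May 3 00:15:06 dhcpd: DHCPACK on 192.168.0.14 to cc:55:ad:1a:2b:c5 via dc0",
    "Jan 4 10:28:10 dhcpd: DHCPRELEASE of 192.168.1.129 from 00:1e:3b:0b:f3:4b via sk1 (found)",
]

# The post's rex pattern, translated to Python named-group syntax. The greedy ".*" segments
# mean every field is located by backtracking from the right, and an IP address is mandatory.
POST_REGEX = re.compile(
    r"dhcpd:\s(?P<dhcp_message>[A-Za-z]*)"
    r".*\s(?P<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
    r".*\s(?P<mac_address>[A-Fa-f0-9]{2}(?::[A-Fa-f0-9]{2}){5})"  # same as the post's six-octet form
    r".*\s(?P<interface>.*)"
)

# Tightened pattern: anchors on dhcpd's own keywords (on/for/of, to/from, via), makes the
# IP address optional so DHCPDISCOVER still matches, tolerates an optional "(hostname)"
# after the MAC, and captures the interface as a single token so trailing text such as
# "(found)" is left alone. It still requires a MAC address.
DHCPD_REGEX = re.compile(
    r"dhcpd:\s(?P<dhcp_message>DHCP[A-Z]+)"
    r"(?:\s(?:on|for|of)\s(?P<ip_address>\d{1,3}(?:\.\d{1,3}){3}))?"
    r"\s(?:to|from)\s(?P<mac_address>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?:\s\([^)]*\))?"
    r"\svia\s(?P<interface>\S+)",
    re.IGNORECASE,
)


def parse_dhcpd(line, regex=DHCPD_REGEX):
    """Return the extracted fields as a dict, or None when the line does not match.

    Unmatched optional groups come back as None, which is the Python analogue of a
    Splunk event that simply lacks the field.
    """
    match = regex.search(line)
    return match.groupdict() if match else None


def stats_count_by(lines, regex=DHCPD_REGEX):
    """Rough equivalent of `stats count by ip_address, dhcp_message, mac_address, interface`.

    Returns (counts, unmatched). Lines the regex rejects are collected instead of being
    dropped, so the panel's blind spot is visible.
    """
    counts = Counter()
    unmatched = []
    for line in lines:
        fields = parse_dhcpd(line, regex)
        if fields is None:
            unmatched.append(line)
            continue
        key = (
            fields["ip_address"],
            fields["dhcp_message"].upper(),
            fields["mac_address"].lower(),
            fields["interface"],
        )
        counts[key] += 1
    return counts, unmatched


if __name__ == "__main__":
    for name, regex in (("post", POST_REGEX), ("tightened", DHCPD_REGEX)):
        counts, unmatched = stats_count_by(SAMPLE_LOGS, regex)
        print(f"== {name} pattern: {len(unmatched)} unmatched line(s)")
        for key, count in sorted(counts.items(), key=str):
            print(count, key)
```

Two Splunk-side consequences follow from the run. First, `stats count by` excludes an event whose by-field is missing, so even with a pattern that matches DHCPDISCOVER the row vanishes unless you add `| fillnull value=NULL ip_address` before the `stats`. Second, a regex that matches but captures the wrong token (the `(found)` case) corrupts the grouping rather than failing loudly; anchoring on dhcpd's keywords and capturing `\S+` rather than `.*` avoids that.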