Comments on "Learning by practicing: PFSense + Splunk - Security on the cheap - Parsing DHCP Server Logs" (blog by Nik Alleyne, MSc | CISSP | GC|IA|IH|REM|PEN)

Anonymous, 2016-01-04 00:29 (-08:00):

This log entry does not parse well:

Jan 4 10:28:10 dhcpd: DHCPRELEASE of 192.168.1.129 from 00:1e:3b:0b:f3:4b via sk1 (found)

Nik Alleyne, 2016-01-04 18:29 (-08:00):

Try this

source="YOUR_SPLUNK_SOURCE" | rex field=_raw "\sdhcpd:\s(?<dhcpd_message>.*?\s)of\s(?<IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\sfrom\s(?<mac_address>.*?)\s?via\s(?<interface>.*?\s)" | stats count by dhcpd_message, IP, mac_address, interface

The above should work without any issues based on the single log you sent me.