ISC dhcpd

ISC dhcpd is a DHCP server that assigns dynamic IP addresses to hosts on a network.

Before You Begin

ISC dhcpd can produce syslog output. You must configure this service to send its logs to the InsightIDR Collector via rsyslog; the Syslog Logging page describes how to do so.

If you use Splunk to collect and aggregate these logs, see the setup documentation at https://docs.splunk.com/Documentation/AddOns/released/ISCDHCP/Setup.

Expected Log Format

InsightIDR expects the following format when parsing the syslog:

<182>Mar 30 08:52:44 charcoal dhcpd: DHCPACK on 10.205.95.222 to f0:92:1c:d7:81:34 (hostname.company.com) via eth0
<182>Mar 30 08:52:44 charcoal dhcpd: DHCPRELEASE of 10.10.4.125 from 13:e7:28:32:a5:2c (hostname.company.com) via eth0 (found)
<182>Mar 30 08:52:44 charcoal dhcpd: Added new forward map from hostname.company.com to 10.1.95.241
<182>Mar 30 08:52:44 charcoal dhcpd: Removed forward map from hostname.company.com to 192.168.2.1
<182>Mar 30 08:52:44 charcoal dhcpd: DHCPREQUEST for 10.118.209.247 from 00:26:c6:6b:44:32 (hostname.company.com) via 10.118.208.4 (RENEW)
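
The following Python check is an added example, not InsightIDR's own parser and not part of the original page: it tests whether a syslog line fits the five sample shapes above and extracts the fields, so dhcpd output that differs from them can be spotted before it is sent to the Collector. The regular expressions, the function name `parse_line` and the third sample line are assumptions constructed for illustration.

```python
import ipaddress
import re

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
MAC = r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}"
# <PRI>Mon DD HH:MM:SS host dhcpd: message  (header shape of the samples above)
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) dhcpd: (?P<msg>.*)$"
)
# Lease events: DHCPACK on/to, DHCPRELEASE of/from, DHCPREQUEST for/from.
# The "(hostname)" and trailing "(note)" groups are treated as optional (assumption).
LEASE = re.compile(
    rf"^(?P<event>DHCPACK|DHCPRELEASE|DHCPREQUEST) (?:on|of|for) (?P<ip>{IP}) "
    rf"(?:to|from) (?P<mac>{MAC})(?: \((?P<name>[^)]*)\))? via (?P<via>\S+)"
    rf"(?: \((?P<note>[^)]*)\))?$"
)
# DNS update events: "Added new forward map" / "Removed forward map".
FWD_MAP = re.compile(
    rf"^(?P<event>Added new|Removed) forward map from (?P<name>\S+) to (?P<ip>{IP})$"
)

def parse_line(line):
    """Return a dict of fields, or None if the line does not fit the sample shapes."""
    head = HEADER.match(line.strip())
    if not head:
        return None
    body = LEASE.match(head["msg"]) or FWD_MAP.match(head["msg"])
    if not body:
        return None
    try:
        ipaddress.ip_address(body["ip"])  # reject octets above 255
    except ValueError:
        return None
    pri = int(head["pri"])  # syslog PRI = facility * 8 + severity
    rec = {"facility": pri // 8, "severity": pri % 8,
           "timestamp": head["ts"], "host": head["host"]}
    rec.update({k: v for k, v in body.groupdict().items() if v is not None})
    return rec

# Constructed input: two lines copied from the samples above, plus one line in a
# shape that is not among the five samples.
SAMPLES = [
    "<182>Mar 30 08:52:44 charcoal dhcpd: DHCPACK on 10.205.95.222 to f0:92:1c:d7:81:34 (hostname.company.com) via eth0",
    "<182>Mar 30 08:52:44 charcoal dhcpd: Removed forward map from hostname.company.com to 192.168.2.1",
    "<182>Mar 30 08:52:44 charcoal dhcpd: DHCPDISCOVER from f0:92:1c:d7:81:34 via eth0",
]
if __name__ == "__main__":
    for s in SAMPLES:
        print(parse_line(s) or f"NO MATCH: {s}")
```

The `<182>` priority in the samples decodes to facility 22 (local6) and severity 6 (informational), which is a quick way to confirm that the lines reaching the Collector come from the dhcpd logging facility you configured.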

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for ISC dhcpd in the event sources search bar.
    • In the Product Type filter, select DHCP.
  3. Select the ISC dhcpd event source tile.
  4. Choose your collector. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unparsed logs.
  7. Configure any Advanced Event Source Settings.
  8. Configure the inactivity timeout threshold in minutes.
  9. Select Listen on Network Port and specify a port and a protocol.
  10. Optionally, if you chose TCP, choose to Encrypt the event source by downloading the Rapid7 Certificate.
  11. Click Save.