ISC dhcpd is the DHCP server daemon from the Internet Systems Consortium; it hands out dynamic IP address leases to hosts on a network and logs every lease transaction, which is what makes it useful for tying an IP address seen in other logs back to a MAC address and hostname.
Before You Begin
ISC dhcpd logs to syslog. You must configure the host running dhcpd to forward those logs to the InsightIDR Collector via rsyslog; see the Syslog Logging page for how to do so.
If you use Splunk to collect and aggregate these logs, see the documentation to do so here: https://docs.splunk.com/Documentation/AddOns/released/ISCDHCP/Setup.
Expected Log Format
InsightIDR expects the following format when parsing the syslog:
<182>Mar 30 08:52:44 charcoal dhcpd: DHCPACK on 10.205.95.222 to f0:92:1c:d7:81:34 (hostname.company.com) via eth0
<182>Mar 30 08:52:44 charcoal dhcpd: DHCPRELEASE of 10.10.4.125 from 13:e7:28:32:a5:2c (hostname.company.com) via eth0 (found)
<182>Mar 30 08:52:44 charcoal dhcpd: Added new forward map from hostname.company.com to 10.1.95.241
<182>Mar 30 08:52:44 charcoal dhcpd: Removed forward map from hostname.company.com to 192.168.2.1
<182>Mar 30 08:52:44 charcoal dhcpd: DHCPREQUEST for 10.118.209.247 from 00:26:c6:6b:44:32 (hostname.company.com) via 10.118.208.4 (RENEW)
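The parser below is an added example, not code from this page, from Rapid7, or from ISC. It runs the five sample lines above through the shape InsightIDR expects: an RFC 3164 header (priority, timestamp, host, program tag) followed by the dhcpd message. It decodes the priority (182 is facility local6, severity info), extracts the lease fields, flags lines whose header would not match (a constructed RFC 5424 line is included to show that), and replays DHCPACK/DHCPRELEASE events into the IP-to-MAC table an analyst needs during an investigation. The RFC 5424 line, the DHCPDISCOVER handling and the sshd line in the usage are assumptions added for illustration.

```python
"""Parse ISC dhcpd syslog lines in the RFC 3164 format InsightIDR expects.

Added example; not the page's, Rapid7's or ISC's own code.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The five sample lines from the "Expected Log Format" section of the page.
SAMPLE_LINES = [
    "<182>Mar 30 08:52:44 charcoal dhcpd: DHCPACK on 10.205.95.222 to f0:92:1c:d7:81:34 (hostname.company.com) via eth0",
    "<182>Mar 30 08:52:44 charcoal dhcpd: DHCPRELEASE of 10.10.4.125 from 13:e7:28:32:a5:2c (hostname.company.com) via eth0 (found)",
    "<182>Mar 30 08:52:44 charcoal dhcpd: Added new forward map from hostname.company.com to 10.1.95.241",
    "<182>Mar 30 08:52:44 charcoal dhcpd: Removed forward map from hostname.company.com to 192.168.2.1",
    "<182>Mar 30 08:52:44 charcoal dhcpd: DHCPREQUEST for 10.118.209.247 from 00:26:c6:6b:44:32 (hostname.company.com) via 10.118.208.4 (RENEW)",
]

# Constructed line (not from the page): the same event with an RFC 5424 header,
# which is what you get if rsyslog is told to forward with a 5424 template.
RFC5424_LINE = "<182>1 2024-03-30T08:52:44Z charcoal dhcpd - - - DHCPACK on 10.205.95.222 to f0:92:1c:d7:81:34 via eth0"

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"

# <PRI>Mon DD HH:MM:SS host tag[pid]: message  (RFC 3164; the day may be space-padded)
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# DHCPACK/DHCPOFFER on IP to MAC, DHCPRELEASE of IP from MAC, DHCPREQUEST for IP from MAC,
# and DHCPDISCOVER from MAC (no IP). The "(hostname)" and trailing "(note)" parts are optional.
LEASE_RE = re.compile(
    rf"^(?P<type>DHCP[A-Z]+) (?:(?:on|of|for) (?P<ip>{IP}) (?:to|from)|from) (?P<mac>{MAC})"
    r"(?: \((?P<hostname>[^)]*)\))? via (?P<via>\S+)(?: \((?P<extra>[^)]*)\))?$",
    re.IGNORECASE,
)
MAP_RE = re.compile(rf"^(?P<action>Added new|Removed) forward map from (?P<fqdn>\S+) to (?P<ip>{IP})$")


@dataclass
class DhcpEvent:
    facility: str
    severity: int
    timestamp: str
    host: str
    event_type: str  # DHCPACK, DHCPRELEASE, ..., FORWARD_MAP_ADDED, FORWARD_MAP_REMOVED, OTHER
    ip: Optional[str] = None
    mac: Optional[str] = None
    hostname: Optional[str] = None
    via: Optional[str] = None
    extra: Optional[str] = None
    message: str = ""


def parse_line(line: str) -> Optional[DhcpEvent]:
    """Return a DhcpEvent for an RFC 3164 dhcpd line; None if the header does not match
    the expected format or the line came from another program."""
    m = HEADER_RE.match(line.strip())
    if not m or m["prog"] != "dhcpd":
        return None
    pri = int(m["pri"])
    facility = FACILITIES[pri >> 3] if (pri >> 3) < len(FACILITIES) else str(pri >> 3)
    ev = DhcpEvent(facility=facility, severity=pri & 7, timestamp=m["ts"],
                   host=m["host"], event_type="OTHER", message=m["msg"])
    lm = LEASE_RE.match(ev.message)
    if lm:
        ev.event_type = lm["type"].upper()
        ev.ip, ev.mac, ev.hostname, ev.via, ev.extra = (
            lm["ip"], lm["mac"].lower(), lm["hostname"], lm["via"], lm["extra"])
        return ev
    mm = MAP_RE.match(ev.message)
    if mm:
        ev.event_type = "FORWARD_MAP_ADDED" if mm["action"] == "Added new" else "FORWARD_MAP_REMOVED"
        ev.ip, ev.hostname = mm["ip"], mm["fqdn"]
    return ev


def unparseable(lines: List[str]) -> List[str]:
    """Pre-flight check: lines whose header the expected format will not match."""
    return [l for l in lines if HEADER_RE.match(l.strip()) is None]


def lease_table(lines: List[str]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Replay DHCPACK/DHCPRELEASE events into ip -> (mac, hostname): the mapping needed to
    attribute an IP address seen in firewall or proxy logs to a device."""
    table: Dict[str, Tuple[Optional[str], Optional[str]]] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.ip is None:
            continue
        if ev.event_type == "DHCPACK":
            table[ev.ip] = (ev.mac, ev.hostname)
        elif ev.event_type == "DHCPRELEASE":
            table.pop(ev.ip, None)
    return table


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_line(sample))
    print("unparseable:", unparseable(SAMPLE_LINES + [RFC5424_LINE]))
    print("leases:", lease_table(SAMPLE_LINES))
```

Two things worth checking against your own server before pointing rsyslog at the Collector: the priority value, and the header shape. The samples carry <182>, which decodes to local6.info; dhcpd's default facility is daemon, so with no log-facility statement in dhcpd.conf the same messages arrive as <30>, and an rsyslog selector written for local6 will silently forward nothing. If rsyslog is forwarding with an RFC 5424 template, the header no longer matches the expected format, which is what the constructed RFC5424_LINE shows.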
How to Configure This Event Source
- From your dashboard, select Data Collection on the left-hand menu.
- When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
- From the “Security Data” section, click the DHCP icon. The “Add Event Source” panel appears.
- Choose your collector and event source type. You can also give the event source a name.
- Choose the timezone that matches the location of your event source logs.
- Optionally choose to send unfiltered logs.
- Configure any Advanced Event Source Settings.
- Set the inactivity timeout threshold in minutes.
- Select Listen for Syslog and specify a port and a protocol.
- If you chose TCP, optionally encrypt the event source by downloading the Rapid7 certificate. Syslog over UDP is neither encrypted nor authenticated, so prefer TCP with encryption wherever the path between the DHCP server and the Collector is not trusted.
- Click Save.