ISC dhcpd

ISC dhcpd is the Internet Systems Consortium's DHCP server; it assigns dynamic IP addresses to hosts on a network.

Before You Begin

ISC dhcpd can write its logs to syslog. You must configure this service to send its logs to the InsightIDR Collector via rsyslog; read about how to do so on the Syslog Logging page.

If you use Splunk to collect and aggregate these logs, see the documentation to do so here: https://docs.splunk.com/Documentation/AddOns/released/ISCDHCP/Setup.

Expected Log Format

InsightIDR expects the following format when parsing the syslog:

<182>Mar 30 08:52:44 charcoal dhcpd: DHCPACK on 10.205.95.222 to f0:92:1c:d7:81:34 (hostname.company.com) via eth0
<182>Mar 30 08:52:44 charcoal dhcpd: DHCPRELEASE of 10.10.4.125 from 13:e7:28:32:a5:2c (hostname.company.com) via eth0 (found)
<182>Mar 30 08:52:44 charcoal dhcpd: Added new forward map from hostname.company.com to 10.1.95.241
<182>Mar 30 08:52:44 charcoal dhcpd: Removed forward map from hostname.company.com to 192.168.2.1
<182>Mar 30 08:52:44 charcoal dhcpd: DHCPREQUEST for 10.118.209.247 from 00:26:c6:6b:44:32 (hostname.company.com) via 10.118.208.4 (RENEW)
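The following parser is an added example, not InsightIDR's own parsing code: it shows what a collector has to extract from lines in the format above (syslog PRI, timestamp, host, program tag, and the per-message-type fields) and folds DHCPACK/DHCPRELEASE events into a MAC-to-IP lease table, which is the IP-to-asset attribution a SIEM derives from DHCP logs. The sample lines are constructed copies of the five formats shown above; the message patterns also accept lines where dhcpd omits the parenthesised hostname or appends a PID to its tag, which is an assumption about dhcpd's output rather than something the page states.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input, matching the five formats the page lists.
SAMPLE_LINES = [
    "<182>Mar 30 08:52:44 charcoal dhcpd: DHCPACK on 10.205.95.222 to f0:92:1c:d7:81:34 (hostname.company.com) via eth0",
    "<182>Mar 30 08:52:44 charcoal dhcpd: DHCPRELEASE of 10.10.4.125 from 13:e7:28:32:a5:2c (hostname.company.com) via eth0 (found)",
    "<182>Mar 30 08:52:44 charcoal dhcpd: Added new forward map from hostname.company.com to 10.1.95.241",
    "<182>Mar 30 08:52:44 charcoal dhcpd: Removed forward map from hostname.company.com to 192.168.2.1",
    "<182>Mar 30 08:52:44 charcoal dhcpd: DHCPREQUEST for 10.118.209.247 from 00:26:c6:6b:44:32 (hostname.company.com) via 10.118.208.4 (RENEW)",
]

# BSD-syslog style header: <PRI>Mmm dd HH:MM:SS host tag[pid]: message
# Note the timestamp carries neither a year nor a timezone, which is why the
# event source asks you to pick the timezone of the log origin.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s\[]+)(?:\[\d+\])?: "   # optional [pid] is an assumption
    r"(?P<msg>.*)$"
)

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
HOSTNAME = r"(?: \((?P<hostname>[^)]*)\))?"      # optional "(hostname)" part
NOTE = r"(?: \((?P<note>[^)]*)\))?"              # optional trailing "(found)" / "(RENEW)"

# One pattern per message type; the group names become the event's fields.
MSG_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("DHCPACK", re.compile(rf"^DHCPACK on (?P<ip>{IP}) to (?P<mac>{MAC}){HOSTNAME} via (?P<iface>\S+)")),
    ("DHCPRELEASE", re.compile(rf"^DHCPRELEASE of (?P<ip>{IP}) from (?P<mac>{MAC}){HOSTNAME} via (?P<iface>\S+){NOTE}")),
    ("DHCPREQUEST", re.compile(rf"^DHCPREQUEST for (?P<ip>{IP}) from (?P<mac>{MAC}){HOSTNAME} via (?P<iface>\S+){NOTE}")),
    ("FORWARD_MAP_ADDED", re.compile(rf"^Added new forward map from (?P<hostname>\S+) to (?P<ip>{IP})")),
    ("FORWARD_MAP_REMOVED", re.compile(rf"^Removed forward map from (?P<hostname>\S+) to (?P<ip>{IP})")),
]


@dataclass
class DhcpEvent:
    facility: int        # PRI // 8  (182 -> 22, local6)
    severity: int        # PRI % 8   (182 -> 6, informational)
    timestamp: str
    host: str
    event_type: str
    fields: Dict[str, str]


def parse_line(line: str) -> Optional[DhcpEvent]:
    """Parse one dhcpd syslog line; return None for non-syslog or non-dhcpd lines."""
    m = HEADER_RE.match(line.strip())
    if not m or m.group("tag") != "dhcpd":
        return None
    pri = int(m.group("pri"))
    facility, severity = pri >> 3, pri & 7
    msg = m.group("msg")
    for event_type, pattern in MSG_PATTERNS:
        mm = pattern.match(msg)
        if mm:
            fields = {k: v for k, v in mm.groupdict().items() if v is not None}
            return DhcpEvent(facility, severity, m.group("ts"), m.group("host"), event_type, fields)
    # Keep unknown dhcpd messages rather than dropping them silently.
    return DhcpEvent(facility, severity, m.group("ts"), m.group("host"), "UNPARSED", {"message": msg})


def lease_table(lines: List[str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Fold ACK/RELEASE events into MAC -> (ip, hostname), the asset attribution a SIEM builds."""
    leases: Dict[str, Tuple[str, Optional[str]]] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.event_type == "DHCPACK":
            leases[ev.fields["mac"]] = (ev.fields["ip"], ev.fields.get("hostname"))
        elif ev.event_type == "DHCPRELEASE":
            leases.pop(ev.fields["mac"], None)
    return leases


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
    print(lease_table(SAMPLE_LINES))
```

Lines whose tag is not dhcpd are rejected rather than parsed, so a collector port shared with other programs does not produce bogus DHCP events; dhcpd messages the patterns do not know are kept as UNPARSED so they remain visible in the raw log stream.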

How to Configure This Event Source

  1. From your dashboard, select Data Collection on the left-hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the DHCP icon. The “Add Event Source” panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unfiltered logs.
  7. Configure any Advanced Event Source Settings.
  8. Configure inactivity timeout threshold in minutes.
  9. Select Listen for Syslog and specify a port and a protocol.
    • Optionally choose to Encrypt the event source if choosing TCP by downloading the Rapid7 Certificate.
  10. Click Save.