successful lease event trigger

Frank Sweetser fs at WPI.EDU
Thu Jun 11 11:51:29 UTC 2009

Terry L. Inzauro wrote:

> I am trying to derive a method of retaining the MAC/IP combinations (and
> maybe other information) for all successful leases for compliance and
> auditing purposes.  Basically, in the public sector, I have to be able to
> tell law enforcement who (which MAC address) had obtained an address and at
> what time (to the best of my knowledge).
> At first I envisioned a script being run upon a successful lease that would
> log various info to SQL or something like that. I thought this method would
> be possible based on the section called 'REFERENCE: EVENTS' (in man 5
> dhcpd.conf) but I am finding a lack of documentation or examples on that
> particular subject.
> Perhaps I am making something out of nothing. Is this problem simply a
> matter of tuning syslog-ng to log all DHCPD related messages to a log that is
> later archived indefinitely?

I use the syslog method, with this config block in my dhcpd config:

on commit {
  if (static) {
    # Fixed-address lease: log the name of the matching host declaration.
    log (info, concat (
      "DHCPNETMON ",
      binary-to-ascii (10,32,"",encode-int (lease-time,32))," ",
      substring (binary-to-ascii (16,8,":",hardware), 2,17)," ",
      binary-to-ascii (10,8,".",leased-address)," ",
      pick-first-value(host-decl-name, "(none)"),
      " static"));
  } else {
    # Pool lease: log the DDNS forward name, if one was set.
    log (info, concat (
      "DHCPNETMON ",
      binary-to-ascii (10,32,"",encode-int (lease-time,32))," ",
      substring (binary-to-ascii (16,8,":",hardware), 2,17)," ",
      binary-to-ascii (10,8,".",leased-address), " ",
      pick-first-value(ddns-fwd-name, "(none)"),
      " dynamic"));
  }
}

This gets both static and dynamic leases, and also lets me filter on exactly 
the log messages that I want via the DHCPNETMON tag (easy enough to change to 
something more meaningful in your environment, of course).

You should be aware, though, that this only tells you what address was 
assigned to a host, not necessarily what address was actually in use by any 
given host.  Other factors, such as static configurations and rogue DHCP 
servers, can make reality out of sync with your records.  I'd highly recommend 
that you look into some way of tracking ARP tables on your routers as well, so 
that you have a record of what was actually in use.

Frank Sweetser fs at  |  For every problem, there is a solution that
WPI Senior Network Engineer   |  is simple, elegant, and wrong. - HL Mencken
     GPG fingerprint = 6174 1257 129E 0D21 D8D4  E8A3 8E39 29E3 E2E8 8CEC
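
Added example, not part of the original post: a Python sketch that turns archived DHCPNETMON syslog lines into records and answers "which MAC held this address at this time". It assumes each line starts with an ISO 8601 timestamp, a hostname and a "dhcpd" program tag; the function names and the sample log are constructed for illustration. binary-to-ascii does not zero-pad octets, so the MAC is normalized before it is stored or compared.

```python
import re
from datetime import datetime, timedelta

# Message body as produced by the "on commit" block above; the syslog
# prefix (ISO 8601 timestamp, host, "dhcpd" tag) is an assumption.
LEASE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ dhcpd(?:\[\d+\])?: DHCPNETMON "
    r"(?P<secs>\d+) (?P<mac>[0-9a-fA-F:]+) (?P<ip>[\d.]+) "
    r"(?P<name>\S+) (?P<kind>static|dynamic)$"
)

def normalize_mac(mac):
    """Pad each octet to two hex digits: 0:1a:2b:3:4d:5e -> 00:1a:2b:03:4d:5e."""
    octets = mac.split(":")
    if len(octets) != 6 or not all(1 <= len(o) <= 2 for o in octets):
        raise ValueError(f"not an Ethernet MAC: {mac!r}")
    return ":".join(o.zfill(2).lower() for o in octets)

def parse_line(line):
    """Return a lease record dict, or None for any non-DHCPNETMON line."""
    m = LEASE_RE.match(line.strip())
    if m is None:
        return None
    start = datetime.fromisoformat(m["ts"])
    return {
        "start": start,
        "end": start + timedelta(seconds=int(m["secs"])),
        "mac": normalize_mac(m["mac"]),
        "ip": m["ip"],
        "name": m["name"],
        "kind": m["kind"],
    }

def holder_at(records, ip, when):
    """Most recent record whose lease interval for `ip` covers `when`, else None."""
    hits = [r for r in records if r["ip"] == ip and r["start"] <= when < r["end"]]
    return max(hits, key=lambda r: r["start"], default=None)

# Constructed sample log lines, not real data.
SAMPLE_LOG = """\
2009-06-11T11:51:29+00:00 dhcp1 dhcpd: DHCPNETMON 3600 0:1a:2b:3:4d:5e 10.0.0.5 laptop1 dynamic
2009-06-11T11:52:00+00:00 dhcp1 dhcpd: DHCPACK on 10.0.0.5 to 00:1a:2b:03:4d:5e via eth0
2009-06-11T12:10:00+00:00 dhcp1 dhcpd: DHCPNETMON 3600 8:0:27:aa:bb:c 10.0.0.9 (none) static
2009-06-11T13:30:00+00:00 dhcp1 dhcpd: DHCPNETMON 3600 0:50:56:1:2:3 10.0.0.5 laptop2 dynamic
"""

RECORDS = [r for r in map(parse_line, SAMPLE_LOG.splitlines()) if r]
```

A None result from holder_at means no logged lease covered that moment; as the post notes, the address may still have been in use, which is what router ARP records would show.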

More information about the dhcp-users mailing list