Explicitly log lease expiration
Nicolas C.
dhcp at nryc.fr
Thu Jan 31 19:15:47 UTC 2013
On 30/01/2013 17:57, James M Keller wrote:
> On 1/29/2013 12:23 PM, James M Keller wrote:
>> All,
>>
>> I am moving our DHCP infrastructure off MS DHCP and onto ISC BIND based
>> appliances. One of the issues was getting our internal security
>> auditing tools re-integrated with the log feed from ISC DHCPD vs
>> Windows. The only outstanding issue is Windows was explicitly logging
>> the lease expiration in the log which was used for correlation by our
>> SOC. Right now with the default syslog settings we get all the DHCP
>> packet events (DISCOVER, REQUEST, INFORM, RELEASE, ACK, NACK, etc) but
>> not an internal operation like the lease expiring. Is this possible in
>> the stock builds?
>>
>> Thanks in advance.
>>
>
> So I got some off-list responses that helped, I also tried to get a
> custom log going but I'm not getting any log entries. Based on another
> example I found I wrapped this in a class with an always true match if
> expression. I'm not seeing any of these logs in syslog. I've also
> tried the same if/log block in a class that I know is matching already,
> and all the other dhcpd logs are in syslog as expected...
>
> Any suggestions?

Maybe "on expiry" { } can help you?
https://gist.github.com/2224765

Be careful, I'm not sure the given example works, as I recall
"leased-address" and "hardware" aren't available "on expiry":
https://lists.isc.org/pipermail/dhcp-users/2012-May/015434.html

Nicolas
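
An added illustration of the "on expiry" approach suggested above (not from this thread or the linked gist): because "leased-address" and "hardware" may not be usable when the expiry event runs, this dhcpd.conf fragment captures them as lease variables on commit and logs the stored values on expiry and release. The variable names `auditip` and `auditmac` and the message text are hypothetical, and it assumes variables set on commit are still attached to the lease when the later events run.

```conf
# Added example; variable names and log message text are hypothetical.
# Place at global scope, or inside the subnet/pool whose leases are audited.

on commit {
    # leased-address and hardware are available at commit time, so store
    # them on the lease (they appear as "set" lines in dhcpd.leases).
    set auditip = binary-to-ascii(10, 8, ".", leased-address);
    # hardware is one type byte followed by the address; skip the type byte.
    # Note: base-16 output is not zero-padded (00:1a becomes 0:1a), so
    # normalise the MAC on the log-consumer side before correlating.
    set auditmac = binary-to-ascii(16, 8, ":", substring(hardware, 1, 6));
    log(info, concat("LEASE-COMMIT ip=", auditip, " mac=", auditmac));
}

on expiry {
    # Assumption: the variables stored at commit are readable here.
    # pick-first-value supplies a marker for leases that were committed
    # before this configuration was loaded and so carry no stored values.
    log(info, concat("LEASE-EXPIRED ip=",
                     pick-first-value(auditip, "unknown"),
                     " mac=",
                     pick-first-value(auditmac, "unknown")));
}

on release {
    # Explicit client release, logged in the same format so the SOC can
    # tell a release from a timeout when closing out an IP-to-MAC mapping.
    log(info, concat("LEASE-RELEASED ip=",
                     pick-first-value(auditip, "unknown"),
                     " mac=",
                     pick-first-value(auditmac, "unknown")));
}
```

The syntax can be checked with `dhcpd -t -cf` against the edited file before restarting the server; whether the expiry line actually appears in syslog should be confirmed with a short test lease.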