Explicitly log lease expiration

Nicolas C. dhcp at nryc.fr
Thu Jan 31 19:15:47 UTC 2013


On 30/01/2013 17:57, James M Keller wrote:
> On 1/29/2013 12:23 PM, James M Keller wrote:
>> All,
>>
>> I am moving our DHCP infrastructure off MS DHCP and onto ISC BIND based
>> appliances.   One of the issues was getting our internal security
>> auditing tools re-integrated with the log feed from ISC DHCPD vs
>> Windows.   The only outstanding issue is Windows was explicitly logging
>> the lease expiration in the log which was used for correlation by our
>> SOC.   Right now with the default syslog settings we get all the DHCP
>> packet events (DISCOVER, REQUEST, INFORM, RELEASE, ACK, NACK, etc) but
>> not an internal operation like the lease expiring.   Is this possible in
>> the stock builds?
>>
>> Thanks in advance.
>>
>
> So I got some off-list responses that helped, I also tried to get a
> custom log going but I'm not getting any log entries. Based on another
> example I found I wrapped this in a class with an always true match if
> expression.   I'm not seeing any of these logs in syslog.    I've also
> tried the same if/log block in a class that I know is matching already,
> and all the other dhcpd logs are in syslog as expected...
>
> Any suggestions?

Maybe "on expiry" { } can help you?

https://gist.github.com/2224765

Be careful, I'm not sure the given example works, as I recall
"leased-address" and "hardware" aren't available "on expiry":

https://lists.isc.org/pipermail/dhcp-users/2012-May/015434.html

Nicolas
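
Added example, not part of the message above or of the linked gist: one way to work around the caveat about "leased-address" and "hardware" is to save both with "set" in "on commit", while the client packet is available, and read them back in "on expiry". The variable names (leaseIp, leaseMac) and the LEASE-* log tags are hypothetical, and the sketch assumes dhcpd keeps "set" variables on the lease so they are still readable when it expires.

```conf
# dhcpd.conf fragment (ISC DHCP 4.x), global scope.
# Added illustration; names and log tags are made up for this example.
# Assumption: variables bound with "set" are stored with the lease and
# remain readable in "on expiry", where no client packet exists.

on commit {
    # A client packet is present here, so both expressions resolve.
    set leaseIp  = binary-to-ascii(10, 8, ".", leased-address);
    # substring(hardware, 1, 6) skips the leading hardware-type octet.
    # Octets are printed without leading zeros (0a shows up as "a").
    set leaseMac = binary-to-ascii(16, 8, ":", substring(hardware, 1, 6));

    log(info, concat("LEASE-COMMIT ip=", leaseIp, " mac=", leaseMac));
}

on expiry {
    # Timer-driven event: read the values saved at commit time.
    # pick-first-value falls back to "unknown" for leases that were
    # committed before this configuration was loaded.
    log(info, concat("LEASE-EXPIRY ip=",
                     pick-first-value(leaseIp, "unknown"),
                     " mac=",
                     pick-first-value(leaseMac, "unknown")));
}

on release {
    # Logged separately so correlation can tell a client-initiated
    # release apart from a lease that simply timed out.
    log(info, concat("LEASE-RELEASE ip=",
                     pick-first-value(leaseIp, "unknown"),
                     " mac=",
                     pick-first-value(leaseMac, "unknown")));
}
```

The log() lines go to the same syslog facility as the other dhcpd messages, so a collector can key on the LEASE-EXPIRY tag to close out an IP-to-MAC binding.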

