<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
I switched from using the DHCP exec to Simple Event Collator (sec).
It monitors the log files much<br>
like fail2ban and can respond to log messages. I have an elaborate
log message for DHCP. This<br>
sec rule triggers when a lease is issued and adds the IP address to
a ipset:<br>
<font color="#993300"><tt># Dec 31 11:19:28 server dhcpd[20260]:
Host:BROTHER-MFC-J61=>BROTHER-MFC-J61 VendorId:(none)
MemberOf:(none) PoolType:(none) Lease:14400
Ipv4:192.168.4.63 MAC:0:1b:a9:3d:2d:e3 --> STATIC</tt><tt><br>
</tt><tt>type=Single</tt><tt><br>
</tt><tt>ptype=RegExp</tt><tt><br>
</tt><tt>pattern=(?<server_name>\S+)\s+dhcpd\S+:\s+Host:(?<host>\S+)=\>(?<DNShost>\S+).+
Lease:(?<leaseTime>\d+).+IPv4:(?<ipv4>(\d{1,3}\.){3}\d{1,3}).+MAC:(?<MAC>\S+)</tt><tt><br>
</tt><tt>desc=DHCP lease issued: Server:$+{server_name}
Host:$+{DNShost} IPv4:$+{ipv4} Lease:$+{leaseTime}
MAC:$+{MAC}</tt><tt><br>
</tt><tt>action=shellcmd /usr/sbin/ipset -exist add DHCP4-lease
$+{ipv4} timeout $+{leaseTime}</tt><tt><br>
</tt></font>Everything from <font color="#993300">#</font> up to
(but not including) <font color="#993300">type</font> is a sample
log line. (I'm pretty sure this will wrap<br>
in this email.)<br>
<br>
sec's actions are logged to /var/log/sec. <br>
<br>
<font color="#993300"><tt><font color="#000000">[0:root@server
network]$</font> <font color="#006600">dnf search sec</font></tt><tt><br>
</tt><tt>Last metadata expiration check performed 1:14:59 ago on
Wed Nov 2 18:10:46 2016.</tt><tt><br>
</tt><tt>=====================================================================
N/S Matched: sec
======================================================================</tt><tt><br>
</tt><tt>sec.noarch : Simple Event Correlator script to filter log
file entries</tt><tt><br>
</tt></font><br>
Bill<br>
<br>
<br>
<div class="moz-cite-prefix">On 11/2/2016 5:52 PM, Alan Buxey wrote:<br>
</div>
<blockquote
cite="mid:DB5PR04MB11115B7894AED19E0B96C1CDA7A00@DB5PR04MB1111.eurprd04.prod.outlook.com"
type="cite">
<pre wrap="">hi,
</pre>
<blockquote type="cite">
<pre wrap="">Is there a way to silence those lines? They seem rather debuggish,
and on my production system my syslog files are being flooded with 16
lines of "execute_statement" messages for every single lease assigned.
</pre>
</blockquote>
<pre wrap="">
what syslog system are you using? with eg rsyslog you can do a very simple
regex pattern match to ignore those entries and not log them (or log them
to another server or log them to another file....)... /^execute_statement argv/
alan
_______________________________________________
dhcp-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:dhcp-users@lists.isc.org">dhcp-users@lists.isc.org</a>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/dhcp-users">https://lists.isc.org/mailman/listinfo/dhcp-users</a>
</pre>
</blockquote>
<br>
</body>
</html>