After going through all the different posts about Infoblox DHCP, I thought that I had it, but I can't seem to get it to work properly. I installed the posix DHCP tool and updated all the Regex statements to deal with the Infoblox syslog changes. The regex should be working, but while I can see all my events show up as dhcpd_events, when I search for any fields (i.e. dhcp_message), I get nothing.
I'm kind of new to Splunk so I'm sure that I'm missing something. Hopefully somebody can point me in the right direction.
Some examples of the Syslogs that I am getting:
Apr 15 20:01:00 10.1.140.216 dhcpd[15805]: DHCPINFORM from 10.10.237.42 via 10.10.236.3
Apr 15 20:01:00 10.1.140.216 dhcpd[15805]: DHCPACK to 10.10.237.42 (f8:bc:12:d5:0e:19) via eth1
Apr 16 02:55:26 10.1.140.216 dhcpd[15805]: DHCPREQUEST for 10.11.23.114 from 00:1e:4a:92:02:30 (SEP001E4A920230) via 10.11.22.1 uid 01:00:1e:4a:92:02:30 (RENEW)
Transforms.conf (backslashes are being stripped, so I have replaced them with '):
[dhcpinform]
REGEX='s(dhcpd)'[[0-9]+']':'s(DHCPINFORM)'sfrom's('S+)'svia's('S+)
FORMAT=process::$1 dhcp_message::$2 src_ip::$3 dest_int::$4
[dhcpack_type2]
REGEX='s(dhcpd)'[[0-9]+']':'s(DHCPACK)'sto's('S+)'s(?:'(([^')]+)')'s)?via's('S+)
FORMAT=process::$1 dhcp_message::$2 src_ip::$3 src_mac::$4 dest_int::$5
[dhcprequest]
REGEX='s(dhcpd)'[[0-9]+']':'s(DHCPREQUEST)'sfor's('S+)'s(?:'(([^')]+)')'s)?from's('S+)'s(?:'(([^')]+)')'s)?via's('S+)
FORMAT=process::$1 dhcp_message::$2 src_ip::$3 src_nat_ip::$4 src_mac::$5 src_host::$6 dest_int::$7
I've fixed it.
You have to change all the regex in transforms.conf
from:
\s(dhcpd):\s
to:
\sdhcpd(:\s|[\d+]:\s)
and change the following lines in eventtypes.conf
from:
[dhcpd_event]
search = process=dhcpd
to:
[dhcpd_event]
search = dhcpd
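To see why the original prefix never matches the Infoblox lines (the process name is followed by a PID in brackets, `dhcpd[15805]:`, not a bare `dhcpd:`), here is an added Python check that is not part of the answer above or of the DHCP app. It applies the stanza regexes from the question, with their backslashes restored, to the three sample lines, once with the old `\s(dhcpd):\s` prefix and once with a PID-tolerant one. My prefix keeps `dhcpd` as capture group 1 so the FORMAT numbering is unchanged, and escapes the square brackets as `\[\d+\]`, which I assume is the intent given the literal brackets in the samples.

```python
import re

# Constructed sample lines, copied from the question above.
SAMPLES = [
    "Apr 15 20:01:00 10.1.140.216 dhcpd[15805]: DHCPINFORM from 10.10.237.42 via 10.10.236.3",
    "Apr 15 20:01:00 10.1.140.216 dhcpd[15805]: DHCPACK to 10.10.237.42 (f8:bc:12:d5:0e:19) via eth1",
    "Apr 16 02:55:26 10.1.140.216 dhcpd[15805]: DHCPREQUEST for 10.11.23.114 from 00:1e:4a:92:02:30 "
    "(SEP001E4A920230) via 10.11.22.1 uid 01:00:1e:4a:92:02:30 (RENEW)",
]

# Prefix shipped with the DHCP app: expects "dhcpd: " with no PID, so it never matches Infoblox.
OLD_PREFIX = r"\s(dhcpd):\s"
# Assumed fix: accept either "dhcpd: " or "dhcpd[15805]: " while keeping group 1 = process name.
NEW_PREFIX = r"\s(dhcpd)(?::\s|\[\d+\]:\s)"

# Message bodies mirroring the transforms.conf stanzas and their FORMAT field names.
BODIES = [
    ("dhcpinform", r"(DHCPINFORM)\sfrom\s(\S+)\svia\s(\S+)",
     ["dhcp_message", "src_ip", "dest_int"]),
    ("dhcpack_type2", r"(DHCPACK)\sto\s(\S+)\s(?:\(([^\)]+)\)\s)?via\s(\S+)",
     ["dhcp_message", "src_ip", "src_mac", "dest_int"]),
    ("dhcprequest",
     r"(DHCPREQUEST)\sfor\s(\S+)\s(?:\(([^\)]+)\)\s)?from\s(\S+)\s(?:\(([^\)]+)\)\s)?via\s(\S+)",
     ["dhcp_message", "src_ip", "src_nat_ip", "src_mac", "src_host", "dest_int"]),
]


def extract(line, prefix=NEW_PREFIX):
    """Return the fields of the first stanza whose regex matches `line`, or None.

    Optional groups that did not participate (e.g. the NAT IP) come back as None,
    which is what Splunk would leave unset for that event.
    """
    for stanza, body, names in BODIES:
        m = re.search(prefix + body, line)
        if m:
            fields = {"stanza": stanza, "process": m.group(1)}
            fields.update(zip(names, m.groups()[1:]))
            return fields
    return None


if __name__ == "__main__":
    for s in SAMPLES:
        print("old prefix:", extract(s, OLD_PREFIX))
        print("new prefix:", extract(s))
```

If the old prefix returns None for every line while the new one returns a populated dict, the field-extraction failure is the prefix, not the per-message bodies.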
The latest Infoblox TA supports DHCP as a sourcetype:
sourcetype=infoblox:dhcp
eventtype=infoblox_dns
eventtype=infoblox_session_start
eventtype=infoblox_session_end
Check out the documentation here: http://docs.splunk.com/Documentation/AddOns/latest/Infoblox/Sourcetypes
TA is available here: https://splunkbase.splunk.com/app/2934/#/overview
When you use ', do you mean \? If not, none of these REGEXes are good.
In [dhcpinform], do you get the variable process? If so, you have to look for the error after that; if not, then the entire regex is bad.
Are timestamps extracted correctly after your syslog-related changes?
In general, I would start working with the REGEX one capture group at a time.
Have you also updated the transform for [set-dhcpd-sourcetype]? Near the top of the transforms file, you also need to update the regex so it reads:
[set-dhcpd-sourcetype]
REGEX=|sdhcpd|[[0-9]+|]|:|s
(I replaced slashes with the pipe character)