So I have a situation where all my logs come in via syslog (sourcetype=syslog, source=udp:514) and are lumped together. The first thing I would like to do is to extract a MAC address, for reporting, that can occur anywhere in a dhcpd message. I'm unable to figure out how to flag this easily. Anyone have any thoughts? Here are a few examples:
dhcpd: DHCPACK on 10.100.10.12 to 00:00:00:00:00:00 via 10.10.10.10
dhcpd: DHCPREQUEST for 10.20.44.2 from via 10.10.10.12
dhcpd: DHCPDISCOVER from 00:00:00:00:00:00 via 10.44.21.10: network 10.21.23.3/21: no free leases
The other issue at play here is we may want to do this at index time. Is there any easy way to do this since everything is sourcetype=syslog and lumped in with a large number of other types of unrelated log messages (routers, switches, etc).
Try something like this; it will handle multiple formats (colon, dash, and Cisco dotted)
and a format without any separators.
| rex "(?<mac>(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}|(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}|[0-9A-Fa-f]{12})"
| rex field=mac mode=sed "s/[.:-]//g"
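The two-step rex approach above (match the address in any of its formats, then strip the separators) is easy to try outside Splunk before committing it to a search or a props/transforms stanza. The block below is an added example, not code from the question or the answer: it runs both a loose character-class pattern of the kind people usually reach for first (`[a-fA-F0-9.:-]{12,17}`) and a strict one that knows the three real MAC layouts over constructed sample lines modelled on the messages in the question. The strict regex is the same one a practitioner would paste into `rex` (Splunk's PCRE accepts the `(?P<mac>...)` naming as well as `(?<mac>...)`). The sample lines, the placeholder MAC values and the `extract_*`/`normalize_mac` function names are all assumptions made for the example; the unrelated `sshd` line stands in for the rest of the shared syslog feed.

```python
import re

# Constructed sample lines modelled on the dhcpd messages in the question,
# plus an unrelated line to stand in for the rest of the syslog feed.
# The MAC values are placeholders, not real hardware addresses.
SAMPLE_LINES = [
    "dhcpd: DHCPACK on 10.100.10.12 to 00:1a:2b:3c:4d:5e via 10.10.10.10",
    "dhcpd: DHCPREQUEST for 10.20.44.2 from via 10.10.10.12",
    "dhcpd: DHCPDISCOVER from 00-1A-2B-3C-4D-5F via 10.44.21.10: network 10.21.23.3/21: no free leases",
    "dhcpd: DHCPOFFER on 10.20.44.3 to 001a.2b3c.4d60 (host1) via 10.10.10.12",
    "dhcpd[1234]: DHCPRELEASE of 10.20.44.4 from 001a2b3c4d61 via 10.10.10.12",
    "sshd[99]: Accepted publickey for ops from 10.1.1.1 port 2222",
]

# A loose "any run of hex digits and separators" pattern. It is short and
# handles every MAC format, but an IPv4 address such as 10.100.10.12 is also
# 12 characters drawn from the same class, so it produces false positives
# whenever the IP appears before the MAC in the message.
LOOSE_MAC = re.compile(r"(?P<mac>[a-fA-F0-9.:-]{12,17})")

# A pattern that only accepts the three real MAC layouts, each with the exact
# group structure, and refuses to match inside a longer hex/separator token.
STRICT_MAC = re.compile(
    r"(?<![0-9A-Fa-f.:-])"
    r"(?P<mac>"
    r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}"   # 00:1a:2b:3c:4d:5e / 00-1a-2b-3c-4d-5e
    r"|(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}"    # 001a.2b3c.4d5e (Cisco dotted)
    r"|[0-9A-Fa-f]{12}"                          # 001a2b3c4d5e (no separators)
    r")"
    r"(?![0-9A-Fa-f.:-])"
)

# dhcpd lines carry the message type right after the "dhcpd:" (or "dhcpd[pid]:") tag.
DHCPD_MSG = re.compile(r"\bdhcpd(?:\[\d+\])?: (DHCP[A-Z]+)")


def extract_mac_loose(line):
    """First substring matched by the loose pattern, or None."""
    m = LOOSE_MAC.search(line)
    return m.group("mac") if m else None


def extract_mac(line):
    """First MAC address in the line using the strict pattern, or None."""
    m = STRICT_MAC.search(line)
    return m.group("mac") if m else None


def normalize_mac(mac):
    """Canonical form for reporting: separators stripped, lower-case.

    Stripping separators is what the sed step in the answer does; lower-casing
    is an extra so that 00-1A-... and 00:1a:... count as the same client."""
    return re.sub(r"[.:-]", "", mac).lower()


def extract_dhcp_macs(lines):
    """Return (message_type, normalized_mac) for dhcpd lines that carry a MAC.

    Lines from other daemons in the shared syslog feed are skipped, as are
    dhcpd messages without a client address (e.g. the DHCPREQUEST above)."""
    results = []
    for line in lines:
        tag = DHCPD_MSG.search(line)
        if not tag:
            continue
        mac = extract_mac(line)
        if mac:
            results.append((tag.group(1), normalize_mac(mac)))
    return results


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"loose={extract_mac_loose(line)!s:<18} strict={extract_mac(line)!s:<18} {line}")
    print(extract_dhcp_macs(SAMPLE_LINES))
```

Running it shows the point of the stricter pattern: on the DHCPACK line the loose pattern returns the IP `10.100.10.12` as the "mac" because it reaches the IP first, while the strict pattern returns the real address; on the DHCPREQUEST line, which has no client address, both correctly return nothing rather than inventing one.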
Can you explain why you want to do it at index-time?
The DHCPD App has got it all; did you have a look at it?
This app has gone mysteriously missing recently 😞