That is correct. Thank you for your help.
Original Message:
Sent: 08-02-2024 15:01
From: Nikolay Semov
Subject: DHCPD log filtering for MAC+IP on same line
The log line looks something like this (it will look different if you enable structured-data):
DH_SVC_V4_SERVER_GET_BOUND: DHCPv4 server changed a binding to state BOUND:default/default, interface ge-0/0/6.0, MAC aa:bb:cc:dd:ee:ff, IP 100.100.100.11, lease-time 150.
Try any any instead of daemon any. Also, match at least DH_SVC_ rather than just DH, lest you get tons of other garbage that may have the "dh" sequence.
Also, just to clarify, this is the newer JDHCP server (enabled in system and configured in access address-assignment) and not the old DHCP daemon that's configured only in system.
------------------------------
Nikolay Semov
Original Message:
Sent: 08-02-2024 14:45
From: G_H
Subject: DHCPD log filtering for MAC+IP on same line
That sounds hopeful. How does that materialize in the actual log files? I have the below with no messages from jdhcpd:
set system syslog file dhcp daemon any
set system syslog file dhcp match "(dh|DH)"
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file messages security info
set system syslog file policy any any
set system syslog file policy match RT_FLOW_SESSION
------------------------------
G H
Original Message:
Sent: 08-02-2024 14:26
From: Nikolay Semov
Subject: DHCPD log filtering for MAC+IP on same line
Rather than traceoptions, enable JDHCP server logging with set system processes dhcp-service log session server. If that command is not available for you, please make sure you're running a recent version of JunOS as it was introduced only a few years ago in 19.1R1.
Once logging is enabled, you can have the syslog configuration sending stuff to your Splunk host match messages with regexp .*DH_SVC_V._SERVER.* You may need to adjust the regular expression to suit your needs as the example I provided may match more events than you want.
------------------------------
Nikolay Semov
Original Message:
Sent: 08-02-2024 10:00
From: G_H
Subject: DHCPD log filtering for MAC+IP on same line
What is the proper way to get a log file that contains only MAC->IP address assignments via the DHCP server as they are assigned?
I have the below config but the MAC address is not showing up 100% of the time, and the log line that the MAC address is on is not on the same line as the IP address. I am trying to get both MAC and IP to show up in a single log line so I can easily parse it with Splunk.
set system processes dhcp-service traceoptions file jdhcp-clients
set system processes dhcp-service traceoptions file size 5m
set system processes dhcp-service traceoptions level info
set system processes dhcp-service traceoptions flag all
------------------------------
G H
------------------------------
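Added example, not part of the thread and not Juniper or Splunk code: a Python parser that pulls the MAC and IP out of the DH_SVC_V4_SERVER_GET_BOUND line quoted above and counts how many lines the broad "(dh|DH)" match would keep. The field layout is assumed from that single sample line; the syslog prefix, host name and the second and third sample lines are constructed.

```python
import ipaddress
import re

# Field layout taken from the one sample line in the thread; other Junos
# releases or structured-data output may differ (assumption).
BOUND_RE = re.compile(
    r"DH_SVC_V4_SERVER_GET_BOUND: .*?state BOUND:(?P<context>[^,\s]+), "
    r"interface (?P<interface>[^,\s]+), "
    r"MAC (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}), "
    r"IP (?P<ip>[0-9.]+), "
    r"lease-time (?P<lease>\d+)"
)

def parse_bound(line):
    """Return the binding fields from one syslog line, or None if not a valid BOUND event."""
    m = BOUND_RE.search(line)
    if m is None:
        return None
    try:
        ip = str(ipaddress.IPv4Address(m.group("ip")))
    except ValueError:
        return None  # digits and dots that are not a real IPv4 address
    return {
        "mac": m.group("mac").lower(),       # normalise case for lookups
        "ip": ip,
        "interface": m.group("interface"),
        "context": m.group("context"),       # the "default/default" field, kept verbatim
        "lease_time": int(m.group("lease")),
    }

# Constructed sample input: only the message body of the first line comes from the thread.
SAMPLE = [
    "Aug  2 15:01:07 srx1 jdhcpd[1234]: DH_SVC_V4_SERVER_GET_BOUND: DHCPv4 server changed a binding to state BOUND:default/default, interface ge-0/0/6.0, MAC aa:bb:cc:dd:ee:ff, IP 100.100.100.11, lease-time 150.",
    "Aug  2 15:01:09 srx1 mgd[2001]: UI_CMDLINE_READ_LINE: User 'dhall', command 'show system uptime '",
    "Aug  2 15:01:12 srx1 jdhcpd[1234]: DH_SVC_V4_SERVER_GET_BOUND: DHCPv4 server changed a binding to state BOUND:default/default, interface ge-0/0/7.0, MAC AA:BB:CC:00:11:22, IP 100.100.100.300, lease-time 150.",
]

def bindings(lines):
    """Keep only lines that parse as a valid MAC-to-IP binding."""
    return [b for b in map(parse_bound, lines) if b is not None]

def loose_match_count(lines):
    """Number of lines the broad (dh|DH) match from the thread would keep."""
    return sum(1 for line in lines if re.search(r"(dh|DH)", line))

if __name__ == "__main__":
    for b in bindings(SAMPLE):
        print(b)
```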