New use case: DHCP

[willemdh]

Are there any plans yet for a DNS and DHCP object? I'm maintaining the Infoblox grok patterns here:

https://github.com/willemdh/logstash_filter_infoblox

These should also probabaly be migrated to ECS to some day.

[praseodym]

#10 covers DNS query logging, the Infoblox logging contains a bit more through (updates etc.)

[willemdh]

Ok, thanks. Renamed this issue a bit. I'll make sure to doublecheck #10 for any DNS related fields (once I get to it).

[ruflin]

@willemdh Would be great if you could share some example fields you are looking for. I know there is a template in the logstash filter you linked but having it all here should make things easier.

[andrewkroh]

Here a sample of the DHCP field data we have in Packetbeat at the moment.

    "dhcpv4": {
      "option": {
        "utc_time_offset_sec": -18000,
        "subnet_mask": "255.255.255.128",
        "ntp_servers": [
          "10.0.0.1",
          "10.0.0.2"
        ],
        "domain_name": "local.domain.com",
        "dns_servers": [
          "10.0.0.1",
          "10.0.0.2"
        ],
        "rebinding_time_sec": 3150,
        "message_type": "ack",
        "server_identifier": "10.0.0.1",
        "ip_address_lease_time_sec": 3600,
        "router": "10.0.7.1",
        "renewal_time_sec": 1800
      },
      "hops": 0,
      "flags": "unicast",
      "client_mac": "30:ee:dd:cc:aa:dd",
      "transaction_id": "0x699926d4",
      "assigned_ip": "10.0.7.17",
      "op_code": "bootreply",
      "hardware_type": "Ethernet",
      "client_ip": "10.0.7.17",
      "seconds": 0
    }

[willemdh]

Ok, I'll edit this issue a bit and let's keep this one for dhcp related fields. We can continue discussion of dns in #10. Dhcp is higher level discussion then Infoblox.

[vbohata]

Currently I am in phase of naming fields for our DHCP logs. I've decided for following naming:

client.host.name
client.host.ip
client.host.mac
dhcp.client.uid
network.cidr
dhcp.operation.name
dhcp.operation.detail
dhcp.operation.result
dhcp.relay.interface
dhcp.relay.ip
dhcp.via.interface
dhcp.via.ip
dhcp.lease.duration_s
dhcp.lease.offered_duration_s
dhcp.lease.status
dhcp.transaction.id

I am not sure if operation should be prefixed with dhcp, but honestly I think it is highly DHCP related (contains something like ACK;RENEW;no free leases) and no one will need to compare it with another app's logs.

[jeffrysleddens]

Currently I am in phase of naming fields for our DHCP logs. I've decided for following naming:

client.host.name
client.host.ip
client.host.mac

These are not right according to the ECS 1.0.0 spec. client.host.ip should be client.ip and client.host.mac should be client.mac. There is no hostname field within the client field group, not sure where to place this as it is not a hostname but more a free field device name.

[Aqualie]

Is there any timeline for introducing this featureset ?

[jamiehynds]

@P1llus may be worth looking at some of the suggested DHCP fields here, as we work through the Microsoft DHCP mappings.

[jamiehynds]

DHCP pipeline available here for reference, as we consider a DHCP fieldset: https://github.com/elastic/integrations/blob/master/packages/microsoft_dhcp/data_stream/log/elasticsearch/ingest_pipeline/default.yml