I’m having some trouble extracting client IPs from my DHCP logs. As DHCP logs will typically contain both the IP being requested as well as the IP the request is coming from (DHCP server or relay), I’m trying to target the IP that follows various keywords. For example:
DHCPOFFER on 192.168.129.204 to XX:XX:XX:XX:XX:XX (ClientHost) via 192.168.129.193
In this case, I want the .204 and not the .193.
My regex is as follows:
regex("(from|for|on|to) ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"
The problem starts with the periods. If I escape them with a single backslash (I want to literally match periods), the web editor throws a syntax/formatting error. If I take the backslashes out, they never match (I’m presuming because the dot is being interpreted as regex and not as a literal character).
My overall pipeline rule looks like this:
Rule "DHCP Client IPv4"
when
regex("(from|for|on|to) ([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})", to_string($message.message)).matches == true
then
let result = regex("(from|for|on|to) ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})", to_string($message.message));
set_field("client_ip", result["1"]);
end
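For comparison, here is the same extraction with the dots escaped, written as a Python example added to this thread (it is not code from the original post or from Graylog). The sample log lines are constructed in the ISC dhcpd style quoted above, and the relay address after "via" is left out on purpose; note that inside a Graylog pipeline-rule string literal the backslash would have to be doubled (`\\.`) to get the same pattern.

```python
import re

# Pattern from the post, with the dots escaped so they only match literal periods.
# Group 1 is the keyword, group 2 the dotted quad. "via" is deliberately absent
# from the keyword list, so the relay/server address is never captured.
CLIENT_IP_RE = re.compile(
    r"\b(from|for|on|to) ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\b"
)

# Same pattern without escaping: each "." now matches ANY character, so strings
# that are not dotted quads (e.g. "192-168-129-204") are accepted as well.
LOOSE_RE = re.compile(r"\b(from|for|on|to) ([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})\b")


def extract_client_ip(message: str):
    """Return the client IPv4 address in a DHCP log line, or None if there is none.

    Only the address following from/for/on/to is returned. Octets are range-checked
    so that values such as 999.1.1.1 are not reported as addresses.
    """
    for match in CLIENT_IP_RE.finditer(message):
        ip = match.group(2)
        if all(0 <= int(octet) <= 255 for octet in ip.split(".")):
            return ip
    return None


def loose_matches(message: str) -> bool:
    """True if the unescaped pattern matches; shows what the unescaped dot lets through."""
    return LOOSE_RE.search(message) is not None


# Constructed sample lines in the format quoted in the post.
SAMPLE_LOG = [
    "DHCPOFFER on 192.168.129.204 to XX:XX:XX:XX:XX:XX (ClientHost) via 192.168.129.193",
    "DHCPREQUEST for 192.168.129.204 from XX:XX:XX:XX:XX:XX (ClientHost) via 192.168.129.193",
    "DHCPACK on 192.168.129.204 to XX:XX:XX:XX:XX:XX (ClientHost) via 192.168.129.193",
    "DHCPDISCOVER from XX:XX:XX:XX:XX:XX (ClientHost) via 192.168.129.193",
]


def client_ips(lines):
    """Map each log line to its extracted client IP (None where no client IP exists)."""
    return [extract_client_ip(line) for line in lines]


if __name__ == "__main__":
    for line, ip in zip(SAMPLE_LOG, client_ips(SAMPLE_LOG)):
        print(f"{str(ip):>16}  {line}")
```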