Extracting client IP from DHCP logs

I’m having some trouble extracting client IPs from my DHCP logs. As DHCP logs will typically contain both the IP being requested as well as the IP the request is coming from (DHCP server or relay), I’m trying to target the IP that follows various keywords. For example:

    DHCPOFFER on 192.168.129.204 to XX:XX:XX:XX:XX:XX (ClientHost) via 192.168.129.193

In this case, I want the .204 and not the .193.

My regex is as follows:

    regex("(from|for|on|to) ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"

The problem starts with the periods. If I escape them with a single backslash (I want to literally match periods), the web editor throws a syntax/formatting error. If I take the backslashes out, they never match (I’m presuming because the dot is being interpreted as regex and not as a literal character).

My overall pipeline rule looks like this:

    Rule "DHCP Client IPv4"
    when
        regex("(from|for|on|to) ([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})", to_string($message.message)).matches == true
    then
        let result = regex("(from|for|on|to) ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})", to_string($message.message));
        set_field("client_ip", result["1"]);
    end

This is what I ended up with, and it works as anticipated.

    Rule "DHCP Client IPv4 Address"
    when
        regex("DHCP(ACK|INFORM|OFFER|REQUEST|)\\s+(from|for|on|to)\\s+([0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})", to_string($message.message)).matches == true
    then
        let result = regex("DHCP(ACK|INFORM|OFFER|REQUEST|)\\s+(from|for|on|to)\\s+([0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})", to_string($message.message));
        set_field("client_ip", result["2"]);
    end
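The same extraction run outside Graylog, as an added example (not part of the original post): the final rule's pattern is applied to a set of constructed ISC-dhcpd style lines to confirm that only the client address is captured, that message types without a client IP (DISCOVER, RELEASE) yield nothing, and that the regex alone would accept an impossible octet such as 999, so an octet range check is added here that the original rule does not have.

```python
import re

# The pattern from the final pipeline rule above, as a Python raw string.
# Double-quoted strings in the Graylog rule language process escape
# sequences, so the rule needs "\\." where a Python raw string needs "\.".
DHCP_CLIENT_IP = re.compile(
    r"DHCP(ACK|INFORM|OFFER|REQUEST|)\s+(from|for|on|to)\s+"
    r"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"
)


def extract_client_ip(message):
    """Return the client IP from one DHCP log line, or None.

    Group 3 here is result["2"] in the Graylog rule, whose capture groups
    are numbered from 0. The regex accepts octets up to 999, so each octet
    is additionally checked to be <= 255 (a check the original rule lacks).
    """
    m = DHCP_CLIENT_IP.search(message)
    if not m:
        return None
    ip = m.group(3)
    if all(0 <= int(octet) <= 255 for octet in ip.split(".")):
        return ip
    return None


# Constructed sample lines in ISC dhcpd syslog style; the relay address
# 192.168.129.193 must never be returned as the client IP.
SAMPLE_LINES = [
    "DHCPDISCOVER from aa:bb:cc:dd:ee:01 via 192.168.129.193",
    "DHCPOFFER on 192.168.129.204 to aa:bb:cc:dd:ee:01 (ClientHost) via 192.168.129.193",
    "DHCPREQUEST for 192.168.129.204 (192.168.129.1) from aa:bb:cc:dd:ee:01 via 192.168.129.193",
    "DHCPACK on 192.168.129.204 to aa:bb:cc:dd:ee:01 (ClientHost) via 192.168.129.193",
    "DHCPINFORM from 192.168.129.204 via 192.168.129.193",
    "DHCPRELEASE of 192.168.129.204 from aa:bb:cc:dd:ee:01 via 192.168.129.193 (found)",
    "DHCPACK on 999.1.1.1 to aa:bb:cc:dd:ee:02 via 192.168.129.193",
]


def extract_all(lines):
    """Apply extract_client_ip to every line, preserving order."""
    return [extract_client_ip(line) for line in lines]


if __name__ == "__main__":
    for line, ip in zip(SAMPLE_LINES, extract_all(SAMPLE_LINES)):
        print(f"{str(ip):16} <- {line}")
```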
