Extracting client IP from DHCP logs

I’m having some trouble extracting client IPs from my DHCP logs. As DHCP logs will typically contain both the IP being requested as well as the IP the request is coming from (DHCP server or relay), I’m trying to target the IP that follows various keywords. For example:

DHCPOFFER on to XX:XX:XX:XX:XX:XX (ClientHost) via

In this case, I want the .204 and not the .193.

My regex is as follows:

regex("(from|for|on|to) ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"

The problem starts with the periods. If I escape them with a single backslash (I want to literally match periods), the web editor throws a syntax/formatting error. If I take the backslashes out, they never match (I’m presuming because the dot is being interpreted as regex and not as a literal character).

My overall pipeline rule looks like this:

    rule "DHCP Client IPv4"
    when
        regex("(from|for|on|to) ([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})", to_string($message.message)).matches == true
    then
        let result = regex("(from|for|on|to) ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})", to_string($message.message));
        set_field("client_ip", result["1"]);
    end

This is what I ended up with, and it works as anticipated.

    rule "DHCP Client IPv4 Address"
    when
        regex("DHCP(ACK|INFORM|OFFER|REQUEST|)\\s+(from|for|on|to)\\s+([0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})", to_string($message.message)).matches == true
    then
        let result = regex("DHCP(ACK|INFORM|OFFER|REQUEST|)\\s+(from|for|on|to)\\s+([0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})", to_string($message.message));
        set_field("client_ip", result["2"]);
    end
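As an added illustration (not code from the thread or from Graylog), the final pattern applied in Python to a few constructed ISC dhcpd-style lines using RFC 5737 test addresses. It also shows what the unescaped-dot variant accepts, and adds an octet-validity check that the regex alone does not give.

```python
import ipaddress
import re

# The thread's final pattern, as a raw string (single backslashes suffice in
# Python; Graylog needs them doubled inside its string literal). Anchoring on
# the DHCP message type keeps the "via <server/relay IP>" address out of reach.
DHCP_CLIENT_RE = re.compile(
    r"DHCP(ACK|INFORM|OFFER|REQUEST|)\s+(from|for|on|to)\s+"
    r"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"
)

# Same pattern with the dots left unescaped: "." is any character here.
LOOSE_RE = re.compile(
    r"DHCP(ACK|INFORM|OFFER|REQUEST|)\s+(from|for|on|to)\s+"
    r"([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})"
)

# Constructed dhcpd-style messages (not copied from the thread).
SAMPLE_LINES = [
    "DHCPOFFER on 192.0.2.204 to aa:bb:cc:dd:ee:ff (ClientHost) via 192.0.2.193",
    "DHCPREQUEST for 192.0.2.55 from aa:bb:cc:dd:ee:01 via eth0",
    "DHCPACK on 192.0.2.55 to aa:bb:cc:dd:ee:01 via eth0",
    "DHCPDISCOVER from aa:bb:cc:dd:ee:02 via 192.0.2.193",  # no client IP yet
    "DHCPINFORM from 192.0.2.77 via eth0",
]


def extract_client_ip(message, pattern=DHCP_CLIENT_RE):
    """Return the client IPv4 address named after from/for/on/to, or None.

    The regex only checks for 1-3 digit groups, so a value such as 999.1.1.1
    would slip through; ipaddress rejects it before it lands in client_ip.
    """
    m = pattern.search(message)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group(3)))
    except ValueError:
        return None


def extract_all(lines, pattern=DHCP_CLIENT_RE):
    return [extract_client_ip(line, pattern) for line in lines]


if __name__ == "__main__":
    for line, ip in zip(SAMPLE_LINES, extract_all(SAMPLE_LINES)):
        print(f"{ip!s:>12}  <-  {line}")
```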
