Update MAC address field with leading zeros

kamils85 · July 7, 2021, 12:26pm

Hello,

I have successfully managed to extract some fields from the message below:

DHCPDISCOVER from f0:2f:74:1a:d8:94 circuit-id 1:f6:1:7 remote-id 8c:ea:1b:9c:f:ca via 185.x.x.2: network 185.x.x.0/24: no free leases

Now I am facing a problem that the extracted remote-id field (which is the MAC address 8c:ea:1b:9c:f:ca) comes with stripped leading zeros (5th octet in this case).
I was hoping I could possibly use a pipeline or any other feature to update and add the leading zeros so it looks like this:
8c:ea:1b:9c:0f:ca and override that field with updated value.

I would appreciate if someone can point me out which function would help me accomplish my goal.

gsmith · July 7, 2021, 11:29pm

Hello && welcome

Perhaps is this what you looking for?

kamils85 · July 8, 2021, 6:44am

Thanks @gsmith for sharing this. This is a different problem as this guy had a problem with catching the MAC address via regex and I have accomplished this via GROK pattern.
I am step ahead. I am trying to enrich my extracted MAC address to add the leading zero wherever it’s missing (unfortunately the dhcpd truncates the leading zeros…) and I am not sure how to do it.

I came up with a logic that I would split the MAC address into 6 octets (which I did using the split function and that’s where I am stuck), then I would probably check which octet is a single character and I would add a 0 in front of it. Then join it all together.

I am not very language scripting person so I am looking for someone to give me a hint on which functions should I look into.

tmacgbay · July 8, 2021, 12:30pm

I would look at the regex_replace() function where you are looking for a single number/letter surrounded by “:”… you may want to temporarily attach a : to both ends to make the regex easier - or you could break it into constituent pieces and regex_replace each if it only finds one number/letter… oh for looping in graylog rules … its ugly but it could work.

kamils85 · July 8, 2021, 1:55pm

@tmacgbay that’s definitely a way to go.
This is the test code for now:

  let octet = split(":", to_string($message.dhcpd_remote_id));
  let regex0 = regex_replace("^([0-9a-fA-F])$",to_string(octet[0]),"0$1");
  let regex1 = regex_replace("^([0-9a-fA-F])$",to_string(octet[1]),"0$1");
  let regex2 = regex_replace("^([0-9a-fA-F])$",to_string(octet[2]),"0$1");
  let regex3 = regex_replace("^([0-9a-fA-F])$",to_string(octet[3]),"0$1");
  let regex4 = regex_replace("^([0-9a-fA-F])$",to_string(octet[4]),"0$1");
  let regex5 = regex_replace("^([0-9a-fA-F])$",to_string(octet[5]),"0$1");

It’s ugly but it does the job. Now, is there a smarter way of joining all the regex1-5 together apart from using a concat 100x times?

tmacgbay · July 8, 2021, 4:03pm

That would be nice - but not that I am aware of - it is definitely a lacking feature.

kamils85 · July 9, 2021, 3:10pm

Right, this is the code. Not pretty but does the job. If you know a way I can simplify this I would really appreciate it.

rule "dhcpd_remote_id_mac_add_leading_zeros"
when
  has_field("dhcpd_remote_id")
then
  let octet = split(":", to_string($message.dhcpd_remote_id));
  let regex0 = regex_replace("^([0-9a-fA-F])$",to_string(octet[0]),"0$1");
  let regex1 = regex_replace("^([0-9a-fA-F])$",to_string(octet[1]),"0$1");
  let regex2 = regex_replace("^([0-9a-fA-F])$",to_string(octet[2]),"0$1");
  let regex3 = regex_replace("^([0-9a-fA-F])$",to_string(octet[3]),"0$1");
  let regex4 = regex_replace("^([0-9a-fA-F])$",to_string(octet[4]),"0$1");
  let regex5 = regex_replace("^([0-9a-fA-F])$",to_string(octet[5]),"0$1");
  let build_new_rid_1 = concat(regex0, ":"); // 00:
  let build_new_rid_2 = concat(build_new_rid_1, regex1); // 00:11
  let build_new_rid_3 = concat(build_new_rid_2, ":"); // 00:11:
  let build_new_rid_4 = concat(build_new_rid_3, regex2); // 00:11:22
  let build_new_rid_5 = concat(build_new_rid_4, ":"); // 00:11:22:
  let build_new_rid_6 = concat(build_new_rid_5, regex3); // 00:11:22:33
  let build_new_rid_7 = concat(build_new_rid_6, ":"); // 00:11:22:33:
  let build_new_rid_8 = concat(build_new_rid_7, regex4); // 00:11:22:33:44
  let build_new_rid_9 = concat(build_new_rid_8, ":"); // 00:11:22:33:44:
  let build_new_rid_10 = concat(build_new_rid_9, regex5); // 00:11:22:33:44:55
  set_field("dhcpd_remote_id", build_new_rid_10);
end

I have noticed there is also a join function which I think I could possibly use but I could not find in documentation nor examples on how to use it.

join(elements, [delimiter], [start], [end]) : String	Joins the elements of the provided array into a single String

Anyway, many thanks guys for the suggestions as this actually got me sorted.

system · July 23, 2021, 3:11pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Regex extractor not working Graylog Central (peer support)	11	1002	July 20, 2021
Replace Values in Extracted Field Graylog Central (peer support)	3	1723	August 14, 2019
Regular exception MAC address Graylog Central (peer support)	6	2783	November 13, 2017
Extract the hostname Graylog Central (peer support)	4	2037	July 19, 2021
Extract first valid MAC address from a String with Regex Graylog Central (peer support)	9	2202	April 14, 2020

Update MAC address field with leading zeros

Related topics