Post by Terry L. InzauroI am trying to derive a method of retaining the MAC/IP combinations (and
maybe other information) for all successful leases for compliance and
auditing purposes. Basically, in the public sector, I have to be able to
tell law enforcement who (which mac addres) had obtained an address and at
what time (to the best of my knowledge).
At first I envisioned a script being ran upon a successful lease that would
log various info to SQL or something like that. I thought this method would
be possible based on the section called 'REFERENCE: EVENTS' (in man 5
dhcpd.conf) but I am finding a lack of documentation or examples on that
particular subject.
Perhaps I am making something out of nothing. Is this problem simply a
matter tuning syslog-ng to log all DHCPD related messages to a log that is
later archived indefinitely?
I use the syslog method, with this config block in my dhcpd config:
on commit { if (static) {
log (info, concat (
"DHCPNETMON ",
binary-to-ascii (10,32,"",encode-int (lease-time,32))," ",
substring (binary-to-ascii (16,8,":",hardware), 2,17)," ",
binary-to-ascii (10,8,".",leased-address)," ",
pick-first-value(host-decl-name, "(none)"),
" static"));
} else {
log (info, concat (
"DHCPNETMON ",
binary-to-ascii (10,32,"",encode-int (lease-time,32))," ",
substring (binary-to-ascii (16,8,":",hardware), 2,17)," ",
binary-to-ascii (10,8,".",leased-address), " ",
pick-first-value(ddns-fwd-name, "(none)"),
" dynamic"));
}
}
This gets both static and dynamic leases, and also lets me filter on exactly
the log messages that I want via the DHCPNETMON tag (easy enough to change to
something more meaningful in your environment, of course).
You should be aware, though, that this only tells you what address was
assigned to a host, not necessarily what address was actually in use by any
given host. Other factors, such as static configurations and rouge DHCP
servers, can make reality out of sync with your records. I'd highly recommend
that you look into some way of tracking ARP tables on your routers as well, so
that you have a record of what was actually in use.
--
Frank Sweetser fs at wpi.edu | For every problem, there is a solution that
WPI Senior Network Engineer | is simple, elegant, and wrong. - HL Mencken
GPG fingerprint = 6174 1257 129E 0D21 D8D4 E8A3 8E39 29E3 E2E8 8CEC