DHCP: Logging host declarations in log file
I am currently running ISC-DHCP server v3 on Ubuntu 8.04. What I am trying to do is log who got what IP address when.
Currently in the DHCP log file you can see the following:
DHCPDISCOVER from d0:50:56:ac:74:71 via eth0
DHCPOFFER on 208.x.x.75 to d0:50:56:ac:74:71 via eth0
DHCPREQUEST for 208.x.x.75 (172.18.1.2) from d0:50:56:ac:74:71 via eth0
DHCPACK on 208.x.x.75 to d0:50:56:ac:74:71 via eth0
I would like to get to the point where I see this or something similar:
DHCPDISCOVER from d0:50:56:ac:74:71 via eth0
DHCPOFFER on 208.x.x.75 to d0:50:56:ac:74:71 via eth0
DHCPREQUEST for 208.x.x.75 (172.18.1.2) from d0:50:56:ac:74:71 via eth0
DHCPACK on 208.x.x.75 to d0:50:56:ac:74:71 (TestPC001) via eth0
I need to log the host who got the IP address when (the log file has time stamps but I removed them for this post) for historical purposes.
In my dhcpd.conf file I have the following host declaration:
host TestPC001 {
hardware ethernet d0:50:56:ac:74:71;
fixed-address 208.x.x.75;
}
If anyone knows how to do this with DHCP3 that would be great, I am open to suggestions on 3rd party apps that will do this. One thing to note, the dhcpd.conf file is generated dynamically using a 3rd party app that does RADIUS, so the host declarations can and will change so I can not simply just look at the file if there is a problem with someone on the network and get their name.
I have figured it out.
Adding the following to the dhcpd.conf file
if known {
log (info, concat ("HOSTNAME: ", host-decl-name, " on ",binary-to-ascii (10, 8, ".", leased-address)," at ", binary-to-ascii (16, 8, ":", substring (hardware, 1, 6))));
}
Will result in (I have removed timestamps for neatness):
HOSTNAME: TestPC001 on 208.x.x.75 at d0:50:56:ac:74:71
DHCPDISCOVER from d0:50:56:ac:74:71 via eth0
DHCPOFFER on 208.x.x.75 to d0:50:56:ac:74:71 via eth0
DHCPREQUEST for 208.x.x.75 (172.18.1.2) from d0:50:56:ac:74:71 via eth0
DHCPACK on 208.x.x.75 to d0:50:56:ac:74:71 via eth0
ISC DHCP stores the allocated leases in a file (typically /var/run/dhcp/dhcpd.leases or similar).
The content of the leases file is documented:
http://linux.die.net/man/5/dhcpd.leases
and there is a Perl module available to parse the contents of the leases file:
http://search.cpan.org/~cvicente/Text-DHCPLeases-v0.3/lib/Text/DHCPLeases.pm
All of the information you seek is in the leases file, so you could easily write a program to parse out the data and store it somewhere for history. If you're not looking to do this in realtime, you can probably just run it no less often than half your lease time less a bit (as clients are expected to renew their lease at the halfway mark).
I expect that the parsing would be so lightweight that you could just run it frequently without worry. You could also get fancy by running md5sum on the file, storing the output of that somewhere, then checking for changes once a minute and copying the lease file to a directory where a program could analyze it whenever it changed.
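A sketch of the lease-file approach described in this answer, added here as an example (it is not code from the original posts and does not use the Perl module). It parses dhcpd.leases entries into history records and answers "who held this address at this time"; the sample data is constructed, and the function names and the second MAC address are made up for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample in dhcpd.leases(5) format. The file is append-only, so
# one address can appear several times with different holders.
SAMPLE_LEASES = '''
lease 10.28.0.155 {
  starts 3 2009/07/08 05:14:45;
  ends 3 2009/07/08 06:14:45;
  hardware ethernet 00:08:54:37:48:a6;
  client-hostname "PC18";
}
lease 10.28.0.155 {
  starts 3 2009/07/08 09:00:00;
  ends never;
  hardware ethernet 00:16:3e:00:00:01;
}
'''

# The closing brace is matched at line start so a "}" inside a uid string is safe.
LEASE_RE = re.compile(r'^lease\s+(\S+)\s*\{\n(.*?)^\}', re.S | re.M)
FIELDS = {
    'starts': re.compile(r'^\s*starts\s+\d\s+([\d/]+ [\d:]+);', re.M),
    'ends': re.compile(r'^\s*ends\s+(?:\d\s+([\d/]+ [\d:]+)|never);', re.M),
    'mac': re.compile(r'^\s*hardware ethernet\s+([0-9a-fA-F:]+);', re.M),
    'hostname': re.compile(r'^\s*client-hostname\s+"([^"]*)";', re.M),
}

def _utc(text):  # lease timestamps are written in UTC by default, not local time
    return datetime.strptime(text, '%Y/%m/%d %H:%M:%S').replace(tzinfo=timezone.utc)

def parse_leases(text):
    records = []
    for ip, body in LEASE_RE.findall(text):
        m = {name: rx.search(body) for name, rx in FIELDS.items()}
        if not m['starts'] or not m['mac']:
            continue  # entries without a holder cannot be attributed
        ends = m['ends'].group(1) if m['ends'] else None
        records.append({'ip': ip, 'mac': m['mac'].group(1).lower(),
                        'hostname': m['hostname'].group(1) if m['hostname'] else None,
                        'starts': _utc(m['starts'].group(1)),
                        'ends': _utc(ends) if ends else None})  # None: no expiry
    return records

def who_had(records, ip, when):
    # Later entries in the file supersede earlier ones, so take the last match.
    hits = [r for r in records if r['ip'] == ip and r['starts'] <= when
            and (r['ends'] is None or when < r['ends'])]
    return hits[-1] if hits else None
```

Pass `who_had` a timezone-aware UTC datetime; syslog timestamps are normally local time, so convert them before comparing against lease times.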
ISC DHCPD does log the client name, as long as the client includes its hostname in the DHCP request.
You don't mention which OS your clients are running. Linux clients generally don't include their hostname in the DHCP request, so you need to add
send host-name "hostname";
to your /etc/dhcp3/dhclient.conf. (Your distribution may be configured differently.)
Windows clients include their computer name in the DHCP request.
Under Debian etch I glued dhcp3 and bind with dnssec. So dhcp sends the client hostname to bind, which updates the DNS zones.
Here I get something like this from a stock Windows XP:
# tail -13 /var/lib/dhcp3/dhcpd.leases
lease 10.28.0.155 {
starts 3 2009/07/08 05:14:45;
ends 3 2009/07/08 06:14:45;
cltt 3 2009/07/08 05:14:45;
binding state active;
next binding state free;
hardware ethernet 00:08:54:37:48:a6;
uid "\001\000\010T7H\246";
set ddns-rev-name = "155.0.28.10.in-addr.arpa.";
set ddns-txt = "31b6fa94a1ef1702e6eed6bef3a9fd6f31";
set ddns-fwd-name = "PC18.mydomain.lan";
client-hostname "PC18";
}
And in the /var/log/daemon.log
Jul 8 07:14:45 ServerName dhcpd: DHCPOFFER on 10.28.0.155 to 00:08:54:37:48:a6 (PC18) via eth1
Jul 8 07:14:45 ServerName named[12354]: client 127.0.0.1#53673: updating zone 'mydomain.lan/IN': adding an RR at 'PC18.mydomain.lan' A
Jul 8 07:14:45 ServerName named[12354]: client 127.0.0.1#53673: updating zone 'mydomain.lan/IN': adding an RR at 'PC18.mydomain.lan' TXT
Jul 8 07:14:45 ServerName dhcpd: Added new forward map from PC18.mydomain.lan to 10.28.0.155
Jul 8 07:14:45 ServerName named[12354]: client 127.0.0.1#53673: updating zone '0.28.10.in-addr.arpa/IN': deleting rrset at '155.0.28.10.in-addr.arpa' PTR
Jul 8 07:14:45 ServerName named[12354]: client 127.0.0.1#53673: updating zone '0.28.10.in-addr.arpa/IN': adding an RR at '155.0.28.10.in-addr.arpa' PTR
Jul 8 07:14:45 ServerName dhcpd: added reverse map from 155.0.28.10.in-addr.arpa. to PC18.mydomain.lan
Jul 8 07:14:45 ServerName dhcpd: Wrote 76 leases to leases file.
Jul 8 07:14:45 ServerName dhcpd: DHCPREQUEST for 10.28.0.155 (10.28.0.1) from 00:08:54:37:48:a6 (PC18) via eth1
Jul 8 07:14:45 ServerName dhcpd: DHCPACK on 10.28.0.155 to 00:08:54:37:48:a6 (PC18) via eth1
Jul 8 07:16:07 ServerName dhcpd: DHCPINFORM from 10.28.0.155 via eth1
Jul 8 07:16:07 ServerName dhcpd: DHCPACK to 10.28.0.155 (00:08:54:37:48:a6) via eth1
So I suggest you set up DNSSEC: google for DNSSEC Howto