Hi
I'm attempting to use grok patterns in my logstash config to tokenise output from dhcpd.
I have successfully managed it apart from one bit... DHCPD sometimes removes leading 0's from MAC addresses, specifically on the COMMIT messages.
The log line we get looks like this:
"Jul 20 09:51:45 dhcp-server dhcpd[19674]: DHCPCOMMIT: IP: 100.101.102.103 MAC: 0:f:84:5a:f0:e0 Option82: 172.16.16.16 eth 000021/024:0100 LT: 3600"
My grok pattern looks like this:
grok {
  match => [ "syslog_message", "(?<dhcp_action>.*): IP: %{IP:dhcp_ip}.* MAC: %{NOTSPACE:dhcp_mac_address}.* Option82: %{GREEDYDATA:dhcp_option_82_data}.* LT: %{INT:dhcp_lt}" ]
}
which means I now have a field called dhcp_mac_address with the value "0:f:94:54:f0:e0".
What can I do here to change that to "00:0f:94:54:f0:e0"?
The general pattern is that for each section of the MAC address, if there is only one character then put a 0 in front of it.
Thanks in advance
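
One way to apply the padding rule described in the post, as an added example that is not part of the original post. It is written in Ruby, the language Logstash's ruby filter runs; the helper names `normalize_mac` and `extract_commit`, the `dhcp_mac_raw` field, the regex standing in for the grok pattern, and the choice to lower-case the result are assumptions of this example.

```ruby
# Added example: restore the leading zeros dhcpd drops from MAC octets so the
# field can be joined against other log sources on an exact string match.
# normalize_mac, extract_commit and dhcp_mac_raw are hypothetical names.

MAC_OCTET = /\A\h{1,2}\z/ # exactly one or two hex digits

# Returns six zero-padded, lower-case octets joined by ':', or nil when the
# input is not a six-part colon-separated hex address. Returning nil instead
# of a best guess keeps malformed values from being "repaired" into a
# plausible-looking but wrong address.
def normalize_mac(raw)
  return nil unless raw.is_a?(String)
  parts = raw.strip.split(':', -1) # -1 keeps empty trailing parts
  return nil unless parts.length == 6
  return nil unless parts.all? { |p| p.match?(MAC_OCTET) }
  parts.map { |p| p.downcase.rjust(2, '0') }.join(':')
end

# Plain-Ruby stand-in for the grok match, using the post's field names.
COMMIT_RE = /(?<action>DHCP\w+): IP: (?<ip>\S+) MAC: (?<mac>\S+) Option82: (?<opt82>.*) LT: (?<lt>\d+)/

def extract_commit(line)
  m = COMMIT_RE.match(line)
  return nil unless m
  {
    'dhcp_action'         => m[:action],
    'dhcp_ip'             => m[:ip],
    'dhcp_mac_address'    => normalize_mac(m[:mac]),
    'dhcp_mac_raw'        => m[:mac], # original value kept for forensics
    'dhcp_option_82_data' => m[:opt82],
    'dhcp_lt'             => m[:lt].to_i
  }
end

# The log line quoted in the post.
SAMPLE = 'Jul 20 09:51:45 dhcp-server dhcpd[19674]: DHCPCOMMIT: IP: 100.101.102.103 ' \
         'MAC: 0:f:84:5a:f0:e0 Option82: 172.16.16.16 eth 000021/024:0100 LT: 3600'

if __FILE__ == $PROGRAM_NAME
  puts extract_commit(SAMPLE).inspect
end
```

Inside Logstash the same function can be called from a ruby filter, reading the grok output with `event.get('dhcp_mac_address')` and writing the padded value back with `event.set`.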