Grok Pattern to add missing characters to a mac address


(Martinrw) #1

Hi

I'm attempting to use grok patterns in my logstash config to tokenise output from dhcpd.
I have successfully managed it apart form one bit... DHCPD sometimes removes leading 0's from Mac addresses, specifically on the COMMIT messages

The log line we get looks like this:

"Jul 20 09:51:45 dhcp-server dhcpd[19674]: DHCPCOMMIT: IP: 100.101.102.103 MAC: 0:f:84:5a:f0:e0 Option82: 172.16.16.16 eth 000021/024:0100 LT: 3600"

my grok pattern looks like this

        grok {
      match => [ "syslog_message", "(?<dhcp_action>.*): IP: %{IP:dhcp_ip}.* MAC: %{NOTSPACE:dhcp_mac_address}.* Option82: %{GREEDYDATA:dhcp_option_82_data}.* LT: %{INT:dhcp_lt}" ]
    }

which means I now have a field called dhcp_mac_address with the value "0:f:94:54:f0:e0"

What can I do here to change that to "00:0f:94:54:f0:e0"

The general pattern is that for each section of the mac address, if there is only one character then put a 0 in front of it.

Thanks in advance


#2

There has to be a better way, but this will do it.

    ruby {  
        code => '
            s = ""
            a = event.get("dhcp_mac_address").split(":").each { |x|
                s += sprintf("%02x", x.to_i(16)) + ":"
            }
            event.set("dhcp_mac_address2", s[0..-2])
        '
    }

(Martinrw) #3

Thanks Badger, that worked.

I may also investigate fixing the issue at source - https://kb.isc.org/article/AA-01039/0/Formatting-MAC-addresses-in-dhcpd-or-why-does-binary-to-ascii-strip-leading-zeroes.html
but until then this seem alright.

Cheers


(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.