How to parse optional fields in dhcp lease logs?

Elastic Stack Logstash
1

I want help in parsing of optional fields

lease 1.1.1.1 {
  starts 5 2025/02/14 05:32:50;
  ends 5 2025/02/14 05:37:55;
  tstp 5 2025/02/14 05:37:55;
  cltt 5 2025/02/14 05:37:54;
  binding state free;
  hardware ethernet 58:96:71:a5:89:f4;
  uid "\001X\226q\245\211\364";
}


lease 1.1.1.1 {
  starts 5 2025/02/14 05:38:59;
  ends 0 2025/03/16 05:38:59;
  cltt 5 2025/02/14 05:38:59;
  binding state active;
  next binding state free;
  rewind binding state free;
  hardware ethernet d8:32:e3:20:0b:01;
  uid "\001\3302\343 \013\001";
  set vendor-class-identifier = "android-dhcp-9";
  client-hostname "RedmiNote5Pro-Redmi";
}

Following is the grok pattern in which some fields sometimes comes and sometimes doesn't come.

How to make it in a way that even if the field doesn't come other fields should still be parsed.

lease %{IP:ip_address} \{
  starts %{NUMBER} (?<starts>%{YEAR}/%{MONTHNUM}/%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND});
  ends %{NUMBER} (?<ends>%{YEAR}/%{MONTHNUM}/%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND});
  tstp %{NUMBER} (?<tstp>%{YEAR}/%{MONTHNUM}/%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND});
  cltt %{NUMBER} (?<cltt>%{YEAR}/%{MONTHNUM}/%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND});
  binding %{GREEDYDATA:binding};
  next %{GREEDYDATA:next};
  rewind %{DATA:rewind};
  hardware ethernet %{GREEDYDATA:hardware};
  uid %{GREEDYDATA:uid};
  set vendor-class-identifier = %{DATA:vendor-class-identifier};
  client-hostname %{GREEDYDATA:client-hostname};
}
2

how is this different from the Q you already posted?

3

I would use grok with break_on_match set to false and an array of patterns like

'uid "(?<uid>[^;]*)";',
'ends (?<ends>[^;]*);',

to pull out one line at a time.

4

both are same

5

not working

6

suggest something else

1 Like