So I have a situation where all my logs come in via syslog (sourcetype=syslog, source=udp:514) and are lumped together. The first this I would like to do is to extract a mac address for reporting that can occur anywhere in a dhcpd message. I'm unable to figure out how to flag this easily. Any one have any thoughts? Here are a few examples:
dhcpd: DHCPACK on 10.100.10.12 to 00:00:00:00:00:00 via 10.10.10.10
dhcpd: DHCPREQUEST for 10.20.44.2 from via 10.10.10.12
dhcpd: DHCPDISCOVER from 00:00:00:00:00:00 via 10.44.21.10: network 10.21.23.3/21: no free leases
The other issue at play here is we may want to do this at index time. Is there any easy way to do this since everything is sourcetype=syslog and lumped in with a large number of other types of unrelated log messages (routers, switches, etc).
... View more