Skip to content

[microsoft_dhcp] Add more event.action and event.outcome values #2296

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jan 4, 2022
Merged

[microsoft_dhcp] Add more event.action and event.outcome values #2296

merged 2 commits into from
Jan 4, 2022

Conversation

@pemontto
Copy link
Contributor

@pemontto pemontto commented Dec 1, 2021

What does this PR do?

This PR adds more MS DHCP action types and uses those codes to determine failure outcomes.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Related issues

elastic/beats#29221
@elasticmachine
Copy link

elasticmachine commented Dec 1, 2021
edited
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2022-01-04T16:12:24.272+0000

  • Duration: 14 min 42 sec

  • Commit: bc8915f

Test stats 🧪

Test Results
Failed 0
Passed 5
Skipped 0
Total 5

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.
@elasticmachine
Copy link

elasticmachine commented Dec 2, 2021

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
@jamiehynds jamiehynds added enhancement New feature or request Integration:microsoft_dhcp Microsoft DHCP labels Dec 2, 2021
@jamiehynds
Copy link

jamiehynds commented Dec 3, 2021

@P1llus some nice additions to your DHCP pipeline. Thanks for the PR @pemontto :)
@P1llus
Copy link
Member

P1llus commented Dec 6, 2021

Much appreciated @pemontto ! 👍

Do you happen to have any sample loglines that I can add tests for? If not I can go ahead and merge it.

I might need to make some small commits to the PR to resolve CI that's all.
@P1llus
Copy link
Member

P1llus commented Dec 6, 2021

/test
@pemontto
Copy link
Contributor Author

pemontto commented Dec 6, 2021

@P1llus yes, forgot to link the ticket elastic/beats#29221

Here are some selected samples

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID,Dhcid,VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),RelayAgentInformation,DnsRegError. 10,11/11/21,18:10:19,Assign,10.0.0.130,testhost130.example.COM,01234123,,1058693708,0,,,,0xDEADBEEF1,MSFT 5.0,,,,0 11,11/15/21,00:29:56,Renew,10.0.0.129,testhost1.example.com,01234123,,091234101,0,,,,,,,,,0 11,11/15/21,00:56:45,Renew,10.0.0.115,testhost6.example.com,01234123,,091234101,0,,,,0xDEADBEEF2,MSFT 5.0,,,,0 11,11/15/21,00:56:47,Renew,10.0.0.119,testhost4.example.com,01234123,,091234100,0,,,,0xDEADBEEF3,MSFT 5.0,,,,0 15,11/11/21,20:13:08,NACK,10.0.0.131,,98765431,,0,6,,,,,,,,,0 15,11/17/21,15:52:55,NACK,,,01234123,,0,6,,,,,,,,,0 16,11/12/21,02:51:58,Deleted,10.0.0.131,,,,0,6,,,,,,,,,0 17,11/20/20,00:00:05,DNS record not deleted,10.0.0.1,,,,0,6,,,,,,,,,0 18,11/11/21,22:51:57,Expired,10.0.0.131,,,,0,6,,,,,,,,,0 24,11/15/21,00:00:06,Database Cleanup Begin,,,,,0,6,,,,,,,,,0 25,11/15/21,00:00:06,0 leases expired and 0 leases deleted,,,,,0,6,,,,,,,,,0 30,11/20/20,00:00:05,DNS Update Request,10.0.0.2,hostname2.contoso.com,,,0,6,,,,,,,,,0 30,11/20/20,00:00:05,DNS Update Request,10.0.0.3,hostname3.contoso.com,,,0,6,,,,,,,,,0 31,11/20/20,00:00:05,DNS Update Failed,10.0.0.4,hostname4.contoso.com,,,0,6,,,,,,,,,9005 32,11/21/21,23:55:51,DNS Update Successful,10.0.0.217,hostname217.contoso.com,,,0,6,,,,,,,,,0 55,11/20/21,22:57:36,Authorized(servicing),,EXAMPLE.COM,,,0,6,,,,,,,,,0
@andrewkroh andrewkroh changed the title 🔧 Add more actions and outcomes for MS DHCP [microsoft_dhcp] Add more event.action and event.outcome values Dec 7, 2021
@andrewkroh
Copy link
Member

andrewkroh commented Dec 7, 2021

For reference these are the Event ID meanings I have in my log header.

Event ID Meaning
00 The log was started.
01 The log was stopped.
02 The log was temporarily paused due to low disk space.
10 A new IP address was leased to a client.
11 A lease was renewed by a client.
12 A lease was released by a client.
13 An IP address was found to be in use on the network.
14 A lease request could not be satisfied because the scope's address pool was exhausted.
15 A lease was denied.
16 A lease was deleted.
17 A lease was expired and DNS records for an expired leases have not been deleted.
18 A lease was expired and DNS records were deleted.
20 A BOOTP address was leased to a client.
21 A dynamic BOOTP address was leased to a client.
22 A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted.
23 A BOOTP IP address was deleted after checking to see it was not in use.
24 IP address cleanup operation has began.
25 IP address cleanup statistics.
30 DNS update request to the named DNS server.
31 DNS update failed.
32 DNS update successful.
33 Packet dropped due to NAP policy.
34 DNS update request failed.as the DNS update request queue limit exceeded.
35 DNS update request failed.
36 Packet dropped because the server is in failover standby role or the hash of the client ID does not match.
50+ Codes above 50 are used for Rogue Server Detection information.
andrewkroh
andrewkroh reviewed Dec 7, 2021
View reviewed changes
Copy link
Member

@andrewkroh andrewkroh left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The version in the manifest.yml needs updated and an entry added to the changelog.yml.
andrewkroh
andrewkroh reviewed Dec 9, 2021
View reviewed changes
@andrewkroh
Copy link
Member

andrewkroh commented Jan 4, 2022

/test

The version in the manifest.yml needs updated and an entry added to the changelog.yml. And the pipeline test expected output files probably need updated too.
taylor-swanson
taylor-swanson reviewed Jan 4, 2022
View reviewed changes
packages/microsoft_dhcp/data_stream/log/elasticsearch/ingest_pipeline/default.yml Outdated
Copy link
Contributor

@taylor-swanson taylor-swanson Jan 4, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As a note, I am working on adding DHCPv6 support (#2136) and it uses event IDs above 50 (some around 1000 and others around 11000). We'll need to clamp this check with some upper bound, but I'm not entirely sure what that'd be. I'm not sure how close this is to merging, but we can wait to add the upper bound for my DHCPv6 PR.

There's another check below (which seems wrong actually):

ctx._tmp_?.code >= 50 && ctx._tmp_?.code >= 60

I think the >= 60 part is wrong, but regardless, that will also need to be clamped by some upper bound that doesn't conflict with DHCPv6 event IDs.
@andrewkroh
Copy link
Member

andrewkroh commented Jan 4, 2022

I updated the generated test files, incremented the version, and added a changelog. This should be good to merge now.
@andrewkroh andrewkroh merged commit 74a2c2d into elastic:master Jan 4, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request Integration:microsoft_dhcp Microsoft DHCP

6 participants

@pemontto @elasticmachine @jamiehynds @P1llus @andrewkroh @taylor-swanson