Hello,
I am tracking computers with dynamic IP addresses. How can I add a field or column for the MAC address so I know which traffic belongs to which computer?
Hi,
I'm not sure if I understand the request. The syslog protocol itself doesn't support MAC address info (see e.g. RFC 5424 - The Syslog Protocol). And the software can't figure it out even from network traffic, as the source MAC address changes with each hop.
Regards,
Jiri
Thanks.
Jiri is correct that the software cannot track this and that it becomes irrelevant after the first hop, but that's not to say it cannot be done at all, if all of the machines you want to track are on the same subnet and do not pass through a router or firewall.
If the machines you are looking to track are communicating with your copy of Syslog, then you currently have their IP address. It's dynamic, as you say, so that means nothing to you, but if you already know the MAC addresses then it becomes simple (relatively speaking) to track which messages come from which machines regardless of IP address.
On every message you receive, run a script and check the source IP address of the message. Have the script run an ARP command from the command prompt and check the results to match a MAC address to the IP address just received. Then change the hostname or message text of the Syslog message to reflect the MAC address that matched.
While there is definitely some scripting involved and it might be a little complex for someone just getting started, you would now have MAC address based Syslogging.
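The per-message ARP lookup described above, as an added example that is not part of the original thread or of any syslog product: it parses the host's neighbour table, matches the sender IP to a MAC, and rewrites the hostname field of a BSD-style syslog line. It assumes a Linux syslog host with iproute2 (`ip neigh show`); on Windows the source would be `arp -a` with a different layout. The neighbour-table text and the syslog line below are constructed sample data so the script runs offline.

```python
"""Added example (not from the thread): tag syslog lines with the sender's MAC
taken from the local ARP/neighbour table. Only works when the sender is on the
same L2 segment as the syslog host; past a router the MAC you see is the router's.
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

# Constructed sample of `ip neigh show` output on a Linux syslog host (assumption:
# iproute2 is installed; on Windows the equivalent source would be `arp -a`).
SAMPLE_NEIGH = """\
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.21 dev eth0 lladdr AA:BB:CC:DD:EE:FF STALE
192.168.1.1 dev eth0 lladdr 0c:0c:0c:0c:0c:0c REACHABLE
192.168.1.99 dev eth0 FAILED
"""

# Constructed BSD-syslog (RFC 3164 style) line as a Windows agent might forward it.
SAMPLE_MSG = "<13>Oct 11 22:14:15 WKSTN-7 MSWinEventLog: 4624 logon succeeded"

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+\S+\s+lladdr\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I
)
# <PRI>TIMESTAMP HOSTNAME rest ; TIMESTAMP is "Mmm dd hh:mm:ss" with a space-padded day.
BSD_RE = re.compile(
    r"^(?P<pri><\d{1,3}>)(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$"
)


def parse_neigh(text: str) -> Dict[str, str]:
    """Map IPv4 -> lower-case MAC from `ip neigh` output. Entries without lladdr
    (FAILED / INCOMPLETE) are skipped because there is no MAC to report."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def load_neigh_table() -> Dict[str, str]:
    """Read the live neighbour table (Linux only). Not used by the offline demo."""
    out = subprocess.run(["ip", "neigh", "show"], capture_output=True, text=True, check=True).stdout
    return parse_neigh(out)


def tag_with_mac(line: str, src_ip: str, table: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Replace the HOSTNAME field with the sender's MAC (colons -> dashes, since the
    hostname field must not contain ':'). Returns (new_line, mac). If the IP is not
    in the table (off-subnet sender, or ARP entry expired) the line is returned
    unchanged with mac=None so the caller can fall back to IP-based handling."""
    mac = table.get(src_ip)
    if mac is None:
        return line, None
    m = BSD_RE.match(line)
    if not m:
        # Unparsable line: append the MAC to the text instead of guessing a layout.
        return f"{line} [mac={mac}]", mac
    return f"{m.group('pri')}{m.group('ts')} {mac.replace(':', '-')} {m.group('rest')}", mac


if __name__ == "__main__":
    tbl = parse_neigh(SAMPLE_NEIGH)
    for ip in ("192.168.1.20", "10.0.0.5"):
        print(tag_with_mac(SAMPLE_MSG, ip, tbl))
```

Two caveats a practitioner would want: UDP syslog is one-way, so the receiving kernel may not have an ARP entry for a sender it has never replied to, and a single ping to the source IP before the lookup forces resolution; and the MAC is trivially spoofable and expires from the cache, so treat it as a label for correlation, not as authentication of the sender.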
Is this the only way to track dynamic IP sources, and can anyone script this for me for a fee?
I would be happy to script this even without a fee, I just don't have the time at the moment.
Also, make sure you understand that the original poster wanted to track event logs forwarded from computers with dynamic IP addresses. I don't know that there are any good reasons to have switches or other network devices use DHCP, but this would likely not work for them.
There might also be an easier way I just thought of too...
Don't the event log messages include the hostname of the PC they are coming from? If that's the case, you could just filter the message text looking for the hostname and avoid scripting altogether.
Thanks for your speedy reply.
This is pending a presale; I was expecting paid support to jump the gun, but one can always dream, right? And yes, I did submit an official
support ticket days ago.
I have the exact scenario: the ISP changes the IP every 5 minutes and the host does not identify itself,
so I get lots of unknown IPs sending logs, mostly end-user PCs. I'm tinkering around with facilities to ID the incoming IP.
I just set up Snort to feed my syslog; this will help with ID, but nothing is K.I.S.S. (keep it simple, stupid),
and here I thought we were living in the 21st century.
Too bad you do not have the time; I will also check some contract scripting outsource services.
I wouldn't have been able to help you with this anyway, as the MAC address would not be accurate coming from outside your network. The only way using the ARP table would work is if these were PCs on the same subnet within your internal network where you are syslogging. From the sounds of it, you are referring to remote users who are connecting to your network, and at that point I'm curious exactly what you are syslogging from these users.
If it's event logs, refer to my earlier comment about the hostname being included within the event messages. You should be able to do this with a simple rule and forget all about MAC addresses; just use the hostname in the message text.