I am currently running Kiwi Syslog 8.3.52
I am logging some edge switches deployed that do not perform DHCP snooping; however, the distribution layer switch they connect to does. I am able to have the distribution switch snoop for DHCP replies from untrusted ports (link to access layer) and generate a syslog message, like this:
005904: Mar 1 17:38:13.216: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0800.27dd.71b8
I have these sent to my Kiwi syslog server and can filter on message text to log offenders, but that will require active checking of the logs or waiting for clients to call indicating they are getting a bogus DHCP address if a rogue server is running in an edge location.
I was wondering if it is possible to somehow extract the MAC address listed after the MAC sa: string and, if so, pass that as well as the IP address of the sending distribution switch to a file that I can reference in a script to SSH to the edge and run a port shutdown or a MAC filter.
Any thoughts would be appreciated, thanks.
You will need to create a script to extract the data to the variables you
want. The text parsing could be a simple vbscript using the split function
on ":". The sending host IP would be an existing Kiwi message variable (I'd
have to look it up but it's in the script docs). Getting it to the SSH
script will depend on how you manage that.
OK, looks like Fields.VarPeerAddress is for the sending host, so I'll look into the split function and see if I can get both values to a file I can then reference in what will call the SSH program and run the necessary commands.
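An added example, not part of the thread and not Kiwi's own scripting API: the extraction step discussed above, written in Python rather than the VBScript suggested, with strict validation because both values end up in commands run over SSH. The function names, the CSV layout, the set of message types and the placeholder peer address are assumptions; the peer address stands in for the value Fields.VarPeerAddress supplies.

```python
import csv
import io
import ipaddress
import re

# Anchor on the mnemonic and on end of line so nothing can trail the MAC.
SNOOP_RE = re.compile(
    r"%DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT:.*?"
    r"message type:\s*(?P<mtype>[A-Z]+),\s*"
    r"MAC sa:\s*(?P<mac>[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})\s*$"
)
# Assumption: server-originated message types worth acting on.
SERVER_TYPES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


def parse_snoop_drop(message, peer_address):
    """Return (switch_ip, mac, message_type), or None if the input does not qualify."""
    match = SNOOP_RE.search(message.strip())
    if match is None or match["mtype"] not in SERVER_TYPES:
        return None
    try:
        switch_ip = str(ipaddress.ip_address(peer_address))
    except ValueError:
        return None  # not a literal IP address: never pass it on to SSH
    return switch_ip, match["mac"].lower(), match["mtype"]


def offenders_csv(events):
    """Return CSV text with one row per unique (switch, MAC) pair."""
    seen, out = set(), io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for message, peer in events:
        record = parse_snoop_drop(message, peer)
        if record and record[:2] not in seen:
            seen.add(record[:2])
            writer.writerow(record)
    return out.getvalue()


# Constructed input: the message from the post; peer addresses are placeholders.
POSTED = ("005904: Mar 1 17:38:13.216: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: "
          "DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, "
          "MAC sa: 0800.27dd.71b8")
SAMPLE = [
    (POSTED, "192.0.2.10"),
    (POSTED, "192.0.2.10"),                  # repeat, written once
    (POSTED + " extra-text", "192.0.2.10"),  # text after the MAC, rejected
    (POSTED, "192.0.2.10 extra"),            # peer is not an IP, rejected
]

if __name__ == "__main__":
    print(offenders_csv(SAMPLE), end="")
```

Syslog content is supplied by whoever can reach the collector, so the SSH step should only ever consume rows that passed this validation.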