DHCP Syslog messages on Sophos Firewall

Hi all,

I have a DHCP server configured on the firewall and I would like to collect DHCP syslog messages in order to detect when an IP has been assigned to a host. However, in System services/Log Settings there are no DHCP options, but rather some categories like Firewall, IPS, Antivirus, Content Filtering, Events etc.

Do DHCP syslog messages belong to some of those categories? Where can I find and configure them?

Thank you in advance,

Nikola



  • Hello there,

    Thank you for contacting the Sophos Community.

    There is no Syslog for the DHCP server, but the logs where you can find this info would be csc.log and applog.log. You can also find this info in the Live Log viewer under System.

    The applog would show l2dhcp_commit : x.x.x.x, mac, 0, Port number

    the csc.log would show [dhcpd_events:5040]: {"dhcpd_events":{"method":"nservice","name":"dhcpd_events:l2dhcp_commit","version":"1.2","type":"json","length":255,"data":{ "ipaddress":"xxx.xxx.xxx.xxx","mac":"xx:xx:xx:xx:03:95","loginfo":"xxx.xxx.xxx.xxx Mon 06 Jun 12:46:24 2022 Tue 07 Jun 12:46:24 2022 24:0a:64:03:03:95 hostname "interfacename":"Port8","leasetime":"86400","clienthost":"hostname","ipfamily":"0" }}}

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hi,

    please review the details in the system log in logviewer.

    ian

    XG115W - v19.5.1 mr-1 - Home


  • Thank you all for the replies. Let me explain what I want to achieve. I would like to send syslog messages related to DHCP leases to an Inventory Asset Management Tool which has a passive network scanning feature to discover new assets on the network. It "sniffs" packets, finds related information and updates the inventory automatically. As soon as a new device is connected to the network and "asks" for an IP, it will be recognized and discovered as a new asset on the network.

    So, it is not a question of whether I can find it in EventViewer, the IPv4 lease table or a log file, but rather of sending that information somewhere else.

    I have added a new syslog server in System services -> Log settings and selected the Events log type. I have got log messages on the target server in a format like the one below:

    06-07-2022    16:30:46    Daemon.Info    10.28.0.1    device="SFW" date=2022-06-07 time=16:30:46 timezone="CEST" device_name="XG330" device_id=xxxx log_id=063411660020 log_type="Event" log_component="DHCP Server" log_subtype="System" status="Renew" priority=Information ipaddress="10.28.11.5" client_physical_address="00:15:5d:0b:09:12" client_host_name="" message="Lease IP 10.28.11.5 renewed for MAC 00:15:5d:0b:09:12" raw_data="10.28.11.5   Tue 07 Jun 16:30:46 2022   Wed 08 Jun 16:30:46 2022   00:15:5d:0b:09:12   MGT-SRV010"

    However, the client_host_name field is empty, while the IPv4 lease table contains the client host name. The host name is located in RAW_DATA as well.

    Do you maybe know why client_host_name is empty in these syslog messages?
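
An added example, not part of the thread and not Sophos code: a parser for the Events syslog line quoted above that falls back to raw_data when client_host_name is empty. The function names are hypothetical, and the rule that the hostname is the text following the MAC address in raw_data is an assumption inferred from the sample line.

```python
import re

# Constructed sample: the syslog line quoted in the thread (device_id is redacted there too).
SAMPLE = ('device="SFW" date=2022-06-07 time=16:30:46 timezone="CEST" device_name="XG330" '
          'device_id=xxxx log_id=063411660020 log_type="Event" log_component="DHCP Server" '
          'log_subtype="System" status="Renew" priority=Information ipaddress="10.28.11.5" '
          'client_physical_address="00:15:5d:0b:09:12" client_host_name="" '
          'message="Lease IP 10.28.11.5 renewed for MAC 00:15:5d:0b:09:12" '
          'raw_data="10.28.11.5   Tue 07 Jun 16:30:46 2022   Wed 08 Jun 16:30:46 2022   '
          '00:15:5d:0b:09:12   MGT-SRV010"')

# key=value pairs; a value is either double-quoted (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
MAC_RE = re.compile(r'(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}')
# The DHCP hostname is supplied by the client, so validate it before it reaches the inventory.
HOST_RE = re.compile(r'[A-Za-z0-9._-]{1,253}')


def parse_kv(line):
    """Return the key=value fields of one syslog line as a dict (any prefix is ignored)."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def hostname_from_raw(raw):
    """Assumption: in raw_data the hostname is whatever follows the client MAC."""
    m = MAC_RE.search(raw)
    return raw[m.end():].strip() if m else ""


def dhcp_lease_event(line):
    """Return a normalized lease record, or None if the line is not a DHCP Server event."""
    f = parse_kv(line)
    if f.get("log_component") != "DHCP Server":
        return None
    host, source = f.get("client_host_name", ""), "client_host_name"
    if not host:
        host = hostname_from_raw(f.get("raw_data", ""))
        source = "raw_data" if host else "none"
    if host and not HOST_RE.fullmatch(host):
        host, source = "", "rejected"
    return {"ip": f.get("ipaddress", ""), "status": f.get("status", ""),
            "mac": f.get("client_physical_address", "").lower(),
            "hostname": host, "hostname_source": source}


if __name__ == "__main__":
    print(dhcp_lease_event(SAMPLE))
```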
