# Author: Justin Henderson
#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolutions.com
# Last Update: 12/9/2016
# This conf file is based on accepting logs for DHCP.  It is currently based on Windows DHCP only.
filter {
  if [type] == "dhcp" {
    mutate {
      add_field => { "Hostname" => "%{host}" }
    }
    mutate {
      strip => "message"
    }
	  # This is the initial parsing of the log
      grok {
        # Server 2008+
        match => { "message" => "%{DATA:id},%{DATE_US:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{IPV4:ip},%{DATA:Hostname},%{DATA:mac},%{DATA:Username},%{INT:TransactionID},%{INT:QResult},%{DATA:ProbationTime},%{DATA:CorrelationID}"}
        # Server 2003
        match => { "message" => "%{DATA:id},%{DATE_US:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{IPV4:ip},%{DATA:Hostname},%{DATA:mac},"}
        match => { "message" => "%{DATA:id},%{DATA:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{DATA:ip},%{DATA:Hostname},%{DATA:mac},"}
      }
	  # This section below translates the message ID into something humans can understand.
      if [id] == "00" {
        mutate {
          add_field => [ "event", "The log was started"]
        }
      }
      if [id] == "01" {
        mutate {
          add_field => [ "event", "The log was stopped"]
        }
      }
      if [id] == "02" {
        mutate {
          add_field => [ "event", "The log was temporarily paused due to low disk space"]
        }
      }
      if [id] == "10" {
        mutate {
          add_field => [ "event", "A new IP address was leased to a client"]
        }
      }
      if [id] == "11" {
        mutate {
          add_field => [ "event", "A lease was renewed by a client"]
        }
      }
      if [id] == "12" {
        mutate {
          add_field => [ "event", "A lease was released by a client"]
        }
      }
      if [id] == "13" {
        mutate {
          add_field => [ "event", "An IP address was found to be in use on the network"]
        }
      }
      if [id] == "14" {
        mutate {
          add_field => [ "event", "A lease request could not be satisfied because the scope's address pool was exhausted"]
        }
      }
      if [id] == "15" {
        mutate {
          add_field => [ "event", "A lease was denied"]
        }
      }
      if [id] == "16" {
        mutate {
          add_field => [ "event", "A lease was deleted"]
        }
      }
      if [id] == "17" {
        mutate {
          add_field => [ "event", "A lease was expired and DNS records for an expired leases have not been deleted"]
        }
      }
      if [id] == "18" {
        mutate {
          add_field => [ "event", "A lease was expired and DNS records were deleted"]
        }
      }
      if [id] == "20" {
        mutate {
          add_field => [ "event", "A BOOTP address was leased to a client"]
        }
      }
      if [id] == "21" {
        mutate {
          add_field => [ "event", "A dynamic BOOTP address was leased to a client"]
        }
      }
      if [id] == "22" {
        mutate {
          add_field => [ "event", "A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted"]
        }
      }
      if [id] == "23" {
        mutate {
          add_field => [ "event", "A BOOTP IP address was deleted after checking to see it was not in use"]
        }
      }
      if [id] == "24" {
        mutate {
          add_field => [ "event", "IP address cleanup operation has began"]
        }
      }
      if [id] == "25" {
        mutate {
          add_field => [ "event", "IP address cleanup statistics"]
        }
      }
      if [id] == "30" {
        mutate {
          add_field => [ "event", "DNS update request to the named DNS server"]
        }
      }
      if [id] == "31" {
        mutate {
          add_field => [ "event", "DNS update failed"]
        }
      }
      if [id] == "32" {
        mutate {
          add_field => [ "event", "DNS update successful"]
        }
      }
      if [id] == "33" {
        mutate {
          add_field => [ "event", "Packet dropped due to NAP policy"]
        }
      }
	  # If the message failed to parse correctly keep the message for debugging.  Otherwise, drop it.
      #if "_grokparsefailure" not in [tags] { 
      #  mutate {
      #    remove_field => [ "message"]
      #  }
      #}
  }
}