# LCE PRM LIBRARY
# Copyright 2004-2014 Tenable Network Security
#
# This library may only be used with the LCE server and may not
# be used with other products or open source projects
#
# NAME:
# DHCP event library
#
# DESCRIPTION:
#
# These signatures look for a variety of events. They can 
# be used by a LCE server receiving SYSLOG messages from a
# DHCP Server running 'dhcpd' or from a Windows server with
# a DHCP server enabled. It also processes events from the ISC's
# dhclient for UNIX systems. 
#
# For UNIX SYSLOG messages, the message must be sent via SYSLOG 
# to LCE or read by a LCE client. 
#
# For Windows, the Windows LCE Client must specifically be configured 
# to monitor the DHCP server audit logs, which are normally contained 
# in multiple daily log files located in "C:\Windows\System32\dhcp". 
# The LCE Windows client should be configured to monitor the 
# entire directory and not the current log file. 
#
# For more info on the Windows DHCP server log files see:
# http://technet.microsoft.com/en-us/library/dd183591(v=ws.10).aspx
#
# LAST UPDATE: $Date$

# ISC dhcpd "DHCPREQUEST for <addr> from ..." line; $1 (the requested address) is logged as dstip.
# "!udhcpd" leaves udhcpd lines to rule 2958 and "!event=dhcp_request" leaves the event=/msg= form to rule 3603.
# The regex needs "from" right after the address, so lines with a second address in parentheses fall to 2957.
id=2955
name=A DHCP request was logged by the dhcpd process.
match=cp
match=dhcp
match=DHCPREQUEST
match=ST
match= DHCPREQUEST for
match=!udhcpd
match=!event=dhcp_request
regex=DHCPREQUEST for ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) from
log=type:dhcp event:DHCP-Request dstip:$1

NEXT

# dhcpd DHCPREQUEST variant with a second address in parentheses: $1 (requested address) -> srcip, $2 -> dstip.
# "!udhcpd" is needed because the substring "dhcpd:" also occurs in "udhcpd:" lines (those belong to 2958).
# NOTE(review): 2955 tags the requested address as dstip, this rule tags it as srcip -- confirm which is intended.
id=2957
name=A DHCP request was logged by the dhcpd process.
match=cp
match=dhcp
match=dhcpd:
match=!udhcpd
match=DHCPREQUEST
match=ST
match=DHCPREQUEST for
regex=dhcpd: DHCPREQUEST for ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) \(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\)
log=type:dhcp event:DHCP-Request srcip:$1 dstip:$2

NEXT

# "udhcpd: ... DHCPREQUEST for <addr> from <mac>" line; $1 -> dstip.
# The regex requires a six-group colon-separated MAC after "from"; lines without one do not match.
id=2958
name=A DHCP IP address lease request was received by the udhcpd process.
match=cp
match=dhcp
match=udhcpd
match=ST
match=DHCPREQUEST
match=DHCPREQUEST for
regex=udhcpd:.*DHCPREQUEST for ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) from ..\:..\:..\:..\:..\:..
log=type:dhcp event:DHCP-Request dstip:$1

NEXT

# NOTE - 2960 starts the Microsoft firewall ID range, so we will jump to 3600

# dhclient "No DHCPOFFERS received." message; no address is extracted, logged as type:error.
id=3600
name=The UNIX dhcpclient has not received any DHCP offers. At least one interface may not have an IP address.
match=ent
match=client
match=dhclient:
match=ce
match=ed
match= No DHCPOFFERS received.
match=ER
log=type:error event:DHCPCLIENT-No_Offers

NEXT

# dhclient "No working leases in persistent database" message; no address is extracted, logged as type:error.
id=3601
name=The dhcpclient has no working DHCP leases. At least one interface may not have an IP address.
match=ent
match=client
match=dhclient:
match=ing
match=le
match= No working leases in persistent database
log=type:error event:DHCPCLIENT-No_Working_Leases

NEXT

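# dhclient "bound to <addr> -- renewal in <n> seconds" line; $1 (the leased address) -> srcip.
# The rule name is user-facing text; the misspelling "cuccessful" is corrected.
id=3602
name=The dhcpclient has made a successful DHCP lease and now has an IP address.
match=ent
match=client
match=dhclient
match= bound to
match= renewal in
regex=.*bound to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) --
log=type:dhcp event:DHCPCLIENT-Address_Leased srcip:$1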

NEXT

# DHCPREQUEST line in the "event=dhcp_request ... msg=DHCPREQUEST for <addr>" form, which 2955 excludes via
# "!event=dhcp_request"; $1 -> dstip, the same field mapping as 2955.
id=3603
name=A DHCP request was logged by the dhcpd process.
match=cp
match=dhcp
match=ST
match=DHCPREQUEST
match=msg=DHCPREQUEST for
match=ent
match=est
match=event=dhcp_request
match=event
match=request
regex=DHCPREQUEST for ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) from
log=type:dhcp event:DHCP-Request dstip:$1

NEXT

# "DHCP packet too small" error carrying srcIP/dstIP/srcPort/dstPort fields; $1..$4 -> srcip/dstip/srcport/dstport.
# NOTE(review): the match " debugDHCP packet too small" has no separator between the level and the text --
# presumably the source emits them adjacent; verify against a sample line before relying on it.
id=3604
name=DHCP has issued an error of a packet too small. This could indicate network scanning or network connectivity issues.
match=cp
match=dhcp
match= dhcpd[
match=ack
match= debugDHCP packet too small
match=debug
regex=.*srcIP: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) dstIP: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) srcPort: ([0-9]+) dstPort: ([0-9]+)
log=type:error event:DHCP-Packet_Too_Small srcip:$1 dstip:$2 srcport:$3 dstport:$4

NEXT

# dhcpd DHCPDISCOVER line WITHOUT the "no free leases" suffix; that variant is rule 3633. No address is extracted.
id=3605
name=A DHCP Discover was issued.
match=!no free leases
match=cp
match=dhcp
match=rom
match= dhcpd: DHCPDISCOVER from
match=ER
log=type:dhcp event:DHCP-Discover

NEXT

# dhcpd "DHCPOFFER on <addr> to <mac>" line; $1 (the offered address) -> srcip.
# NOTE(review): 2955/3622 tag the requested address as dstip while the offered address is tagged srcip here -- confirm.
id=3606
name=A DHCP Offer was issued.
match=cp
match=dhcp
match=dhcpd: DHCPOFFER on
match=ER
regex=DHCPOFFER on ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) to
log=type:dhcp event:DHCP-Offer srcip:$1

NEXT

# dhcpd DHCPINFORM line carrying two addresses; $1 (address after "from") -> srcip, $2 (last address) -> dstip.
# A "DHCPINFORM from <addr> via <addr>" line also satisfies rule 3616; only "via <interface>" lines are unique to 3616.
id=3607
name=A DHCP inform was issued.
match=cp
match=dhcp
match=rom
match=dhcpd: DHCPINFORM from
match=IN
match=FO
regex=DHCPINFORM from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:dhcp event:DHCP-Inform srcip:$1 dstip:$2

NEXT

# Any DHCPACK line ("on", "to" or "from"); because ".*" is greedy, $1 is the LAST address on the line -> dstip.
# On a relayed "... via <relay-addr>" line that is the relay address, not the acknowledged lease.
# This rule also covers the disabled 3613 ("DHCPACK on") below.
id=3608
name=A DHCP ACK was issued to, on or from an IP.
match=dhc
match=DHCPACK
regex=DHCPACK .* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:dhcp event:DHCP-Ack dstip:$1

NEXT

# dhcpd dynamic-DNS "added reverse map from <addr>" line; $1 -> srcip.
id=3609
name=A DHCP has added a reverse map.
match=cp
match=dhcp
match=rom
match=ed
match=dhcpd: added reverse map from
regex= dhcpd: added reverse map from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:dhcp event:DHCP-Reverse_Map_Added srcip:$1

NEXT

# dhcpd "uid lease <addr> for client ... is duplicate on ..." line; $1 -> srcip.
id=3610
name=A DHCP lease is a duplicate.
match=cp
match=dhcp
match=le
match=dhcpd: uid lease
match=ent
match=for client
match=ate
match=is duplicate on
regex= dhcpd: uid lease ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*is duplicate on
log=type:dhcp event:DHCP-Lease_Duplicate srcip:$1

NEXT

# dhcpd dynamic-DNS "unable to add reverse map from <addr>... timed out" line; $1 -> srcip, logged as type:error.
# The "connection refused" variant of the same message is rule 3626.
id=3611
name=A DHCP request is unable to add reverse map and timed out.
match=cp
match=dhcp
match=rom
match=le
match=dhcpd: unable to add reverse map from
match=ed
match=timed out
regex= dhcpd: unable to add reverse map from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\..*timed out
log=type:error event:DHCP-Timed_Out srcip:$1

NEXT

# dhcpd "BOOTREQUEST from ... BOOTP from dynamic client and no dynamic leases" line; no regex, no address extracted.
id=3612
name=A DHCP BOOTREQUEST from a dynamic client and no dynamic leases.
match=cp
match=dhcp
match=OT
match=OOT
match=TR
match=ST
match=rom
match=dhcpd: BOOTREQUEST from
match=ent
match=TP
match=le
match=BOOTP from dynamic client and no dynamic leases
match=an
log=type:dhcp event:DHCP-BOOTREQUEST 

#NEXT

#id=3613
#name=A DHCP ACK was issued on an IP.
#example=<190>Aug  2 07:42:32 dcns1 dhcpd: DHCPACK on 172.30.1.239 to 00:22:68:3c:82:3d (nyin2-win7) via eth0
#match=cp
#match=dhcp
#match=dhcpd: DHCPACK on
#regex=dhcpd: DHCPACK on ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) to
#log=type:dhcp event:DHCP-ACK srcip:$1

NEXT

# dhcpd dynamic-DNS forward-map failure "FAILED: Has an A record but no DHCID, not mine";
# $1 (the address after "to") -> srcip, logged as type:error.
id=3614
name=A DHCP has forwarded a map and has failed, it has an A record but no DHCID.
match=cp
match=dhcp
match=rom
match=ar
match=dhcpd: Forward map from
match=FAILED: Has an A record but no DHCID, not mine
match=an
regex=dhcpd: .* to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) FAILED: Has an A record but no DHCID
log=type:error event:DHCP-No_DHCID srcip:$1

NEXT

# Windows event 1020 (System log, Warning): scope "<n> percent full with only <n> IP addresses remaining".
# $1 -> sensor and $2 (the "IP:" field) -> srcip; the same header regex is shared by 3618-3621 and 3668-3670.
id=3615
name=The Windows DHCP server is nearing a limit of available IP address leases. 
match=percent full with only
match=IP addresses remaining.
match=,1020,
match=arn
match=address
match=System
match=ar
match=tem
match=in
match=ystem
match=ce
match=IP
match=rem
match=,Warning,
match=System,
match=ent
match=Warning
match=ing
match=,Warning
match=ss
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:error event:DHCP-Leases_Running_Out sensor:$1 srcip:$2 event2:WindowsEvent-1020

NEXT

# dhcpd "DHCPINFORM from <addr> via <interface-or-addr>" line; $1 -> srcip.
# Lines where "via" is followed by an address also match rule 3607 (two-address form).
id=3616
name=A DHCP inform was issued.
match=cp
match=dhcp
match=rom
match=dhcpd: DHCPINFORM from
match=IN
match=FO
regex=DHCPINFORM from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) via
log=type:dhcp event:DHCP-Inform srcip:$1

NEXT

# dhcpd "Dynamic and static leases present for <addr>" line; $1 -> srcip.
id=3617
name=A DHCP has dynamic and static leases present.
match=cp
match=dhcp
match=dhcpd: Dynamic and static
match=at
match=sta
regex=Dynamic and static leases present for ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:dhcp event:DHCP-Leases_Present srcip:$1

NEXT

# Windows event 1103: "Your computer was successfully assigned an address from the network".
# $1 -> sensor, $2 (the "IP:" field) -> srcip, same header regex as 3615.
id=3618
name=DHCP has successfully assigned an address from the network to your computer.
match=cp
match=hcp
match=was
match=success
match=successful
match=successfully
match=ss
match=ass
match=an
match=address
match=add
match= network
match=net
match=work
match=Your computer was successfully assigned an address from the network
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:dhcp event:DHCP-Address_Assigned sensor:$1 srcip:$2 event2:WindowsEvent-1103

NEXT

# Windows event 1003: "Your computer was not able to renew its address from the network".
# $1 -> sensor, $2 (the "IP:" field) -> srcip, same header regex as 3615.
id=3619
name=DHCP has been unable to renew your computers address from the network.
match=cp
match=hcp
match=was
match=to
match=no
match=address
match= network
match=net
match=work
match=Your computer was not able to renew its address from the network
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:dhcp event:DHCP-Unable_To_Renew_Address sensor:$1 srcip:$2 event2:WindowsEvent-1003

NEXT

# Windows event 1059: "DHCP service failed to see a directory server for authorization".
# $1 -> sensor, $2 (the "IP:" field) -> srcip, same header regex as 3615. Logged as type:dhcp, not type:error.
id=3620
name=DHCP has failed to see a directory server for authorization.
match=rr
match=Error
match=service
match=failed
match=to
match=server
match=Server
match=auth
match=DHCP
match=DHCP service failed to see a directory server for authorization
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:dhcp event:DHCP-Failed_To_See_Directory sensor:$1 srcip:$2 event2:WindowsEvent-1059

NEXT

# Windows event 1063 (Warning): ",There are no IP addresses available".
# $1 -> sensor, $2 (the "IP:" field) -> srcip, same header regex as 3615.
id=3621
name=DHCP has no IP addresses available for lease in the scope.
match=in
match=ss
match=ai
match=se
match=IP
match=Server
match=ing
match=Warning
match=er
match=,There are no IP addresses available
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:dhcp event:DHCP-No_Addresses_Available sensor:$1 srcip:$2 event2:WindowsEvent-1063

NEXT

# "DHCPREQUEST on ... to <addr> port ..." form; $1 -> dstip. Same udhcpd / event=dhcp_request exclusions as 2955.
id=3622
name=A DHCP request was logged by the dhcpd process.
match=dhc
match=DHCPREQUEST
match=ST
match= DHCPREQUEST 
match=on
match=!udhcpd
match=!event=dhcp_request
regex=DHCPREQUEST on.* to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) port
log=type:dhcp event:DHCP-Request dstip:$1

NEXT

# dhclient version banner ("... DHCP Client ..."); $1, the token immediately before "dhclient", is logged as sensor.
id=3623
name=The version of dhclient has been logged.
match=dhc
match=dhclient
match=In
match=rn
match=Co
match=ort
match=DHCP
match=Client
regex= ([a-zA-Z0-9._-]+) dhclient.*DHCP Client .*
log=type:dhcp event:DHCPCLIENT-version sensor:$1

NEXT

# dhcpd "DHCPRELEASE of <addr> from <mac>" line; $1 (the released address) -> srcip. Same exclusions as 2955.
id=3624
name=A DHCP release was logged by the dhcpd process.
match=dhc
match=DHCPRELEASE
match=SE
match= DHCPRELEASE
match=of
match=!udhcpd
match=!event=dhcp_request
regex=DHCPRELEASE of ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) from
log=type:dhcp event:DHCP-Release srcip:$1

NEXT

# dhcpd dynamic-DNS "Added new forward map from <name> to <addr>" line; $1 -> srcip, $2 -> dstip.
# NOTE(review): $1 is the name after "from" (letters/dots/dashes), so srcip receives a hostname -- confirm LCE accepts that.
id=3625
name=A DHCP has added a forward map.
match=cp
match=dhcp
match=rom
match=ed
match=dhcpd: Added new forward map from
match=dd
match=for
match=rd
match=ew
regex= dhcpd: Added new forward map from ([a-zA-Z0-9._-]+) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:dhcp event:DHCP-Forward_Map_Added srcip:$1 dstip:$2 

NEXT

# dhcpd dynamic-DNS "unable to add reverse map from <addr> ... to <name>", connection-refused variant (timeout is 3611).
# $1 (address) -> srcip; $2 is the name after "to" and lands in dstip -- confirm LCE accepts a hostname there.
id=3626
name=A DHCP has been unable to add reverse map, connection refused.
match=cp
match=dhcp
match=rom
match=ed
match=dhcpd: unable to add reverse map from
match=dd
match=rev
match=se
match=un
match=connection refused
regex= dhcpd: unable to add reverse map from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* to ([a-zA-Z0-9._-]+)
log=type:dhcp event:DHCP-Reverse_Map_Unable_To_Add srcip:$1 dstip:$2

NEXT

# dhcpd dynamic-DNS "removed reverse map on <addr>" line; $1 -> srcip.
id=3627
name=A DHCP has removed a reverse map.
match=cp
match=dhcp
match=ed
match=dhcpd: removed reverse map on
match=re
match=mo
match=se
match=rev
match=ma
match=on
regex= dhcpd: removed reverse map on ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:dhcp event:DHCP-Reverse_Map_Removed srcip:$1

NEXT

# dhcpd dynamic-DNS update line "if ... rrset doesn't exist delete ..."; no regex, no address is extracted.
# NOTE(review): the event name says IN_TXT but no match line requires "IN TXT" -- the rule fires on any such line.
id=3628
name=A DHCP rrset doesn't exist then delete. 
match=cp
match=dhcp
match=rr
match=et
match=dhcpd: if
match=rrset doesn't exist delete
match=do
match=ex
match=st
match=de
match=le
match=te
match=cc
match=ss
log=type:dhcp event:DHCP-Delete_IN_TXT_Success 

NEXT

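# dhcpd dynamic-DNS "if ... rrset exists delete ..." line; $1 and $2 are the two "IN A" addresses -> srcip/dstip.
# "!no such RRset" leaves the failure variant to rule 3630 (same split as 3605/3633); without it a
# "no such RRset" line satisfies both rules' match sets and both regexes.
id=3629
name=A DHCP delete IN A success.
match=cp
match=dhcp
match=dhcpd: if
match=rrset exists delete
match=!no such RRset
match=rr
match=st
match=ex
match=de
match=te
match=cc
match=ss
regex= dhcpd: if.* IN A ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* IN A ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:dhcp event:DHCP-Deleted_IN_A_Success srcip:$1 dstip:$2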

NEXT

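# "no such RRset" variant of rule 3629; $1 and $2 are the two "IN A" addresses -> srcip/dstip.
# NOTE(review): the event name spells it "No_RRest"; renaming would change the emitted event, so it is not changed here.
# A duplicated "match=st" line is removed (identical match lines add nothing).
id=3630
name=A DHCP delete IN A but no such RRset.
match=cp
match=dhcp
match=dhcpd: if
match=rrset exists delete
match=rr
match=st
match=ex
match=de
match=te
match=no such RRset
match=RR
match=no
match=su
match=set
regex= dhcpd: if.* IN A ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* IN A ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:dhcp event:DHCP-Deleted_IN_A_No_RRest srcip:$1 dstip:$2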

NEXT

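# dhcpd "Wrote <n> leases to leases file" line; no regex, no address is extracted.
# A duplicated "match=le" line is removed (identical match lines add nothing).
id=3631
name=A DHCP wrote a number of leases to the leases file.
match=cp
match=dhcp
match=dhcpd:
match=dhcpd: Wrote
match=leases to leases file
match=Wr
match=te
match=ea
match=le
match=ses
match=to
match=fi
log=type:dhcp event:DHCP-Wrote_Leases_To_File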

NEXT

# dhcpd "non-null pointer" message; no regex, no address is extracted.
id=3632
name=A DHCP non-null pointer.
match=cp
match=dhcp
match=dhcpd:
match=non-null pointer
match=ll
match=nu
match=no
match=on
match=po
match=in
match=ter
log=type:dhcp event:DHCP-Non_Null_Pointer

NEXT

# dhcpd DHCPDISCOVER line WITH the "no free leases" suffix (complement of rule 3605). No address is extracted.
id=3633
name=A DHCP Discover was issued with no free leases.
match=no free leases
match=cp
match=dhcp
match=rom
match= dhcpd: DHCPDISCOVER from
match=ER
log=type:dhcp event:DHCP-Discover_No_Free_Leases

NEXT

# dhcpd dynamic-DNS "Unable to add forward map from ... <name> to <addr>" line; $1 -> srcip, $2 -> dstip.
# NOTE(review): $1 is a name token, so srcip receives a hostname (as in 3625) -- confirm LCE accepts that.
id=3634
name=A DHCP was unable to add a forward map.
match=cp
match=dhcp
match=rom
match=Un
match=dhcpd: Unable to add forward map
match=dd
match=for
match=rd
match=map
regex= dhcpd: Unable to add forward map from.* ([a-zA-Z0-9._-]+) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:dhcp event:DHCP-Unable_To_Add_Forward_Map srcip:$1 dstip:$2

NEXT

# dhcpd "DHCPNAK on <token> ... via <addr>" line; $1 (may be a name or an address) -> srcip, $2 -> dstip.
# The regex requires an address after "via"; lines ending in "via <interface>" do not match.
id=3635
name=A DHCP DHCPNAK.
match=cp
match=dhcp
match=on
match=DHCPNAK
match=via
match=DH
match=CP
match=NAK
match=ia
regex=DHCPNAK on ([a-zA-Z0-9._-]+).* via ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:dhcp event:DHCP-DHCPNAK srcip:$1 dstip:$2

##############################
#   WINDOWS DHCP AUDIT LOG   #
##############################

NEXT

# Windows DHCP audit-log row, event id 00 "Started". Rows are anchored as "^id,date,time,description,".
id=3636
name=A Windows DHCP Server log has started.
match=ta
match=tart
match=art
match=te
match=tar
match=ed
match=Start
match=rt
match=Started
regex=^00,[0-9/]+,[0-9:]+,Started,
log=type:system event:DHCP-Log_Start_Windows

NEXT

# Windows DHCP audit-log row, event id 01 "Stopped". The single-character "match=p" is a very weak pre-filter;
# the anchored regex does the real selection.
id=3637
name=A Windows DHCP Server log has stopped.
match=p
match=ed
match=Sto
match=pp
match=topp
match=to
match=St
match=op
regex=^01,[0-9/]+,[0-9:]+,Stopped,
log=type:system event:DHCP-Log_Stop_Windows

# NEXT
#
# id=3638
# name=A Windows DHCP Server log has temporarily paused due to low disk space.
# example=02,NEED SAMPLE
# match=
# log=type:system event:DHCP-Log_Pause_Windows

NEXT

# Windows DHCP audit-log row, event id 10 "Assign"; $1 (the assigned address) -> dstip.
# NOTE(review): rule id 2956 sits outside the 36xx range used by the rest of this section.
id=2956
name=A Windows DHCP Server logged a DHCP request.
match=Assi
match=ig
match=ss
match=si
regex=^10,[0-9/]+,[0-9:]+,Assign,([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=type:dhcp event:DHCP-Request_Windows dstip:$1

# NEXT
#
# id=3639
# name=A Windows DHCP Server logged a DHCP renew.
# example=11,NEED SAMPLE
# match=
# log=type:dhcp event:DHCP-Renew_Windows

NEXT

# Windows DHCP audit-log row, event id 12 "Release"; $1 (the released address) -> dstip.
id=3640
name=A Windows DHCP Server logged a DHCP release.
match=eleas
match=as
match=se
match=eas
match=ea
match=le
match=Re
match=el
regex=^12,[0-9/]+,[0-9:]+,Release,([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=type:dhcp event:DHCP-Release_Windows dstip:$1

# NEXT
#
# id=3641
# name=A Windows DHCP Server found an IP address in use on the network.
# example=13,NEED SAMPLE
# match=
# log=type:dhcp event:DHCP-Leases_Present_Windows

# NEXT
#
# id=3642
# name=A Windows DHCP Server DHCP request failed. The address pool of the scope was Exhausted.
# example=14,NEED SAMPLE
# match=
# log=type:dhcp event:DHCP-Addresses_Scope_Exhausted_Windows

# NEXT
#
# id=3643
# name=A Windows DHCP Server denied a DHCP request.
# example=15,NEED SAMPLE
# match=
# log=type:dhcp event:DHCP-Lease_Denied_Windows

# NEXT
#
# id=3644
# name=A Windows DHCP Server BOOTP address was leased to a client.
# example=20,NEED SAMPLE
# match=
# log=type:dhcp event:DHCP-BOOTREQUEST_Windows

# NEXT
#
# id=3645
# name=A Windows DHCP Server dynamic BOOTP address was leased to a client.
# example=21,NEED SAMPLE
# match=
# log=type:dhcp event:DHCP-Dynamic_BOOTREQUEST_Windows

# NEXT
#
# id=3646
# name=A Windows DHCP Server BOOTP request could not be satisfied. The scope's address pool for BOOTP was exhausted.
# example=22,NEED SAMPLE
# match=
# log=type:dhcp event:DHCP-BOOTREQUEST_Failed_Windows

# NEXT
#
# id=3647
# name=A Windows DHCP Server BOOTP IP address was deleted after checking to see it was not in use.
# example=23,NEED SAMPLE
# match=
# log=type:dhcp event:DHCP-BOOT_Unused_Address_Deleted_Windows

NEXT

# Windows DHCP audit-log row, event id 24 "Database Cleanup Begin". Rule 3649 (id 25) logs the same LCE event name.
id=3648
name=A Windows DHCP Server IP address cleanup operation has begun.
match=tab
match=an
match=as
match=ba
match=ea
match=up
match=le
match=Cl
match=in
match=leanup
match=Data
match=atabase
regex=^24,[0-9/]+,[0-9:]+,Database Cleanup Begin,
log=type:dhcp event:DHCP-Address_Cleanup_Windows

NEXT

# Windows DHCP audit-log row, event id 25 "<n> leases expired and <n> leases deleted".
# NOTE(review): logs the same event name as 3648, so begin and statistics rows are indistinguishable by event;
# the regex uses \d+ where the rest of this file writes [0-9]+.
id=3649
name=Windows DHCP Server IP address cleanup statistics.
match=ea
match=del
match=es
match=deleted
match=de
match=and
match=xp
match=el
match=delete
match=ex
match=red
match=ire
regex=^25,[0-9/]+,[0-9:]+,\d+ leases expired and \d+ leases deleted,
log=type:dhcp event:DHCP-Address_Cleanup_Windows

NEXT

# Windows DHCP audit-log row, event id 30 "DNS Update Request"; $1 -> dstip, logged as type:dns.
id=3650
name=A Windows DHCP Server DNS dynamic update request.
match=qu
match=pda
match=at
match=es
match=Request
match=Up
match=NS
match=que
match=Update
match=Re
match=DNS
match=date
regex=^30,[0-9/]+,[0-9:]+,DNS Update Request,([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=type:dns event:DHCP-DNS_Update_Request_Windows dstip:$1

NEXT

# Windows DHCP audit-log row, event id 31 "DNS Update Failed"; $1 -> dstip, logged as type:dns.
id=3651
name=A Windows DHCP Server DNS dynamic update failed.
match=pda
match=da
match=at
match=Up
match=NS
match=Update
match=ed
match=Fa
match=Fail
match=Failed
match=DNS
match=date
regex=^31,[0-9/]+,[0-9:]+,DNS Update Failed,([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=type:dns event:DHCP-DNS_Update_Fail_Windows dstip:$1

NEXT

# Windows DHCP audit-log row, event id 32 "DNS Update Successful"; $1 -> dstip, logged as type:dns.
id=3652
name=A Windows DHCP Server DNS dynamic update was successful.
match=ul
match=pda
match=da
match=at
match=Up
match=NS
match=cc
match=Update
match=ss
match=DNS
match=date
match=Success
regex=^32,[0-9/]+,[0-9:]+,DNS Update Successful,([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=type:dns event:DHCP-DNS_Update_Success_Windows dstip:$1

NEXT

# Windows DHCP audit-log row, event id 50 "Unreachable Domain"; no address is extracted, logged as type:error.
id=3653
name=A Windows DHCP Server could not locate the applicable domain for its configured Active Directory installation.
match=om
match=ha
match=le
match=Un
match=re
match=Do
match=omain
match=in
match=ch
match=ma
match=able
match=bl
regex=^50,[0-9/]+,[0-9:]+,Unreachable Domain,
log=type:error event:DHCP-Unreachable_Domain_Windows

# NEXT
#
# id=3654
# name=A Windows DHCP Server authorization succeeded. The DHCP server was authorized to start on the network.
# example=51,NEED SAMPLE
# match=
# log=type:system event:DHCP-Auth_Success_Windows

# NEXT
#
# id=3655
# name=A Windows DHCP Server unauthorized DHCP server detection feature is disabled due to a recent OS upgrade.
# example=52,NEED SAMPLE
# match=
# log=type:system event:DHCP-Unathorized_Detection_Disabled_Windows

# NEXT
#
# id=3656
# name=A Windows DHCP Server was authorized to start using previously cached information.
# example=53,NEED SAMPLE
# match=
# log=type:system event:DHCP-Auth_Success_Cache_Windows

# NEXT
#
# id=3657
# name=A Windows DHCP Server was not authorized to start on the network.
# example=54,NEED SAMPLE
# match=
# log=type:error event:DHCP-Auth_Failed_Windows

NEXT

# Windows DHCP audit-log row, event id 55 "Authorized(servicing)"; no address is extracted.
id=3658
name=A Windows DHCP Server was successfully authorized to start on the network.
match=ho
match=uth
match=ize
match=ing
match=ed
match=or
match=in
match=Auth
match=vi
match=zed
match=er
match=Authorized
regex=^55,[0-9/]+,[0-9:]+,Authorized\(servicing\),
log=type:system event:DHCP-Auth_Servicing_Windows

NEXT

# Windows DHCP audit-log row, event id 56 "Authorization failure, stopped servicing"; logged as type:error.
# Emits the same event name the disabled rule 3657 (id 54) would have used.
id=3659
name=A Windows DHCP Server was not authorized to start on the network and was shut down by the operating system.
match=at
match=on
match=ing
match=ed
match=pp
match=or
match=in
match=Auth
match=vi
match=stop
match=to
match=fail
regex=^56,[0-9/]+,[0-9:]+,Authorization failure, stopped servicing,
log=type:error event:DHCP-Auth_Failed_Windows

# NEXT
#
# id=3660
# name=A second Windows DHCP Server exists and is authorized for service in the same domain.
# example=57,NEED SAMPLE
# match=
# log=type:system event:DHCP-Server_Found_In_Domain_Windows

# NEXT
#
# id=3661
# name=A Windows DHCP Server could not locate the specified domain.
# example=58,NEED SAMPLE
# match=
# log=type:error event:DHCP-Server_Not_Found_In_Domain_Windows

# NEXT
#
# id=3662
# name=A Windows DHCP Server encountered an error. A network-related failure prevented the server from determining if it is authorized.
# example=59,NEED SAMPLE
# match=
# log=type:error event:DHCP-Auth_Unknown_Windows

NEXT

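# Windows DHCP audit-log row, event id 60 "No DC is DS Enabled"; no address is extracted, logged as type:error.
# The rule name had a mis-encoded character in "AD DS" (repaired) and a duplicated "match=is" line (removed).
id=3663
name=A Windows DHCP Server was unable to locate a valid domain controller. A domain controller enabled for AD DS is required.
match=No
match=abled
match=le
match=ed
match=led
match=nable
match=na
match=is
match=En
match=DC
match=able
regex=^60,[0-9/]+,[0-9:]+,No DC is DS Enabled,
log=type:error event:DHCP-No_DC_DS_Enabled_Windows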

# NEXT
#
# id=3664
# name=A Windows DHCP Server detected another DHCP server found on the network.
# example=61,NEED SAMPLE
# example=62,NEED SAMPLE
# match=
# log=type:error event:DHCP-Another_Server_Found_Windows

NEXT

# Windows DHCP audit-log row, event id 63 "Restarting rogue detection"; no address is extracted.
id=3665
name=A Windows DHCP Server is restarting rogue detection. The DHCP server is trying once more to determine whether it is authorized to start and provide service on the network.
match=rogue
match=on
match=rt
match=tion
match=tect
match=ro
match=ing
match=in
match=start
match=detection
match=st
match=ion
regex=^63,[0-9/]+,[0-9:]+,Restarting rogue detection,
log=type:system event:DHCP-Restarting_Rogue_Detection_Windows

NEXT

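# Windows DHCP audit-log row "Packet dropped because of Client ID hash mismatch or standby server."; $1 -> srcip.
# The capture now uses the file's standard IPv4 pattern: the previous class [0-9\.0-9\.0-9\.0-9]+ was just
# "digits and dots" and accepted runs like "1234" or "....". The literal period is escaped.
# NOTE(review): unlike the neighbouring Windows rules this regex is not anchored to an event-id column --
# confirm whether the source row carries one.
id=3666
name=A Windows DHCP Server message means the scope in question is running in failover mode on two or more WS DHCP servers.
match=Packet dropped because of Client ID hash mismatch or standby server
match=Pa
match=pp
match=dr
match=be
match=Cl
match=ha
match=mis
match=se
match=ver
regex=Packet dropped because of Client ID hash mismatch or standby server\.,([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:dhcp event:DHCP-Packet_Dropped srcip:$1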

NEXT

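# Windows DHCP audit-log "Renew" row; $1 (the address following "Renew,") -> srcip.
# The capture now uses the file's standard IPv4 pattern: the previous class [0-9\.0-9\.0-9\.0-9]+ was just
# "digits and dots" and accepted runs like "1234" or "....".
# NOTE(review): not anchored to an event-id column like the other Windows rows (the disabled 3639 expected id 11) --
# confirm against a sample row.
id=3667
name=A Windows DHCP Server renew request.
match=,Renew,
match=,R
match=Re
match=ew
match=w,
regex=Renew,([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:dhcp event:DHCP-Renew_Request srcip:$1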

NEXT

# Windows event 1044 (Microsoft-Windows-DHCP-Server, Information): DHCP service authorized to start.
# $1 -> sensor, $2 (the "IP:" field) -> srcip, same header regex as 3615.
id=3668
name=The Windows DHCP service on the local machine has been authorized to start. 
match=Microsoft-Windows-DHCP-Server
match=,Information,
match=,1044,
match=client
match=System,
match=IP
match=DH
match=CP
match=Admin
match=Server
match=Windows
match=local
match=auth
match=zed
match=start
match=DHCP
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:dhcp event:DHCP-DHCP_Start_Authorized sensor:$1 srcip:$2 event2:WindowsEvent-1044

NEXT

# Windows event 1342 (Microsoft-Windows-DHCP-Server, Warning): "IP address range of scope ... out ...".
# $1 -> sensor, $2 (the "IP:" field) -> srcip, same header regex as 3615; logged as type:error.
id=3669
name=The Windows DHCP service address range scope on the local machine is out of IP addresses. 
match=Microsoft-Windows-DHCP-Server
match=,Warning,
match=,1342,
match=nge
match=System,
match=IP
match=DH
match=CP
match=IP address range of scope
match=Server
match=Windows
match=co
match=op
match=out
match=DHCP
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:error event:DHCP-Scope_Out_Of_Addresses sensor:$1 srcip:$2 event2:WindowsEvent-1342

NEXT

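# Windows event 10020 (Microsoft-Windows-DHCP-Server, Warning): the server has a dynamically assigned IPv6 address.
# $1 -> sensor, $2 (the "IP:" field) -> srcip, same header regex as 3615.
# The rule name is user-facing text; the doubled word "has has" is corrected.
id=3670
name=The Windows DHCP service on the local machine has at least one dynamically assigned IPv6 address. Only static IPv6 addresses should be used for reliable operation.
match=Microsoft-Windows-DHCP-Server
match=,Warning,
match=,10020,
match=computer
match=System,
match=IP
match=DH
match=CP
match=address
match=Server
match=Windows
match=IPv6
match=operation
match=has
match=DHCP
regex=([a-zA-Z0-9._-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:dhcp event:DHCP-Dynamic_IPv6_Detected sensor:$1 srcip:$2 event2:WindowsEvent-10020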