Dnsmasq
LogZilla App Store application: Dnsmasq
Overview
dnsmasq is a lightweight Linux daemon that provides DNS, DHCP, and TFTP services. The LogZilla dnsmasq app focuses specifically on parsing DHCP server operations to extract IP address assignments and hostname information.
App Function
The dnsmasq app parses assigned IP addresses and hostnames from DHCP
assignment (DHCPACK) messages, creating user tags for network asset tracking
and correlation.
Vendor Documentation
Log Source Details
| Item | Value |
|---|---|
| Vendor | Linux distributions |
| Device Type | Linux OS |
| Supported Software Version(s) | all |
| Collection Method | Syslog |
| Configurable Log Output? | no |
| Log Source Type | linux syslog |
| Exceptions | N/A |
Incoming Log Format
dnsmasq uses standard Linux syslog format. DHCP messages contain space-separated fields in the following order:
- DHCP operation - Type of DHCP transaction (e.g., DHCPACK)
- Network interface - Interface name in parentheses
- IP address - Assigned IPv4 address
- MAC address - Client hardware address
- Hostname - Client hostname (if provided)
Parsed Metadata Fields
The dnsmasq app extracts the following information from DHCP assignment messages:
Message Format:
```text
DHCPACK(<interface>) <IP address> <MAC address> <hostname>
```
Generated User Tags:
| Tag Name | Example Value | Description |
|---|---|---|
| DNSmasq DHCP Assigned IP | 192.168.254.101 | IP address assigned to the client |
| DNSmasq DHCP Assigned Hostname | dhcpnine | Hostname assigned to the client |
| DNSmasq DHCP IP -> Hostname | 192.168.254.101 -> dhcpnine | Combined IP to hostname mapping |
Log Examples
DHCP IP Address Assignment
```text
DHCPACK(enp0s3) 192.168.254.101 08:00:55:66:77:88 dhcpnine
```
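The field order and user tags described above can be reproduced with a small parser. This is an added example, not the LogZilla app's own rule code; the function name `dhcpack_tags`, the syslog prefixes on the sample lines, and the choice to emit only the IP tag when no hostname is present are assumptions.

```python
import ipaddress
import re

# Message format documented above:
# DHCPACK(<interface>) <IP address> <MAC address> [<hostname>]
DHCPACK_RE = re.compile(
    r"DHCPACK\((?P<iface>[^)\s]+)\)\s+"
    r"(?P<ip>\S+)\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?:\s+(?P<host>\S+))?\s*$"
)

def dhcpack_tags(message):
    """Return the user tags for one dnsmasq DHCPACK message, or None."""
    m = DHCPACK_RE.search(message)
    if m is None:
        return None  # not a DHCPACK line, or fields out of order
    try:
        ip = str(ipaddress.IPv4Address(m.group("ip")))
    except ipaddress.AddressValueError:
        return None  # address field is not a valid IPv4 address
    tags = {"DNSmasq DHCP Assigned IP": ip}
    host = m.group("host")
    if host:  # hostname is optional; assumed: without it only the IP tag is set
        tags["DNSmasq DHCP Assigned Hostname"] = host
        tags["DNSmasq DHCP IP -> Hostname"] = f"{ip} -> {host}"
    return tags

# Constructed sample lines; the syslog prefixes are invented for illustration.
SAMPLES = [
    "Jan  1 00:00:00 gw dnsmasq-dhcp[411]: DHCPACK(enp0s3) 192.168.254.101 08:00:55:66:77:88 dhcpnine",
    "Jan  1 00:00:05 gw dnsmasq-dhcp[411]: DHCPACK(enp0s3) 192.168.254.102 08:00:55:66:77:99",
    "Jan  1 00:00:09 gw dnsmasq-dhcp[411]: DHCPOFFER(enp0s3) 192.168.254.103 08:00:55:66:77:aa",
    "Jan  1 00:00:12 gw dnsmasq-dhcp[411]: DHCPACK(enp0s3) 999.1.1.1 08:00:55:66:77:bb bad",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(dhcpack_tags(line))
```

The hostname field is whatever the client supplied in its DHCP request, so the hostname tags are labels for correlation rather than verified identities.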