[microsoft_dhcp] Add event.reason (long descriptions) to each event (DHCPv4) #7100
Conversation
/test
For the commit message, can you provide a link for the messages that are below 50? Up-page of the link provided, there are some of them listed, but not the entirety. Do MS have a single canonical location for these details?
Interestingly enough, I could not find an extensive list from Microsoft. The full list lives in the event log itself at the beginning of each log file when they get created each day. Does that help?
Thanks, Nic. Yes, that will do for the commit message. I'm surprised that Microsoft don't provide adequate documentation.
No problem. I tried to find it on their GitHub docs but these docs are fairly old and haven't made it to GH. If I ever do find it I will report accordingly.
Minor nit then LGTM
packages/microsoft_dhcp/data_stream/log/_dev/test/pipeline/test-log.log-expected.json
Sounds good. I appreciate your thoroughness!
Anything else needed for this to be merged?
I fixed the merge conflicts. Can someone please review? Thanks!
packages/microsoft_dhcp/data_stream/log/_dev/test/pipeline/test-log.log-expected.json
packages/microsoft_dhcp/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml
/test
Any last items on this? I think we are close.
👀 - I had to bump the version again because other changes were made. Could this please be reviewed again? Thanks!
/test
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
Package microsoft_dhcp - 1.17.0 containing this change is available at https://epr.elastic.co/search?package=microsoft_dhcp |
What does this PR do?
This will add the `Meaning` that is found in the DHCPv4 logs into `event.reason` as follows:

| Event ID | Meaning |
| --- | --- |
| 00 | The log was started. |
| 01 | The log was stopped. |
| 02 | The log was temporarily paused due to low disk space. |
| 10 | A new IP address was leased to a client. |
| 11 | A lease was renewed by a client. |
| 12 | A lease was released by a client. |
| 13 | An IP address was found to be in use on the network. |
| 14 | A lease request could not be satisfied because the scope's address pool was exhausted. |
| 15 | A lease was denied. |
| 16 | A lease was deleted. |
| 17 | A lease was expired and DNS records for an expired lease have not been deleted. |
| 18 | A lease was expired and DNS records were deleted. |
| 20 | A BOOTP address was leased to a client. |
| 21 | A dynamic BOOTP address was leased to a client. |
| 22 | A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted. |
| 23 | A BOOTP IP address was deleted after checking to see it was not in use. |
| 24 | IP address cleanup operation has begun. |
| 25 | IP address cleanup statistics. |
| 30 | DNS update request to the named DNS server. |
| 31 | DNS update failed. |
| 32 | DNS update successful. |
| 33 | Packet dropped due to NAP policy. |
| 34 | DNS update request failed, as the DNS update request queue limit exceeded. |
| 35 | DNS update request failed. |
| 36 | Packet dropped because the server is in failover standby role or the hash of the client ID does not match. |
| 50+ | Codes above 50 are used for Rogue Server Detection information. |
The 50+ event code descriptions are found here: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd183591(v=ws.10)#dhcp-server-logs-server-authorization-events
Checklist
changelog.yml file.
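The mapping the PR describes, applied to raw DHCPv4 audit-log lines, as an added example that is not part of the PR or of the microsoft_dhcp integration (the integration does this in its ingest pipeline, `dhcp.yml`, not in Python). The ID-to-reason table is copied from the PR description above; the leading column order of `DhcpSrvLog-*.log` lines, the sample lines, the banner-line handling and the set of IDs worth alerting on are assumptions made for this example. IDs of 50 and above get the generic rogue-server-detection text because the PR does not spell out the per-code descriptions; the linked Microsoft page does.

```python
"""Map Microsoft DHCP server audit-log event IDs to the long descriptions the
PR writes into event.reason, and apply the mapping to sample log lines.

Added example, not the microsoft_dhcp integration's own code. The mapping
table is copied from the PR description; the column layout, the sample lines
and ALERT_IDS are assumptions."""

import csv
from io import StringIO

# Event ID -> event.reason, as listed in the PR description (IDs 50+ handled below).
EVENT_REASON = {
    0: "The log was started.",
    1: "The log was stopped.",
    2: "The log was temporarily paused due to low disk space.",
    10: "A new IP address was leased to a client.",
    11: "A lease was renewed by a client.",
    12: "A lease was released by a client.",
    13: "An IP address was found to be in use on the network.",
    14: "A lease request could not be satisfied because the scope's address pool was exhausted.",
    15: "A lease was denied.",
    16: "A lease was deleted.",
    17: "A lease was expired and DNS records for an expired lease have not been deleted.",
    18: "A lease was expired and DNS records were deleted.",
    20: "A BOOTP address was leased to a client.",
    21: "A dynamic BOOTP address was leased to a client.",
    22: "A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted.",
    23: "A BOOTP IP address was deleted after checking to see it was not in use.",
    24: "IP address cleanup operation has begun.",
    25: "IP address cleanup statistics.",
    30: "DNS update request to the named DNS server.",
    31: "DNS update failed.",
    32: "DNS update successful.",
    33: "Packet dropped due to NAP policy.",
    34: "DNS update request failed, as the DNS update request queue limit exceeded.",
    35: "DNS update request failed.",
    36: "Packet dropped because the server is in failover standby role or the hash of the client ID does not match.",
}
# The PR only says codes 50 and above carry rogue-server-detection information;
# the per-code text lives in the Microsoft doc it links, so use a generic fallback.
ROGUE_DETECTION_REASON = "Codes above 50 are used for Rogue Server Detection information."

# Assumed (not from the PR): IDs a SOC would want to alert on. Logging paused (2),
# address conflict (13), NAP drop (33), failover/hash mismatch (36); 50+ is added
# in is_alertable() because rogue-server events are always worth a look.
ALERT_IDS = {2, 13, 33, 36}


def event_reason(event_id: int):
    """Return the event.reason text for a DHCPv4 audit-log ID, or None if unknown."""
    if event_id in EVENT_REASON:
        return EVENT_REASON[event_id]
    if event_id >= 50:
        return ROGUE_DETECTION_REASON
    return None


def is_alertable(event_id: int) -> bool:
    """True for the assumed security-relevant IDs and the whole 50+ range."""
    return event_id in ALERT_IDS or event_id >= 50


# Assumed column order for the leading fields of a DhcpSrvLog-*.log data line;
# the server writes more columns after these, which are kept unparsed in 'extra'.
COLUMNS = ["id", "date", "time", "description", "ip", "hostname", "mac"]


def parse_lines(text: str):
    """Parse audit-log lines into dicts enriched with event.reason.

    The daily log begins with a banner that repeats the ID table as
    '00<TAB>The log was started.'; those rows (and the CSV header) have a
    non-numeric first field and are skipped, so only real events survive."""
    events = []
    for row in csv.reader(StringIO(text)):
        if not row or not row[0].strip().isdigit():
            continue
        event_id = int(row[0])
        rec = dict(zip(COLUMNS, (f.strip() for f in row[:len(COLUMNS)])))
        rec["id"] = event_id
        rec["extra"] = [f.strip() for f in row[len(COLUMNS):]]
        rec["reason"] = event_reason(event_id)
        rec["alert"] = is_alertable(event_id)
        events.append(rec)
    return events


# Constructed sample (not captured from a real server): a banner row, the
# CSV header, then six events including a 50+ code and an unknown code.
SAMPLE_LOG = """\
00\tThe log was started.
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,03/15/23,00:00:01,Started,,,
10,03/15/23,08:00:12,Assign,192.168.1.50,host1.example.com,001122334455
13,03/15/23,08:02:45,Conflict,192.168.1.51,,AABBCCDDEEFF
36,03/15/23,08:05:09,Dropped,192.168.1.52,host2.example.com,001122334466
51,03/15/23,08:10:00,Rogue detection,,,
99,03/15/23,08:11:00,Future code,,,
"""

if __name__ == "__main__":
    for ev in parse_lines(SAMPLE_LOG):
        flag = "ALERT " if ev["alert"] else "      "
        print(f"{flag}{ev['id']:>3} {ev['reason']}")
```

Running it prints one line per event with the long description, so a reviewer can check the pipeline's `event.reason` output against the same table; the unknown code 99 still gets the generic 50+ text, which is also what the PR's "50+" row implies for any code the table does not enumerate.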