Combining Data from Separate Event Logs
I recently encountered logs from a Buffalo Wireless Access Point. DHCP leases and MAC address associations generate logs like this:
AP00160114430C : WIRELESS: wl0: 11g : Associated User - 00:04:23:76:34:20
AP00160114430C udhcpd: sending ACK to 192.168.11.2
The log identifying the remote MAC address is in one line and the log identifying the remote IP address is in a second line. Most of the TASL correlation scripts for the Log Correlation Engine expect to derive MAC/IP pairs from single logs lines like those of the DHCP daemon shown below:
Mar 24 11:07:46 util04 dhcpd: DHCPREQUEST for 10.9.102.183 from 00:c0:4f:0c:27:14 via eth0
Scripts like the user_to_mac.tasl expect to parse DHCP logs that contain both the MAC address and the IP address on the same line. So how can we take the logs from the Buffalo WAP and generate something that looks like a log from a typical DHCP daemon?
The buffalo_dhcp_one_line.tasl script is a very simple TASL that subscribes to events from the accesspoint_buffalo.prm library. It "keeps state" on the last MAC address in the "Associated User" logs encountered. Those are normalized to event ID 400. When an ACK (event ID 402) or OFFER DHCP (event ID 403) log is encountered, a new log is generated that looks like this:
DHCPREQUEST for 192.168.11.2 from 00:04:23:76:34:20 via buffalo_one_line.tasl script
The MAC address is added from the MAC address seen in the last "Associated user" event. The format of this log is very similar to that of the logs generated by the regular DHCP daemon. This is readily processed by the dhcp.prm plugin library.
The two DHCP-Request events were generated by the TASL script while processing the BuffaloWAP-Associated_MAC and BuffaloWAP-DHCP_Address_ACK events.
Are You Vulnerable to the Latest Exploits?
Enter your email to receive the latest cyber exposure alerts in your inbox.