I am currently running Kiwi Syslog 8.3.52
I am logging some edge switches deployed that do not perform DHCP snooping, however the distribution layer switch they connect to does. I am able to have the distribution switch snoop for DHCP replies from untrusted ports (link to access layer) and generate a syslog message, like this:
005904: Mar 1 17:38:13.216: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0800.27dd.71b8
I have these sent to my Kiwi syslog server and can filter on message text to log offenders, but that will require active checking of the logs or waiting for clients to call indicating they are getting a bogus DHCP address if a rogue server is running in an edge location.
I was wondering if it is possible to somehow extract the MAC address listed after the MAC sa: string and if so pass that as well as the IP address of the sending distribution switch to a file in which I can reference in a script to SSH to the edge and run a port shutdown or da MAC filter.
Any thoughts would be appreciated, thanks.
Rob