Github user JonZeolla commented on the issue:
https://github.com/apache/incubator-metron/pull/531
I would love to see Metron have a solution for both approaches - ingesting
DHCP server logs, as well as DHCP observations based on network traffic. Like
@ottobackwards mentioned, not everyone can get the right
infrastructure/viewpoint on their network to run something like Bro and get the
DHCP traffic to their sensors to be processed.
I have definitely sent more than just DNS and HTTP from Bro to Metron and
it has been properly ingested, but to date I haven't done DHCP. Like
@simonellistonball and @nickwallen mentioned, both the parser and the Kafka
plugin are set up to handle new Bro logs quite well, and a while back I worked
on updating Metron's support for more Bro sources via
[METRON-508](https://github.com/JonZeolla/incubator-metron/commit/736cc39525f9f08f6e781faea2610e893327e74c).
I just never had a chance to test it, so I haven't yet opened a PR.
Once #545 and #547 get merged into master, and I'm able to finish
[METRON-813](https://issues.apache.org/jira/browse/METRON-813), I would be
happy to work on anything related to Bro and DHCP logs at scale, including
finishing up METRON-508. I have two hardware Bro environments and my larger
one currently sees about 7 million DHCP observations/day and sends ~30,000
messages per second into Metron.