Skip to content

EfficientIP DDI

EfficientIP DDI


DDI is a collective reference term that covers domain name system (DNS), dynamic host configuration protocol (DHCP), and IP address management (IPAM). DDI in networking is short for DNS-DHCP-IPAM. DNS assures the association of hostnames and IP addresses. It enables access routing to almost all applications and services to keep HTTP web traffic and network traffic flowing. DHCP provides dynamic IP address assignment for nodes logging into the network, together with configuration capability automatically inherited from the address plan tree. IPAM supports these critical technologies by enabling efficient management of IP addresses across the network. Together they make up DDI.

Product Details

Vendor URL: EfficientIP DDI

Product Type: DDI

Product Tier: Tier I

Integration Method: Syslog

Integration URL: N/A

Log Guide: N/A

Parser Details

Log Format: Syslog

Expected Normalization Rate: near 99%


UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
mechanism extensions.auth.mechanism
"MACHINE" extensions.auth.type
additional.dest.dvchost, device, dvc, inter_host, relayHostnam intermediary.hostname
additional.dest.dvc_ip, dvc, inter_host, relayIp intermediary.ip
data, description, type metadata.description
See "Product Event Types" section metadata.event_type
eventType metadata.product_event_type
"DDI" metadata.product_name
"EfficientIP" metadata.vendor_name
application_protocol, "DHCP", "SSH" network.application_protocol
"1" network.dns.questions.class
query_type network.dns.questions.type
flags network.dns.recursion_desired
resp_code network.dns.response_code
"UDP", "TCP", protocol network.ip_protocol
received_bytes network.received_bytes
sent_bytes network.sent_bytes
sessionId network.session_id
application principal.application
srcHostname, dvc principal.asset.hostname
device, t_host principal.hostname
ciaddr, src_ip principal.ip
chaddr principal.mac
"LINUX" principal.platform
src_port principal.port
command, comm principal.process.command_line
additional.PWD, name principal.process.file.full_path
pid principal.process.file.full_path
userId, "root", username, principalUser, acct principal.user.userid
exe security_result.about.process.file.full_path
uid security_result.about.user.userid
"ALLOW", "BLOCK", action, outcome security_result.action
desc, action, reason security_result.description
log_level security_result.severity
outcome, desc, action, hashing_algo, proto security_result.summary
src_host src.hostname
process, target.application
filepath, pwd target.file.full_path
t_host, targetHostname, dvc, node target.hostname
response_ip, ciaddr, targetIp, dvc, dstIp, target.ip
response_port, targetPort, dstPort, target.port
additional.COMMAND, command, process, target.process.command_line
additional.TTY, additional.file_name, dev target.process.file.full_path
additional.dest_process_id, pid,
_ResourceId, instance_id, json_data.resource.labels.instance_id
"VIRTUAL_MACHINE" target.resource.resource_type
additional.duser, username, target.user.userid

Product Event Types

Description metadata.event_type
Default and failover if missing DHCP/DNS fields GENERIC_EVENT
If log is DHCP event NETWORK_DHCP
If log doesn't match known filters NETWORK_UNCATEGORIZED

Log Sample

<30>Jan 31 01:23:45 intermediary1 dhcpd[62794]: DHCPREQUEST for from a1:b2:c3:d4:e5:f6 via

Sample Parsing

metadata.event_timestamp.seconds = 1643592225
metadata.event_type = NETWORK_DHCP
metadata.product_name = "Linux DHCP" = "62794"
principal.ip = ""
principal.application = "dhcpd"
intermediary.hostname = "intermediary1"
network.direction = INBOUND
network.ip_protocol = UDP
network.application_protocol = DHCP
network.dhcp.ciaddr = ""
network.dhcp.giaddr = ""
network.dhcp.chaddr = "a1:b2:c3:d4:e5:f6"
network.dhcp.type = REQUEST

Parser Alerting

This product currently does not have any Parser-based Alerting


Coming Soon