MAC Vendor Enricher
The MAC Vendor enricher adds the detected vendor name to an event based on the value of a MAC address attribute. Only the first 6 characters of the MAC address (the OUI) are considered when detecting the vendor.
Example
Declaration
---
define:
  name: MACVendor
  type: enricher/macvendor
  lookup: lmio_mac_vendor  # optional
attributes:
  MAC1: detectedVendor1
  MAC2: detectedVendor2
  ...
Input
Feb 5 10:50:01 0:0:0:0:0:ffff:1f1f:e001 %ASA-1-105043 5885E9001183
Output
{
    'rt': 1580899801.0,
    'MAC1': '5885E9001183',
    'detectedVendor1': 'Realme Chongqing Mobile Telecommunications Corp Ltd',
}
Section define
This section defines the name and the type of the enricher,
which in the case of MAC Vendor is always enricher/macvendor.
Item name
Short, human-readable name of this declaration.
Item type
The type of this declaration, must be enricher/macvendor.
Section attributes
Specify a dictionary mapping each MAC attribute of the event that should be searched for in the lookup (such as MAC1)
to the name of the event attribute in which the detected vendor is to be stored.
For example:
  MAC1: detectedVendor1
will search the MAC Vendor lookup for the MAC address stored in event["MAC1"]
and, if the lookup succeeds, store the vendor name in event["detectedVendor1"].
Lookup files
MAC Vendor enricher lookup files are based on the IEEE OUI standard: standards-oui.ieee.org/oui.txt
The files are stored in the default path directory (/lookups/macvendor),
which can be overridden in the configuration:
[lookup:lmio_mac_vendor]
path=...
Here lmio_mac_vendor is the lookup ID given in the enricher declaration (the optional lookup item), which defaults to lmio_mac_vendor.
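As an added illustration, not the enricher's own code, the following Python parses the oui.txt layout referenced above into a lookup table and applies an attributes mapping to an event the way the Declaration and Output examples show. It goes slightly beyond the page's literal "first 6 characters" rule by also accepting colon- or dash-separated MAC addresses, and it leaves the event untouched when a value is not a MAC address at all (for example the IPv6 address in the Input line). The oui.txt excerpt and the event values are constructed samples.

```python
import re

# Constructed excerpt in the layout of the IEEE oui.txt file: a "(hex)" line and a
# "(base 16)" line per OUI, then indented address lines. The 5885E9 entry matches
# this page's Output example; the Cisco entry is a second sample.
OUI_TXT = """\
58-85-E9   (hex)\t\tRealme Chongqing Mobile Telecommunications Corp Ltd
5885E9     (base 16)\t\tRealme Chongqing Mobile Telecommunications Corp Ltd
\t\t\t\t(address lines omitted in this constructed sample)

00-00-0C   (hex)\t\tCisco Systems, Inc
00000C     (base 16)\t\tCisco Systems, Inc
\t\t\t\t(address lines omitted in this constructed sample)
"""

# Only the "(base 16)" lines carry the OUI as 6 contiguous hex digits, which is what we key on.
_BASE16_LINE = re.compile(r"^([0-9A-Fa-f]{6})\s+\(base 16\)\s+(.+?)\s*$")
_MAC = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}|[0-9A-Fa-f]{12}")

def load_oui(text):
    """Parse oui.txt content into a {OUI: vendor name} dictionary; other lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = _BASE16_LINE.match(line)
        if m:
            table[m.group(1).upper()] = m.group(2)
    return table

def mac_oui(value):
    """Return the upper-cased 6-hex-digit OUI of a MAC address written as 5885E9001183,
    58:85:e9:00:11:83 or 58-85-E9-00-11-83; return None if the value is not a MAC."""
    if not _MAC.fullmatch(str(value)):
        return None
    return re.sub(r"[:-]", "", str(value))[:6].upper()

def enrich(event, attributes, table):
    """Apply the 'attributes' mapping {MAC attribute: vendor attribute} to the event.
    Attributes that are missing, malformed, or not found in the lookup are left untouched."""
    for mac_attr, vendor_attr in attributes.items():
        oui = mac_oui(event.get(mac_attr, ""))
        vendor = table.get(oui) if oui else None
        if vendor is not None:
            event[vendor_attr] = vendor
    return event
```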