topic Re: Windows DHCP Logs in Getting Data In

Windows DHCP Logs

Justin — Wed, 12 May 2010 05:18:59 GMT

I am having trouble getting a Splunk forwarder (4.1.2) to send Windows 2008 R2 DHCP logs back to the main Splunk indexer (4.1.2). When I first setup the forwarder to monitor the DHCP log directory, everything was working fine. Now it appears that the forwarder does not think there are any new log events to transmit. Something unique with these logs is that they have names like DhcpSrvLog-Mon.log and DhcpSrvLog-Sat.log. The logs get overwritten on a weekly basis. Should Splunk be able to detect that log names are getting reused or do I need to configure an additional setting somewhere?

Note: All other logs being captured by the forwarder are transmitting correctly.

Re: Windows DHCP Logs

gkanapathy — Wed, 12 May 2010 10:38:31 GMT

Do these files happen to have a large identical header at the beginning? Or, are the files possibly written in Unicode/UTF-16 (and Splunk is failing to detect that)?

Re: Windows DHCP Logs

Justin — Thu, 13 May 2010 00:00:33 GMT

The log files do have large headers. The header is 31 lines, and the 32nd line is when new log events appear. Is there a conf file setting I need to accommodate this? If so, does this need to be done on the forwarder or indexer?

I am not sure how to determine if the file has Unicode. Is there an easy way to check this?

Re: Windows DHCP Logs

Justin — Sat, 05 Jun 2010 01:41:25 GMT

I contacted Splunk Enterprise support and they pointed me to a solution. On the Splunk forwarder system (the one with the DHCP logs), I had to add an entry to inputs.conf in /etc/system/local/.

[monitor://C:\Windows\System32\dhcp]
sourcetype = dhcp
crcSalt = <SOURCE>
alwaysOpenFile = 1
disabled = false
whitelist = Dhcp.+\.log

The key was the "crcSalt" entry. I hope this helps others.

Re: Windows DHCP Logs

mgaleti — Thu, 10 Nov 2011 19:38:55 GMT

Solved my problem !

Re: Windows DHCP Logs

mcronkrite — Sat, 07 Mar 2015 20:06:01 GMT

I think you have to add more slashes to get this working.

[monitor://C:\Windows\System32\dhcp]

With the (“\”s added.

Re: Windows DHCP Logs

koolvasco — Mon, 27 Nov 2017 10:49:53 GMT

crcSalt =
Did it mean is to be replaced with DHCP Servers IP?

Re: Windows DHCP Logs

vgollapudi — Tue, 22 May 2018 23:39:47 GMT

Look at this documentation Link:

https://docs.splunk.com/Documentation/Splunk/7.1.0/Admin/Inputsconf

If set to the literal string (including the angle brackets), the full directory path to the source file is added to the CRC. This ensures that each file being monitored has a unique CRC. When crcSalt is invoked, it is usually set to .