topic Re: [RESOLVED] Forwarder stops at midnight on Windows 2012R2 DHCP server log in Getting Data In https://community.splunk.com/t5/Getting-Data-In/RESOLVED-Forwarder-stops-at-midnight-on-Windows-2012R2-DHCP/m-p/127979#M26284 <P>Well, my monitor stanza actually did work.</P> <P>I guess I wasn't patient enough after I put in "<STRONG>alwaysOpenFile = 1</STRONG>", which I believe is what made Splunk deal with the log file rotation correctly, in combination with "<STRONG>initCrcLength = 2000</STRONG>".</P> <P>I don't believe that "*<EM>crcSalt = *</EM>" is needed in this case but I am not going to change the stanza at this point as that does no harm either.</P> Thu, 12 Feb 2015 13:29:03 GMT ww9rivers 2015-02-12T13:29:03Z [RESOLVED] Forwarder stops at midnight on Windows 2012R2 DHCP server log https://community.splunk.com/t5/Getting-Data-In/RESOLVED-Forwarder-stops-at-midnight-on-Windows-2012R2-DHCP/m-p/127978#M26283 <P>I have Splunk Universal Forwarders on 4 Windows 2012R2 servers, monitoring the DHCP server logs with this stanza:</P> <PRE><CODE>[monitor://Z:\dhcp\logs] disabled = 0 sourcetype = DhcpSrvLog whitelist = DhcpSrvLog* crcSalt = &lt;SOURCE&gt; initCrcLength = 2000 </CODE></PRE> <P>That works when I started the forwarder. But I found that the forwarder stopped sending new logs to my indexers at midnight sharp, which I don't know if it has something to do with the fact that the log for today has a timestamp of midnight yesterday:</P> <PRE><CODE>Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 2/4/2015 12:00 AM 146695986 DhcpSrvLog-Tue.log -a--- 2/4/2015 12:00 AM 138881102 DhcpSrvLog-Wed.log </CODE></PRE> <P>At that point, I added an "alwaysOpenFile = 1" item in the stanza to see if that solves the problem. But I came in this morning to find that it had changed nothing whatsoever.</P> <P>Soooo, what else can I do to handle this Microsoft beast?</P> <P><STRONG>[Edit]</STRONG>: Not sure if (or how) this could be a factor: The folder in the monitor stanza "Z:/dhcp/logs" is a Windows symbolic link to a folder "E:/dhcp/logs_&lt;<EM>HOSTNAME</EM>&gt;" -- those forward slashes (/) are replacement of back slashes in Windows, of course.</P> Thu, 05 Feb 2015 14:34:02 GMT https://community.splunk.com/t5/Getting-Data-In/RESOLVED-Forwarder-stops-at-midnight-on-Windows-2012R2-DHCP/m-p/127978#M26283 ww9rivers 2015-02-05T14:34:02Z Re: [RESOLVED] Forwarder stops at midnight on Windows 2012R2 DHCP server log https://community.splunk.com/t5/Getting-Data-In/RESOLVED-Forwarder-stops-at-midnight-on-Windows-2012R2-DHCP/m-p/127979#M26284 <P>Well, my monitor stanza actually did work.</P> <P>I guess I wasn't patient enough after I put in "<STRONG>alwaysOpenFile = 1</STRONG>", which I believe is what made Splunk deal with the log file rotation correctly, in combination with "<STRONG>initCrcLength = 2000</STRONG>".</P> <P>I don't believe that "*<EM>crcSalt = *</EM>" is needed in this case but I am not going to change the stanza at this point as that does no harm either.</P> Thu, 12 Feb 2015 13:29:03 GMT https://community.splunk.com/t5/Getting-Data-In/RESOLVED-Forwarder-stops-at-midnight-on-Windows-2012R2-DHCP/m-p/127979#M26284 ww9rivers 2015-02-12T13:29:03Z