topic Re: How to get DHCP scope information in DHCP logs into Splunk? in Getting Data In

How to get DHCP scope information in DHCP logs into Splunk?

kiran331 — Thu, 25 Aug 2016 19:51:47 GMT

How can I get the DHCP scope information in DHCP logs, or is there way to get that information into Splunk and correlate?

Re: How to get DHCP scope information in DHCP logs into Splunk?

christian_clout — Fri, 26 Aug 2016 00:50:55 GMT

Hi,

I had the same question and ended up creating and using a custom TA for our Windows 2008 R2 based DHCP servers.

It's rather simple. It's a scripted input which runs on those DHCP host via their universal forwarder and performs:

netsh dhcp server show mibinfo

This shows all scopes, number of addresses in use/free and pending offers for the DHCP server which I then index in Splunk.

Re: How to get DHCP scope information in DHCP logs into Splunk?

kiran331 — Fri, 26 Aug 2016 14:35:30 GMT

Thanks for response! I tried this one, It is not showing the Scope names, Do you know how to get the scope names? It showing sub nets and use/free..

Re: How to get DHCP scope information in DHCP logs into Splunk?

christian_clout — Fri, 26 Aug 2016 15:18:28 GMT

Hi Kiran331,

The information is little all over the place, at least in my case. 🙂

I get mine from Active Directory and then correlate them together.

So for example, from the output of netsh dhcp server show mibinfo:

Subnet = 10.11.12.0.
        No. of Addresses in use = 0.
        No. of free Addresses = 1.
        No. of pending offers = 0.

And the following from my Active Directory entries for subnets (Base DN="CN=Subnets,CN=Sites,CN=Configuration,DC=your,DC=company,DC=com", Filter="(&(objectClass=subnet))"):

siteObject,name,description
"MY_SITE_CODE","10.11.12.0/24","My Company Site ABC Scope"

Note: You can use SA-LDAPSearch to query your Active Directory or a custom script (I use perl).

Then you should be able to get the scope IP range, the site (or whatever) it belongs to and a nice description for it.