All Apps and Add-ons

How do you enable DHCP logging through the Deployment Server?

jmartelon
New Member

I am trying to enable DHCP logging through our deployment server. We use the Splunk_TA_Windows app.

Our directory is /opt/splunk/etc/deployment-apps/Splunk_TA_windows/local

And the DHCP settings in the inputs.conf file are here:

On our search head using index=windows, we cannot see DHCPSrvLog as a sourcetype...

inputs.conf:

DHCP

[monitor://$WINDIR\System32\DHCP]
disabled = 0
whitelist = DhcpSrvLog*
crcSalt =
sourcetype = DhcpSrvLog
index = windows <<<<<< should this be changed to wineventlog? This is set to windows as default.

0 Karma
1 Solution

nickhills
Ultra Champion

At first glance, your input looks correct, however is DHCP logging enabled on the server (its not by default)?

https://technet.microsoft.com/en-us/library/dd183684(v=ws.10).aspx

If my comment helps, please give it a thumbs up!

View solution in original post

0 Karma

nickhills
Ultra Champion

At first glance, your input looks correct, however is DHCP logging enabled on the server (its not by default)?

https://technet.microsoft.com/en-us/library/dd183684(v=ws.10).aspx

If my comment helps, please give it a thumbs up!
0 Karma

jmartelon
New Member

Yes, it is enabled on all of our production servers in our environment. But even if it was not, we should still be able to see the sourcetype when making a search?

0 Karma

nickhills
Ultra Champion

Only if it has collected the log files.
A sourcetype won't exist unless there is data for it.

Some questions:
Who does the splunk forwarder run as - local System or another user?
What do you see if you run index=_internal sourcetype=splunkd series=DhcpSrvLog
have you tried searching and specifying the index: index=windows sourcetype=DhcpSrvLog

On the question about indexes - even if the index name was wrong, you would see events in main (which is where they end up by default)

If my comment helps, please give it a thumbs up!
0 Karma

jmartelon
New Member

Running index=_internal sourcetype=splunkd series=DhcpSrvLog shows no results.
But it does show results without the "series" parameter.

The SplunkForwarding Service is running as system.

I have also ran index=windows sourcetype=DhcpSrvLog with no results.

In the inputs.conf file, I have changed the DHCP stanza to index=wineventlog, and ran the new index search with no results.

I have since changed it back to default to run the index=windows again

0 Karma

coltwanger
Contributor

Do you have an index named "windows" or "wineventlog"?

0 Karma

jmartelon
New Member

Per the conf files, we do have windows, but running an index=windows search no results come back.

I did change the DHCP index to wineventlog, and still when running a search, DhcpSrvLog shows no results.

0 Karma

coltwanger
Contributor

Just to clarify -- in your indexes.conf you have a windows index and a wineventlog index specified? To me, it sounds like the forwarder is reporting to _internal fine as you mention seeing data in that index, but it sounds like there's nothing reporting to windows/wineventlog because that index is not correctly configured.

I would consider setting a value for lastChanceIndex in indexes.conf (maybe use 'main', or create a new index for this). That way if you have data that's trying to write to an index that doesn't exist, you can check your lastchance index for the data to validate.

0 Karma

jmartelon
New Member

Thank you, I appreciate the suggestion!

Just one minor detail, I do see events when doing an index=wineventlog search.

But specifically no results for DHCP.

0 Karma

coltwanger
Contributor

Then I suppose the only thing left to do is to validate you're receiving DHCP logs on that server :). Take a look at that server's Event Viewer and see if it is populating the DHCP log.

0 Karma

nickhills
Ultra Champion

Ok, seems like the forwarders are not sending data then. What were the other events you saw omitting series?

After you have made your changes in the inputs file are you reloading the ds?

/opt/splunk/bin/splunk reload deploy-server

Does the forwarder management console show the application as installed?

If my comment helps, please give it a thumbs up!
0 Karma

jmartelon
New Member

I am reloading the deployment server after every edit to the conf file.

And yes, it sure does. As far as running the series command series= there is no data. I apologize about that.

0 Karma

nickhills
Ultra Champion

Can you check on one of your UF clients - look in

c:\program file\splunk universal lforwarder\etc\apps\Splunk_TA_Windows\local\inputs.conf

Is your required DHCP config in that file?

If my comment helps, please give it a thumbs up!
0 Karma

jmartelon
New Member

Thank you! I appreciate the feedback! I will check

0 Karma

nickhills
Ultra Champion

How did you get on with this - were you able to confirm that the config was successfully deployed to the UFs?

If my comment helps, please give it a thumbs up!
0 Karma

jmartelon
New Member

Hey there,

I apologize for the delay on this matter, but I would definitely love to share my findings.

Currently I have built a ESXi lab and I have installed the Splunk TA windows app in my Indexer and my UF.

I can see DHCP logs getting sent via index=windows sourcetype=DhcpSrvLog.

So I know the Splunk TA app works fine.

On my production side:

Here's my issue. I have multiple Domain Controllers to which are running as DHCP servers for our infrastructure, and I have found the file path it is exporting the logs to.

I believe the issue why it is not showing in my production environment is maybe due to having multiple Deployment Servers, one indexer, and a search head. VS, my lab that has one indexer, and UFs sending data.

Our DCs, we do not have access to install the Splunk_TA app...But we do have the TA app on our deployment servers...

I'm just trying to figure out the best solution with our infrastructure to get this working since I know the directory where the logs are being stored.

Any help is appreciated.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...