I am trying to enable DHCP logging through our deployment server. We use the Splunk_TA_Windows app.
Our directory is /opt/splunk/etc/deployment-apps/Splunk_TA_windows/local
And the DHCP settings in the inputs.conf file are here:
On our search head using index=windows, we cannot see DHCPSrvLog as a sourcetype...
inputs.conf:
[monitor://$WINDIR\System32\DHCP]
disabled = 0
whitelist = DhcpSrvLog*
crcSalt =
sourcetype = DhcpSrvLog
index = windows
Should this index be changed to wineventlog? It is set to windows as the default.
At first glance, your input looks correct, however is DHCP logging enabled on the server (its not by default)?
https://technet.microsoft.com/en-us/library/dd183684(v=ws.10).aspx
Yes, it is enabled on all of our production servers in our environment. But even if it was not, we should still be able to see the sourcetype when making a search?
Only if it has collected the log files.
A sourcetype won't exist unless there is data for it.
Some questions:
Who does the splunk forwarder run as - local System or another user?
What do you see if you run index=_internal sourcetype=splunkd series=DhcpSrvLog
Have you tried searching and specifying the index: index=windows sourcetype=DhcpSrvLog
On the question about indexes - even if the index name was wrong, you would see events in main (which is where they end up by default)
Running index=_internal sourcetype=splunkd series=DhcpSrvLog shows no results.
But it does show results without the "series" parameter.
The SplunkForwarding Service is running as system.
I have also run index=windows sourcetype=DhcpSrvLog with no results.
In the inputs.conf file, I have changed the DHCP stanza to index=wineventlog, and ran the new index search with no results.
I have since changed it back to default to run the index=windows again
Do you have an index named "windows" or "wineventlog"?
Per the conf files, we do have windows, but running an index=windows search no results come back.
I did change the DHCP index to wineventlog, and still when running a search, DhcpSrvLog shows no results.
Just to clarify -- in your indexes.conf you have a windows index and a wineventlog index specified? To me, it sounds like the forwarder is reporting to _internal fine as you mention seeing data in that index, but it sounds like there's nothing reporting to windows/wineventlog because that index is not correctly configured.
I would consider setting a value for lastChanceIndex in indexes.conf (maybe use 'main', or create a new index for this). That way if you have data that's trying to write to an index that doesn't exist, you can check your lastchance index for the data to validate.
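As an added illustration of the lastChanceIndex suggestion above (this is an example written for this page, not configuration from the thread), here is what the indexer-side indexes.conf could look like. The index names windows and wineventlog come from the thread; the catch-all index name lastchance and its paths are assumptions.

```ini
# indexes.conf on the indexer (added example, not from the original thread).
# "windows" and "wineventlog" match the names discussed above; "lastchance"
# is an assumed name for a catch-all index.
[windows]
homePath   = $SPLUNK_DB/windows/db
coldPath   = $SPLUNK_DB/windows/colddb
thawedPath = $SPLUNK_DB/windows/thaweddb

[wineventlog]
homePath   = $SPLUNK_DB/wineventlog/db
coldPath   = $SPLUNK_DB/wineventlog/colddb
thawedPath = $SPLUNK_DB/wineventlog/thaweddb

# Catch-all index for events whose target index does not exist on this indexer.
[lastchance]
homePath   = $SPLUNK_DB/lastchance/db
coldPath   = $SPLUNK_DB/lastchance/colddb
thawedPath = $SPLUNK_DB/lastchance/thaweddb

# Global setting: route events addressed to a non-existent index here
# instead of dropping them. "main" works here too if you do not want a new index.
[default]
lastChanceIndex = lastchance
```

After restarting splunkd on the indexer, a search such as index=lastchance sourcetype=DhcpSrvLog will show whether the forwarders are sending DHCP events that are being addressed to an index the indexer does not have; if that search is also empty, the problem is upstream on the forwarders rather than in index routing.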
Thank you, I appreciate the suggestion!
Just one minor detail, I do see events when doing an index=wineventlog search.
But specifically no results for DHCP.
Then I suppose the only thing left to do is to validate you're receiving DHCP logs on that server :). Take a look at that server's Event Viewer and see if it is populating the DHCP log.
Ok, seems like the forwarders are not sending data then. What were the other events you saw omitting series?
After you have made your changes in the inputs file, are you reloading the DS?
/opt/splunk/bin/splunk reload deploy-server
Does the forwarder management console show the application as installed?
I am reloading the deployment server after every edit to the conf file.
And yes, it sure does. As far as running the series command series= there is no data. I apologize about that.
Can you check on one of your UF clients - look in
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_Windows\local\inputs.conf
Is your required DHCP config in that file?
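The two replies above ask the same set of questions (which account the forwarder runs as, whether DHCP audit logging is enabled on the server, and whether the deployed inputs.conf is actually present on the client). The following PowerShell script, an added example that is not part of the thread, checks all of them on one DHCP server that is a UF client. It assumes the default UF install directory, the app name Splunk_TA_windows, and the Windows service name SplunkForwarder; the Get-DhcpServerAuditLog cmdlet requires the DhcpServer PowerShell module, which is present with the DHCP role or RSAT. Run it from an elevated prompt.

```powershell
# Added example, not from the original thread: run as Administrator on a
# DHCP server that is a universal forwarder client.
# Assumed: default UF path, app name Splunk_TA_windows, service SplunkForwarder.
$splunkHome = 'C:\Program Files\SplunkUniversalForwarder'
$taInputs   = Join-Path $splunkHome 'etc\apps\Splunk_TA_windows\local\inputs.conf'
$dhcpDir    = Join-Path $env:windir 'System32\dhcp'

# 1. Which account does the forwarder service run as?
$svc = Get-CimInstance Win32_Service -Filter "Name='SplunkForwarder'"
if ($svc) { "Forwarder runs as: $($svc.StartName) (state: $($svc.State))" }
else      { 'SplunkForwarder service not found on this host' }

# 2. Is the DHCP audit log enabled, and does it write where the stanza looks?
try {
    $audit = Get-DhcpServerAuditLog -ErrorAction Stop
    "DHCP audit logging enabled: $($audit.Enable), path: $($audit.Path)"
    if ($audit.Path -and ($audit.Path.TrimEnd('\') -ne $dhcpDir.TrimEnd('\'))) {
        "NOTE: audit log path differs from the monitored directory $dhcpDir"
    }
} catch {
    "Could not query DHCP audit log settings: $($_.Exception.Message)"
}

# 3. Are there DhcpSrvLog* files for the monitor stanza to pick up?
$logs = Get-ChildItem -Path $dhcpDir -Filter 'DhcpSrvLog*' -ErrorAction SilentlyContinue
if ($logs) { $logs | Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize }
else       { "No DhcpSrvLog* files found in $dhcpDir" }

# 4. Did the deployment server push the stanza to this client?
if (Test-Path $taInputs) {
    "Found $taInputs"
    Select-String -Path $taInputs -Pattern 'DHCP|DhcpSrvLog|^index'
} else {
    "Missing $taInputs - the app was not deployed to this client"
}

# 5. Show the merged inputs configuration as splunkd sees it (no login needed).
& (Join-Path $splunkHome 'bin\splunk.exe') btool inputs list --debug |
    Select-String -Pattern 'DHCP'

# 6. Look for the forwarder's own log lines about the DHCP files.
Select-String -Path (Join-Path $splunkHome 'var\log\splunk\splunkd.log') -Pattern 'DhcpSrvLog' |
    Select-Object -Last 10
```

If step 4 reports the file missing while the forwarder management console shows the app as installed, compare the server class membership for that host; if step 5 shows the stanza but step 6 shows nothing, the forwarder never opened the files, which usually points at the service account's permissions on the DHCP directory or at audit logging being off on that server.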
Thank you! I appreciate the feedback! I will check
How did you get on with this - were you able to confirm that the config was successfully deployed to the UFs?
Hey there,
I apologize for the delay on this matter, but I would definitely love to share my findings.
Currently I have built an ESXi lab and I have installed the Splunk TA windows app on my indexer and my UF.
I can see DHCP logs getting sent via index=windows sourcetype=DhcpSrvLog.
So I know the Splunk TA app works fine.
On my production side:
Here's my issue. I have multiple Domain Controllers which are running as DHCP servers for our infrastructure, and I have found the file path they are exporting the logs to.
I believe the reason it is not showing in my production environment is maybe due to having multiple Deployment Servers, one indexer, and a search head, versus my lab that has one indexer and UFs sending data.
On our DCs, we do not have access to install the Splunk_TA app... But we do have the TA app on our deployment servers...
I'm just trying to figure out the best solution with our infrastructure to get this working since I know the directory where the logs are being stored.
Any help is appreciated.