Deployment Architecture

Monitor dhcp log with a app from a deployment server

Path Finder

What is the bare minumum files on a deployment-app?
In this case i want to monitor the dhcp log files on a windows server (i control the client with a deployment-server)

Right now i only have one file in /opt/splunk/etc/deployment-apps/DHCP/local/inputs.conf

[monitor://$WINDIR\System32\DHCP]
disabled = 1
whitelist = DhcpSrvLog*
crcSalt = <SOURCE>
sourcetype = DhcpSrvLog

host = 192.168.1.1:9997

0 Karma
1 Solution

SplunkTrust
SplunkTrust

You can totally have an app with just a single config file. Assign it to the serverclass, reload the class, and all servers in that class will pull it down and restart or not depending on how you've configured that class.

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

You can totally have an app with just a single config file. Assign it to the serverclass, reload the class, and all servers in that class will pull it down and restart or not depending on how you've configured that class.

View solution in original post

0 Karma

Path Finder

Ok!
Do you think my config is looking alright btw?

0 Karma

SplunkTrust
SplunkTrust

The file path looks a bit off. I'd check the windows app for reference : https://splunkbase.splunk.com/app/742/

[monitor://$WINDIR\System32\DHCP]
 disabled = 1
 whitelist = DhcpSrvLog*
 crcSalt = <SOURCE>
 sourcetype = DhcpSrvLog

You'll want to set disable = 0 of course to actually enable the input when you are ready.

0 Karma

Path Finder

Yeah, this is from the windows app:

DHCP

[monitor://$WINDIR\System32\DHCP]
disabled = 1
whitelist = DhcpSrvLog*
crcSalt =
sourcetype = DhcpSrvLog
index = windows

0 Karma