Hello,
I am trying to get Windows DHCP logs into Splunk and am using the approach below, but I wanted to see whether there is a better way to ingest the DHCP logs into Splunk.
Using the deployment server to collect the logs with an inputs.conf file.
The only problem with this approach is the DHCP log file size on the DC.
I am also trying the Splunk Stream app, but it is complicated to fulfil the use case:
MAC - IP - Hostname
Details from the logs. With Stream we get all the data from the DORA process, and I believe DHCPREQUEST and DHCPACK are where I should get the details.
But I am not able to figure out the fields. Mostly I should receive the desired values in these fields, but this is not always true:
chaddr
yiaddr
client_fqdn
Has anyone successfully configured Stream for DHCP logs and got the logs required for asset inventory (MAC-IP-Hostname)?
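An added example, not part of the original question or of the Splunk Stream app, showing why the three fields above are not always populated in the same message. It assumes that Stream's chaddr and yiaddr come from the fixed BOOTP header and client_fqdn from DHCP option 81; the packets are constructed in the code (not captures). The parser pulls MAC, IP and hostname out of one DHCP message, falls back from option 81 (client FQDN) to option 12 (host name), reports None when a client sends neither, and handles the DHCPREQUEST case where yiaddr is still 0.0.0.0 and the address sits in option 50:

```python
import struct

# Option codes (RFC 2132 / RFC 4702) used below
OPT_PAD, OPT_END = 0, 255
OPT_HOST_NAME = 12        # option 12: plain host name
OPT_REQUESTED_IP = 50     # option 50: address the client asks for in a DHCPREQUEST
OPT_MSG_TYPE = 53
OPT_CLIENT_FQDN = 81      # option 81: client FQDN (assumed source of Stream's client_fqdn)
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK"}


def parse_options(data):
    """Walk the TLV option area into {code: raw_value}; skip PAD, stop at END."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def decode_client_fqdn(value):
    """RFC 4702 layout: flags(1) rcode1(1) rcode2(1) name. E flag (0x04) => DNS wire labels, else ASCII."""
    if len(value) < 3:
        return None
    flags, name = value[0], value[3:]
    if flags & 0x04:
        labels, i = [], 0
        while i < len(name) and name[i] != 0:
            n = name[i]
            labels.append(name[i + 1:i + 1 + n].decode("ascii", "replace"))
            i += 1 + n
        return ".".join(labels) or None
    return name.decode("ascii", "replace").rstrip("\x00") or None


def parse_dhcp(packet):
    """Return message type plus the MAC / IP / hostname triple from one DHCP message."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (short or missing magic cookie)")
    hlen = packet[2]
    chaddr = packet[28:28 + hlen] if 0 < hlen <= 16 else packet[28:44]
    mac = ":".join(f"{b:02x}" for b in chaddr)
    yiaddr = ".".join(str(b) for b in packet[16:20])
    opts = parse_options(packet[240:])
    msg_type = MSG_TYPES.get((opts.get(OPT_MSG_TYPE) or b"\x00")[0], "unknown")

    # In a DHCPREQUEST yiaddr is still 0.0.0.0; the address being asked for is option 50.
    ip = yiaddr
    if ip == "0.0.0.0" and len(opts.get(OPT_REQUESTED_IP, b"")) == 4:
        ip = ".".join(str(b) for b in opts[OPT_REQUESTED_IP])

    # Prefer option 81 (FQDN), fall back to option 12; many clients send neither.
    hostname = decode_client_fqdn(opts[OPT_CLIENT_FQDN]) if OPT_CLIENT_FQDN in opts else None
    if hostname is None and OPT_HOST_NAME in opts:
        hostname = opts[OPT_HOST_NAME].decode("ascii", "replace") or None
    return {"msg_type": msg_type, "mac": mac, "ip": None if ip == "0.0.0.0" else ip, "hostname": hostname}


def option(code, value):
    return bytes([code, len(value)]) + value


def build_packet(msg_type, mac, yiaddr, extra_options=b""):
    """Constructed test message (not a capture): BOOTP header + cookie + options."""
    hdr = bytearray(236)
    hdr[0] = 2 if msg_type in (2, 5) else 1   # BOOTREPLY for OFFER/ACK, BOOTREQUEST otherwise
    hdr[1], hdr[2] = 1, 6                      # Ethernet, 6-byte hardware address
    struct.pack_into("!I", hdr, 4, 0x3903F326)  # arbitrary transaction id
    hdr[16:20] = bytes(int(o) for o in yiaddr.split("."))
    hdr[28:34] = bytes.fromhex(mac.replace(":", ""))
    return bytes(hdr) + MAGIC_COOKIE + option(OPT_MSG_TYPE, bytes([msg_type])) + extra_options + bytes([OPT_END])


MAC = "00:11:22:33:44:55"   # constructed sample address
# DHCPACK carrying the client FQDN in wire-label form (E flag set)
ACK_FQDN = build_packet(5, MAC, "10.0.0.42",
                        option(OPT_CLIENT_FQDN, b"\x04\x00\x00" + b"\x04ws01\x04corp\x07example\x00"))
# DHCPACK with only the plain host name option
ACK_HOSTNAME = build_packet(5, MAC, "10.0.0.43", option(OPT_HOST_NAME, b"ws02"))
# DHCPACK with no name at all: inventory gets MAC and IP, hostname stays None
ACK_NONAME = build_packet(5, MAC, "10.0.0.44")
# DHCPREQUEST: yiaddr is zero, the address is in option 50
REQ = build_packet(3, MAC, "0.0.0.0",
                   option(OPT_REQUESTED_IP, bytes([10, 0, 0, 42])) + option(OPT_HOST_NAME, b"ws01"))

if __name__ == "__main__":
    for pkt in (ACK_FQDN, ACK_HOSTNAME, ACK_NONAME, REQ):
        print(parse_dhcp(pkt))
```

The practical point for the inventory use case: key the record on the DHCPACK (server-assigned yiaddr), but take the name from whichever of option 81 or option 12 the client actually sent, and accept that some leases will have a MAC and IP with no name at all.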
Install the Splunk UF on the hosts, push this add-on to all the UFs, and install it on your SH as well, which makes your job easy in field extractions.
Which means I am on the right track. Thanks, Roy.
But I would also like to understand whether there is any other way to pull the DHCP logs into Splunk.