Getting Data In

Best way to get Windows DHCP logs to Splunk

PratikPashte
Explorer

Hello,

I am trying to get Windows DHCP logs into Splunk using the approach below, but wanted to check whether there is a better way to ingest DHCP logs into Splunk.

Using the deployment server to push this inputs.conf to collect the logs:

# Windows DHCP server writes its audit logs (DhcpSrvLog-<Day>.log, DhcpV6SrvLog-<Day>.log) here
[monitor://C:\Windows\System32\dhcp]
sourcetype = dhcp
# the seven daily files start with the same fixed preamble, so include the path in the CRC
crcSalt = <SOURCE>
# the DHCP service keeps the current file open; reopen it on every poll so new lines are seen
alwaysOpenFile = 1
disabled = false
index = dhcplogs
# only the log files, not the DHCP database that lives in the same folder
whitelist = Dhcp.+\.log
 
And then installing the app below on the search heads to parse the logs:
 
 
I haven't completed the setup yet; before I do, I wanted some advice on whether this is the best way to go ahead, or whether there is another, better way to ingest it.
 
If this is the best way, is there anything I need to be aware of prior to the setup? Thanks in advance.
 
 
Regards,
Pratik Pashte
 
 

 

0 Karma

PratikPashte
Explorer

The only problem with this approach is the DHCP log file size on the DC.

I am also trying the Splunk Stream app, but it is complicated to fulfil the use case:

MAC - IP - Hostname 

With Stream we get all the data from the DORA process, and I believe DHCPREQUEST and DHCPACK are where I should get these details from.

 

But I am not able to figure out the fields; mostly I should receive the desired values in these fields, but this is not always true.

chaddr
yiaddr
client_fqdn

Has anyone successfully configured Stream for DHCP logs and got the data required for asset inventory (MAC-IP-Hostname)?

 

0 Karma
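As an added example (not part of the original thread or of any Splunk add-on), here is what a downstream MAC-IP-Hostname extraction from the monitored DhcpSrvLog-*.log files has to deal with: the free-text event-ID legend at the top of each file, the CSV header line that starts `ID,Date,Time,Description,IP Address,Host Name,MAC Address,...`, MACs written as 12 bare hex digits, renewal rows with an empty Host Name, and the lease lifecycle (assign/renew versus release/delete/expire). The sample log text is constructed; the column names and event IDs follow the header and legend the DHCP service itself writes, and the `LeaseEvent`, `parse_events` and `build_inventory` names are assumptions of this example.

```python
"""Replay Windows DHCP server audit-log lines (DhcpSrvLog-*.log) into a MAC -> (IP, hostname) inventory."""
import csv
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Event IDs as listed in the legend the DHCP service writes at the top of each audit log.
LEASE_ADD_IDS = {"10", "11", "20", "21"}     # new lease, renewal, BOOTP / dynamic BOOTP lease
LEASE_REMOVE_IDS = {"12", "16", "17", "18"}  # released by client, deleted, expired


@dataclass(frozen=True)
class LeaseEvent:
    event_id: str
    ip: str
    mac: str       # normalized to aa:bb:cc:dd:ee:ff
    hostname: str
    date: str      # MM/DD/YY as written by the server
    time: str


def normalize_mac(raw: str) -> str:
    """The audit log writes MACs as 12 bare hex digits (A1B2C3D4E5F6); return aa:bb:cc:dd:ee:ff."""
    hexdigits = "".join(ch for ch in raw.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        return raw.strip().lower()  # empty field or a non-Ethernet client ID: keep as written
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_events(lines: Iterable[str]) -> Iterator[LeaseEvent]:
    """Skip the preamble, take column names from the 'ID,Date,...' header, then yield one event per row."""
    columns: Optional[List[str]] = None
    for line in lines:
        line = line.rstrip("\r\n")
        if not line.strip():
            continue
        if columns is None:
            if line.startswith("ID,"):
                # header ends with 'DnsRegError.'; drop the trailing period and padding spaces
                columns = [c.strip() for c in line.rstrip(".").split(",")]
            continue
        rec = dict(zip(columns, (v.strip() for v in next(csv.reader([line])))))
        yield LeaseEvent(
            event_id=rec.get("ID", ""),
            ip=rec.get("IP Address", ""),
            mac=normalize_mac(rec.get("MAC Address", "")),
            hostname=rec.get("Host Name", "").rstrip("."),  # server may append a trailing dot
            date=rec.get("Date", ""),
            time=rec.get("Time", ""),
        )


def build_inventory(events: Iterable[LeaseEvent]) -> Dict[str, Tuple[str, str]]:
    """Replay events in log order; result maps MAC -> (IP, hostname) for leases still held at the end."""
    inventory: Dict[str, Tuple[str, str]] = {}
    ip_owner: Dict[str, str] = {}  # IP -> MAC, so a reassigned IP evicts its previous holder
    for ev in events:
        if ev.event_id in LEASE_ADD_IDS and ev.mac and ev.ip:
            previous = ip_owner.get(ev.ip)
            if previous and previous != ev.mac:
                inventory.pop(previous, None)  # the IP moved to another client
            old_ip, old_host = inventory.get(ev.mac, ("", ""))
            if old_ip and old_ip != ev.ip:
                ip_owner.pop(old_ip, None)     # the client moved to another IP
            # renewal rows often carry an empty Host Name; keep the name learned at assign time
            inventory[ev.mac] = (ev.ip, ev.hostname or old_host)
            ip_owner[ev.ip] = ev.mac
        elif ev.event_id in LEASE_REMOVE_IDS:
            if ev.mac in inventory and inventory[ev.mac][0] == ev.ip:
                del inventory[ev.mac]
                ip_owner.pop(ev.ip, None)
    return inventory


def inventory_from_log(text: str) -> Dict[str, Tuple[str, str]]:
    return build_inventory(parse_events(text.splitlines()))


# Constructed sample, not a real capture; layout follows the preamble and header the DHCP service writes.
SAMPLE_LOG = """\t\tMicrosoft DHCP Service Activity Log

Event ID  Meaning
00\tThe log was started.
10\tA new IP address was leased to a client.

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID,Dhcid,VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),RelayAgentInformation,DnsRegError.
00,03/04/24,08:00:01,Started,,,,,0,6,,,,,,,,,0
10,03/04/24,08:01:10,Assign,10.1.2.50,laptop-01.corp.example,A1B2C3D4E5F6,,12345,0,,,,,,,,,0
11,03/04/24,09:15:22,Renew,10.1.2.50,,A1B2C3D4E5F6,,12346,0,,,,,,,,,0
10,03/04/24,09:20:00,Assign,10.1.2.51,printer-7.corp.example,001122334455,,12347,0,,,,,,,,,0
12,03/04/24,10:00:00,Release,10.1.2.51,printer-7.corp.example,001122334455,,12348,0,,,,,,,,,0
10,03/04/24,10:05:00,Assign,10.1.2.51,phone-9.corp.example,66778899AABB,,12349,0,,,,,,,,,0
"""

if __name__ == "__main__":
    for mac, (ip, host) in sorted(inventory_from_log(SAMPLE_LOG).items()):
        print(f"{mac}\t{ip}\t{host}")
```

Two points carry over to Splunk regardless of whether the raw file or Stream is the source: the MAC needs normalizing before it can be joined against anything else (switch CAM tables, EDR inventories), and a renewal must not overwrite a hostname with an empty string, otherwise the inventory degrades every time a lease is refreshed.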

Roy_9
Motivator

Install the Splunk UF on the hosts, push this add-on to all the UFs, and install it on your SH as well, which makes field extraction easy.

0 Karma

PratikPashte
Explorer

Which means I am on the right track. Thanks, Roy.

But I would also like to understand whether there is any other way to pull the DHCP logs into Splunk.

 

0 Karma

isoutamo
SplunkTrust
I think that this is the easiest and best way to do it with Splunk. Other ways are more complicated than this.