DHCP logs not appearing on splunk

fliwei
Explorer

At the beginning of this month, the DHCP servers have stopped feeding logs into my splunk instance.

Every day at around 12 AM local time, there will only be one log entry, and it only shows the "Microsoft Windows DHCP Service Activity Log" header and the codes. These are extracted from the corresponding day's DHCP log file, but the DHCP logs that follow after that did not appear in the Splunk instance.

Here is the inputs.conf that is added to the DHCP servers (which have the UF installed):

[monitor://$WINDIR\System32\DHCP]
disabled = 0
whitelist = DhcpSrvLog*
alwaysOpenFile = 1
crcSalt = <SOURCE>
sourcetype = DhcpSrvLog
index = windows

0 Karma
1 Solution

fliwei
Explorer

@scelikok I was looking around the Splunk community and found someone who came up with this solution of using alwaysOpenFile. Unfortunately it didn't work.

I have since found the solution to my problem. I installed the latest Windows TA on my intermediate forwarders, and redirected my DHCP servers to send logs through them and on to Splunk Cloud. Previously, the DHCP servers were sending logs out to Splunk Cloud directly through a cloud stack. Seems like a bit of "massaging" by the intermediate forwarder did the trick.

Thanks.

0 Karma

JoeCallen
Loves-to-Learn

I am having the same issue. Everything had been collecting correctly for the past year, when it suddenly stopped collecting on the Sunday of the Memorial Day weekend. Now, at best, it is only collecting the 31-line header and ignoring the hundreds/thousands of lines below the header.

We are running Splunk Enterprise v7.2.3, using the 7.2.3 Universal Forwarder, and using the Windows TA v6.0.0 (and will be testing v8.0.0 as a possible solution).

The "solution" provided later in this thread is not workable for me, so any other inputs would be appreciated.

0 Karma

fliwei
Explorer

Did you try to route the logs through an intermediate forwarder with the latest Windows TA installed?

I would suggest that you check the compatibility of all the app versions. I'm using v8 of Splunk Enterprise, the universal forwarder and the Windows TA.

0 Karma

JoeCallen
Loves-to-Learn

Hi @fliwei,

Some of the DHCP servers are sending to the Indexers via a 7.2.3 UF; others are sending via the 7.2.3 UF to a 7.2.3 HF, and then to the Indexers. No joy.

The v6.0.0 TA and the v8.0.0 TA are both compatible with Splunk v7.2.3.

0 Karma

scelikok
SplunkTrust

Hi @fliwei,

Did you check on the DHCP server whether it writes anything after those headers?

Why do you use the alwaysOpenFile parameter? Please try the below:

[monitor://$WINDIR\System32\DHCP]
disabled = 0
whitelist = DhcpSrvLog*
crcSalt = <SOURCE>
sourcetype = DhcpSrvLog
index = windows

If this reply helps you, an upvote and "Accept as Solution" is appreciated.
0 Karma
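
One way to answer that question on the DHCP server itself, as an added example that is not part of this thread: the script below splits a DhcpSrvLog file into its free-text header (the "Microsoft DHCP Service Activity Log" title and event-code table, ending at the "ID,Date,Time,..." column line) and the CSV event rows that follow, and reports whether anything was written after the header. The sample log is constructed here; a real file would be read from the %WINDIR%\System32\DHCP path used in the inputs.conf above.

```python
"""Check whether a Windows DHCP server activity log has events after its header."""
import csv
import io
from collections import Counter

# Constructed sample in the Microsoft DHCP Service Activity Log layout:
# a free-text header with an event-code table, a CSV column line, then events.
SAMPLE_LOG = """\t\tMicrosoft DHCP Service Activity Log

Event ID  Meaning
00\tThe log was started.
01\tThe log was stopped.
10\tA new IP address was leased to a client.
11\tA lease was renewed by a client.
24\tDatabase cleanup begin.
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name
00,03/04/21,00:00:01,Started,,,,
24,03/04/21,00:00:03,Database Cleanup Begin,,,,
10,03/04/21,08:15:22,Assign,192.0.2.45,client01.example.test,0A1B2C3D4E5F,
11,03/04/21,09:02:10,Renew,192.0.2.46,client02.example.test,0A1B2C3D4E60,
"""


def split_dhcp_log(text):
    """Return (header_lines, events); the header ends at the 'ID,Date,Time' column line."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("ID,Date,Time"):
            header = lines[: i + 1]
            body = [l for l in lines[i + 1:] if l.strip()]  # drop blank trailing lines
            reader = csv.DictReader(io.StringIO("\n".join([line] + body)))
            return header, list(reader)
    return lines, []  # no column line at all: the whole file is header


def summarize(text):
    """Summarize a log so the count can be compared with what Splunk indexed."""
    header, events = split_dhcp_log(text)
    return {
        "header_lines": len(header),
        "event_count": len(events),
        "header_only": len(events) == 0,       # the symptom described in this thread
        "by_id": dict(Counter(e["ID"] for e in events)),
    }


if __name__ == "__main__":
    # To check a real server, replace SAMPLE_LOG with the contents of a DhcpSrvLog-*.log file.
    print(summarize(SAMPLE_LOG))
```

If the server-side event_count is non-zero but Splunk only shows the header, the gap is on the forwarding path; if it is zero, the DHCP service itself has stopped logging.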

Imsaga
Loves-to-Learn

Hello @fliwei

Do we have prebuilt dashboards for monitoring Windows DHCP logs, or do they need to be created?

I have installed the add-on for Windows DHCP.

Looking for some suggestions on this!!

0 Karma