At the beginning of this month, the DHCP servers stopped feeding logs into my Splunk instance.
Every day at around 12 AM local time, there is only one log entry, and it shows only the "Microsoft Windows DHCP Service Activity Log" header and the codes. These are extracted from the corresponding day's DHCP log file, but the DHCP log entries that follow it do not appear in the Splunk instance.
Here is the inputs.conf that is deployed to the DHCP servers (which have the UF installed):
[monitor://$WINDIR\System32\DHCP]
# Default directory for the DHCP server audit logs
disabled = 0
# Matches DhcpSrvLog-Mon.log through DhcpSrvLog-Sun.log (one file per weekday, overwritten each week)
whitelist = DhcpSrvLog*
# Reopen the file on every poll instead of relying on modification time/size checks (Windows-only setting)
alwaysOpenFile = 1
# Append the file path to the CRC so files that begin with the same header are tracked separately
crcSalt = <SOURCE>
sourcetype = DhcpSrvLog
index = windows
@scelikok I was looking around the Splunk community and found someone who came up with this solution of using alwaysOpenFile. Unfortunately it didn't work.
I have since found the solution to my problem. I installed the latest Windows TA on my intermediate forwarders, and redirected my DHCP servers to send logs through them and on to Splunk Cloud. Previously, the DHCP servers were sending logs out to Splunk Cloud directly through a cloud stack. Seems like a bit of "massaging" by the intermediate forwarder did the trick.
Thanks.
I am having the same issue. Everything had been collecting correctly for the past year, when it suddenly stopped collecting on the Sunday of the Memorial Day weekend. Now, at best it is only collecting the 31-line header, and ignoring the hundreds/thousands of lines below the header.
We are running Splunk Enterprise v7.2.3; using the 7.2.3 Universal Forwarder; and using the Windows TA v6.0.0 (and will be testing v8.0.0 as a possible solution).
The "solution" provided later in this thread is not workable for me, so any other inputs would be appreciated.
Did you try to route the logs through an intermediate forwarder with the latest Windows TA installed?
I would suggest that you check the compatibility of all the app versions. I'm using version 8 of Splunk Enterprise, the Universal Forwarder and the Windows TA.
Hi @fliwei,
Some of the DHCP servers are sending to the Indexers via a 7.2.3 UF; others are sending via the 7.2.3 UF to a 7.2.3 HF, and then to the Indexers. No joy.
The v6.0.0 TA and the v8.0.0 TA are compatible with Splunk v7.2.3
Hi @fliwei,
Did you check on the DHCP server whether it writes anything after those headers?
Why do you use the alwaysOpenFile parameter? Please try the below:
[monitor://$WINDIR\System32\DHCP]
disabled = 0
whitelist = DhcpSrvLog*
crcSalt = <SOURCE>
sourcetype = DhcpSrvLog
index = windows
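The check asked for above (does the DHCP server actually write records after the header?) can be scripted. The following is an added example for this thread, not code from Splunk or Microsoft. It parses a DhcpSrvLog-&lt;Day&gt;.log file into the header block and the CSV records that follow the column line, and reports whether anything besides the header is present. The embedded sample log is constructed for the example: its code table is abbreviated (the real one is about 30 lines) and the hosts, addresses and MACs are made up. The cp1252 encoding for the on-disk file is an assumption.

```python
"""Check whether a Windows DHCP audit log (DhcpSrvLog-<Day>.log) holds records
after its header. Added example for this thread, not Splunk's or Microsoft's code."""
import csv
import sys
from typing import Dict, List, Tuple

# The DHCP service writes one CSV column line after the event-code table;
# everything before it is the header that Splunk was showing as the only event.
COLUMN_LINE_PREFIX = "ID,Date,Time,"

# Constructed sample: abbreviated header (the real code table is ~30 lines)
# followed by four made-up records.
SAMPLE_HEADER = (
    "\t\tMicrosoft DHCP Service Activity Log\n"
    "\n"
    "Event ID  Meaning\n"
    "00\tThe log was started.\n"
    "01\tThe log was stopped.\n"
    "10\tA new IP address was leased to a client.\n"
    "11\tA lease was renewed by a client.\n"
    "15\tA lease was denied.\n"
    "\n"
    "ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,"
    " TransactionID, QResult,Probationtime, CorrelationID,Dhcid,"
    "VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),"
    "RelayAgentInformation,DnsRegError.\n"
)
SAMPLE_RECORDS = (
    "00,05/26/19,00:00:02,Started,,,,,0,6,,,,,,,,,0\n"
    "10,05/26/19,00:01:17,Assign,10.1.2.50,HOST1.corp.example,0A1B2C3D4E5F,,1234567890,0,,,,,,,,,0\n"
    "11,05/26/19,00:03:44,Renew,10.1.2.51,HOST2.corp.example,AABBCCDDEEFF,,1234567891,0,,,,,,,,,0\n"
    "15,05/26/19,00:05:01,NACK,10.1.2.52,,001122334455,,1234567892,0,,,,,,,,,0\n"
)
SAMPLE_LOG = SAMPLE_HEADER + SAMPLE_RECORDS


def split_header(text: str) -> Tuple[List[str], List[str], List[str]]:
    """Return (header_lines, column_names, record_lines).

    The header ends at the column line. A file truncated before the column
    line yields no columns and no records."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(COLUMN_LINE_PREFIX):
            columns = [c.strip().rstrip(".") for c in line.split(",")]
            records = [ln for ln in lines[i + 1:] if ln.strip()]
            return lines[: i + 1], columns, records
    return lines, [], []


def parse_records(columns: List[str], record_lines: List[str]) -> List[Dict[str, str]]:
    """Parse the CSV records into dicts keyed by the column names from the file."""
    rows = []
    for fields in csv.reader(record_lines):
        # Older DHCP builds write fewer columns; pad so every key exists.
        fields = (fields + [""] * len(columns))[: len(columns)]
        rows.append(dict(zip(columns, fields)))
    return rows


def summarize(text: str) -> Dict[str, object]:
    """Report how long the header is, whether anything follows it, the
    event-ID mix, the last record's timestamp and the addresses handed out."""
    header, columns, record_lines = split_header(text)
    records = parse_records(columns, record_lines)
    by_id: Dict[str, int] = {}
    for r in records:
        by_id[r["ID"]] = by_id.get(r["ID"], 0) + 1
    last = records[-1] if records else None
    return {
        "header_lines": len(header),
        "record_count": len(records),
        "header_only": not records,
        "events_by_id": by_id,
        "last_record_time": f"{last['Date']} {last['Time']}" if last else None,
        "leased_ips": sorted({r["IP Address"] for r in records if r["ID"] in ("10", "11")}),
    }


def summarize_file(path: str) -> Dict[str, object]:
    """Run the check on a log copied from %WINDIR%\\System32\\dhcp.
    The file is assumed to be in the system ANSI code page (cp1252 here)."""
    with open(path, encoding="cp1252", errors="replace") as fh:
        return summarize(fh.read())


if __name__ == "__main__":
    result = summarize_file(sys.argv[1]) if len(sys.argv) > 1 else summarize(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
    if result["header_only"]:
        print("Only the header is present: the DHCP service is not writing records, "
              "so the forwarder is not the problem.")
```

Run it against a copy of the day's file: if `header_only` is true, the DHCP audit log itself is empty and no forwarder or TA change will help; if it reports records with a recent `last_record_time` while Splunk still shows only the header, the records exist on disk and the problem is in the UF's reading of the file or in the parsing downstream.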
Hello @fliwei
Do we have prebuilt dashboards for monitoring Windows DHCP logs, or do they need to be created?
I have installed the add-on for Windows DHCP.
Looking for some suggestions on this!!