Monitor DHCP Logs Via Wildcard?

dscoland
Path Finder

Hi Splunk Community,

I am currently running Splunk 6.1.0 on Windows Server 2008 R2.

My goal is to monitor our DHCP logs from our Windows-based domain controllers, and have the universal forwarders forward the DHCP logs to our heavy forwarder that then filters/parses and forwards these to our central Splunk instance.

I have the following monitor stanza set up in $SPLUNK_HOME$/UniversalForwarder/etc/system/local

[monitor:://C:\Windows\ System32\Dhcp\ DhcpSrvLog*.txt]
disabled = 0
sourcetype = dhcp
host = splunkhf1:9997

From what I have been reading, this wildcard path should work, but we are not getting any data.

Is this type of wildcard path not supported?

Thank you in advance,
Daniel

1 Solution

dshpritz
SplunkTrust

Hey dscoland,

From looking at the Splunk Add-on for Microsoft Windows it has a default input that looks like this:

[monitor://$WINDIR\System32\DHCP]
disabled = 1
whitelist = DhcpSrvLog*
crcSalt = <SOURCE>
sourcetype = DhcpSrvLog

You could use that, or use the add-on to gather that data. Note that the add-on also contains parsing (props/transforms) for that sourcetype, so you may want to look into using it.
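
Added example, not part of the thread or of the add-on: a Python sketch of which files the stanza quoted in the answer would select once it is enabled. It assumes a local override that sets `disabled = 0`, uses a constructed directory listing, and models `whitelist` as an unanchored regex searched against the full path; `load` and `monitored` are hypothetical helper names.

```python
import configparser
import re

# Constructed sample: the add-on's default stanza from the answer, plus a
# local override that enables it (the override is an assumption of this example).
DEFAULT_CONF = r"""
[monitor://$WINDIR\System32\DHCP]
disabled = 1
whitelist = DhcpSrvLog*
crcSalt = <SOURCE>
sourcetype = DhcpSrvLog
"""
LOCAL_CONF = r"""
[monitor://$WINDIR\System32\DHCP]
disabled = 0
"""

# Constructed directory listing for a DHCP server.
FILES = [
    r"C:\Windows\System32\DHCP\DhcpSrvLog-Mon.log",
    r"C:\Windows\System32\DHCP\DhcpSrvLog-Tue.log",
    r"C:\Windows\System32\DHCP\DhcpV6SrvLog-Mon.log",
    r"C:\Windows\System32\DHCP\dhcp.mdb",
]


def load(*layers):
    """Merge conf layers in order; later layers (local) override earlier ones."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case, e.g. crcSalt
    for text in layers:
        cp.read_string(text)
    return cp


def monitored(cp, files, windir=r"C:\Windows"):
    """Return the files each enabled monitor stanza would pick up."""
    picked = []
    for section in cp.sections():
        if not section.startswith("monitor://"):
            continue
        opts = cp[section]
        if opts.get("disabled", "0").strip().lower() in ("1", "true"):
            continue  # default layer ships disabled, so nothing is collected
        root = section[len("monitor://"):].replace("$WINDIR", windir).lower()
        allow = re.compile(opts.get("whitelist", ""))  # regex, not a glob
        picked += [f for f in files
                   if f.lower().startswith(root + "\\") and allow.search(f)]
    return picked
```

With only the default layer nothing is selected; with the local override the two `DhcpSrvLog-*` files are selected and the V6 log and database file are not.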

dscoland
Path Finder

Nice, it worked! Thank you.

0 Karma

dshpritz
SplunkTrust

It doesn't have to be on all of them, just the DHCP servers.

0 Karma

dscoland
Path Finder

Do these have to be enabled on all of the Universal Forwarders?

0 Karma