
Monitor DHCP Logs Via Wildcard?

Path Finder

Hi Splunk Community,

I am currently running Splunk 6.1.0 on Windows Server 2008 R2.

My goal is to monitor our DHCP logs from our Windows-based domain controllers, and have the universal forwarders forward the DHCP logs to our heavy forwarder that then filters/parses and forwards these to our central Splunk instance.

I have the following monitor stanza set up in $SPLUNK_HOME$/UniversalForwarder/etc/system/local:

[monitor:://C:\Windows\ System32\Dhcp\ DhcpSrvLog*.txt]
disabled = 0
sourcetype = dhcp
host = splunkhf1:9997

From what I have been reading, this wildcard path should work, but we are not getting any data.

Is this type of wildcard path not supported?

Thank you in advance,
Daniel


Re: Monitor DHCP Logs Via Wildcard?

SplunkTrust

Hey dscoland,

From looking at the Splunk Add-on for Microsoft Windows, it has a default input that looks like this:

[monitor://$WINDIR\System32\DHCP]
disabled = 1
whitelist = DhcpSrvLog*
crcSalt = <SOURCE>
sourcetype = DhcpSrvLog

You could use that, or use the add-on to gather that data. Note that the add-on also contains parsing (props/transforms) for that sourcetype, so you may want to look into using it.
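Putting the thread together, as an added example that is not part of the original posts or of the add-on's shipped files: the question's stanza annotated beside a working input, plus the forwarding target moved to outputs.conf. The file locations and the group name `heavy_forwarders` are assumptions; `splunkhf1:9997` is the heavy forwarder named in the question.

```ini
# ---- inputs.conf on each DHCP server's universal forwarder ----
# (assumed location: etc\system\local\inputs.conf under the forwarder install)

# Stanza as posted in the question, kept as comments for comparison:
#   [monitor:://C:\Windows\ System32\Dhcp\ DhcpSrvLog*.txt]
#       "monitor:://" is not the monitor:// input scheme, and the path
#       contains stray spaces.
#   host = splunkhf1:9997
#       In inputs.conf, "host" sets the host field stamped on events.
#       It does not choose where the data is sent.

# Working input, based on the add-on default quoted in the answer:
[monitor://$WINDIR\System32\DHCP]
# The add-on ships this input with disabled = 1; enable it locally.
disabled = 0
# whitelist is a regular expression matched against the full file path,
# not a shell glob. Unanchored, this value matches any path containing
# "DhcpSrvLo".
whitelist = DhcpSrvLog*
# Mixes the file path into the CRC Splunk uses to decide whether a file
# was already read, so files that start with the same header text are
# still treated as distinct sources.
crcSalt = <SOURCE>
# Use the add-on's sourcetype so its props/transforms apply.
sourcetype = DhcpSrvLog

# ---- outputs.conf on the same universal forwarder ----
# (assumed location: etc\system\local\outputs.conf)
[tcpout]
# "heavy_forwarders" is a hypothetical group name.
defaultGroup = heavy_forwarders

[tcpout:heavy_forwarders]
# Destination taken from the question's "host =" value.
server = splunkhf1:9997
```

With `host` left unset in the input, events carry the forwarder's own host name, which keeps each DHCP server distinguishable in searches.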



Re: Monitor DHCP Logs Via Wildcard?

Path Finder

Do these have to be enabled on all of the Universal Forwarders?

0 Karma

Re: Monitor DHCP Logs Via Wildcard?

SplunkTrust

It doesn't have to be on all of them, just the DHCP servers.

0 Karma

Re: Monitor DHCP Logs Via Wildcard?

Path Finder

Nice, it worked! Thank you.

0 Karma