I have Splunk Universal Forwarders on 4 Windows 2012R2 servers, monitoring the DHCP server logs with this stanza:
[monitor://Z:\dhcp\logs]
disabled = 0
sourcetype = DhcpSrvLog
whitelist = DhcpSrvLog*
crcSalt = <SOURCE>
initCrcLength = 2000
That worked when I started the forwarder. But I found that the forwarder stopped sending new logs to my indexers at midnight sharp, and I don't know whether that has something to do with the fact that the log for today has a timestamp of midnight yesterday:
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 2/4/2015 12:00 AM 146695986 DhcpSrvLog-Tue.log
-a--- 2/4/2015 12:00 AM 138881102 DhcpSrvLog-Wed.log
At that point, I added an "alwaysOpenFile = 1" item in the stanza to see if that solves the problem. But I came in this morning to find that it had changed nothing whatsoever.
Soooo, what else can I do to handle this Microsoft beast?
[Edit]: Not sure if (or how) this could be a factor: the folder in the monitor stanza "Z:/dhcp/logs" is a Windows symbolic link to a folder "E:/dhcp/logs_<HOSTNAME>" -- those forward slashes (/) are replacements for the backslashes in Windows, of course.
Well, my monitor stanza actually did work.
I guess I wasn't patient enough after I put in "alwaysOpenFile = 1", which I believe is what made Splunk deal with the log file rotation correctly, in combination with "initCrcLength = 2000".
I don't believe that "crcSalt = <SOURCE>" is needed in this case, but I am not going to change the stanza at this point as that does no harm either.
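The reason the stanza options matter is that Splunk identifies a monitored file by a CRC over its first initCrcLength bytes (256 by default), and every daily DhcpSrvLog-*.log starts with the same fixed banner, so without a longer CRC window or a path salt the files look identical. The following is an added example, not code from the question or the answer: it models that fingerprinting with a constructed, shortened banner and zlib's CRC-32 standing in for Splunk's internal checksum.

```python
# Added example: models how Splunk's file fingerprint reacts to initCrcLength
# and crcSalt = <SOURCE>. The banner below is a constructed, shortened stand-in
# for the fixed header of Microsoft DHCP server logs; zlib.crc32 is a stand-in
# for Splunk's own CRC routine (the mechanism, not the exact algorithm).
import zlib

DEFAULT_INIT_CRC_LENGTH = 256   # Splunk default for initCrcLength
POST_INIT_CRC_LENGTH = 2000     # value used in the stanza from the question

# Constructed header, identical at the start of every daily DhcpSrvLog-*.log.
HEADER = (
    "\t\tMicrosoft DHCP Service Activity Log\n\n"
    "Event ID  Meaning\n"
    "00\tThe log was started.\n"
    "01\tThe log was stopped.\n"
    "02\tThe log was temporarily paused due to low disk space.\n"
    "10\tA new IP address was leased to a client.\n"
    "13\tAn IP address was found to be in use on the network.\n"
    "14\tA lease request could not be satisfied because the scope's address pool was exhausted.\n"
    "ID,Date,Time,Description,IP Address,Host Name,MAC Address\n"
)

# Constructed bodies for two days: same header, different lease records.
FILES = {
    r"Z:\dhcp\logs\DhcpSrvLog-Tue.log":
        HEADER + "10,02/03/15,00:00:07,Assign,10.0.0.21,host-a.example,00AA11BB22CC\n",
    r"Z:\dhcp\logs\DhcpSrvLog-Wed.log":
        HEADER + "11,02/04/15,00:00:03,Renew,10.0.0.35,host-b.example,00AA11BB22DD\n",
}


def fingerprint(path: str, content: bytes, init_crc_length: int, salt_source: bool) -> int:
    """CRC over the first init_crc_length bytes, optionally salted with the full path."""
    salt = path.encode("utf-8") if salt_source else b""
    return zlib.crc32(salt + content[:init_crc_length]) & 0xFFFFFFFF


def collisions(init_crc_length: int, salt_source: bool) -> set:
    """Return the paths whose fingerprint matches another monitored file's."""
    seen, clashing = {}, set()
    for path, text in FILES.items():
        fp = fingerprint(path, text.encode("utf-8"), init_crc_length, salt_source)
        if fp in seen:
            clashing.update({seen[fp], path})
        seen.setdefault(fp, path)
    return clashing


if __name__ == "__main__":
    print("default 256, no salt :", collisions(DEFAULT_INIT_CRC_LENGTH, False))
    print("initCrcLength 2000   :", collisions(POST_INIT_CRC_LENGTH, False))
    print("crcSalt = <SOURCE>   :", collisions(DEFAULT_INIT_CRC_LENGTH, True))
```

With the default window both days collide and the forwarder would treat the new day's file as one it has already read; widening the window past the banner or salting with the source path makes each file distinct.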