I am having trouble getting a Splunk forwarder (4.1.2) to send Windows 2008 R2 DHCP logs back to the main Splunk indexer (4.1.2). When I first set up the forwarder to monitor the DHCP log directory, everything was working fine. Now it appears that the forwarder does not think there are any new log events to transmit. Something unique with these logs is that they have names like DhcpSrvLog-Mon.log and DhcpSrvLog-Sat.log. The logs get overwritten on a weekly basis. Should Splunk be able to detect that log names are getting reused, or do I need to configure an additional setting somewhere?
Note: All other logs being captured by the forwarder are transmitting correctly.
I contacted Splunk Enterprise support and they pointed me to a solution. On the Splunk forwarder system (the one with the DHCP logs), I had to add an entry to inputs.conf in /etc/system/local/.
[monitor://C:\Windows\System32\dhcp]
sourcetype = dhcp
crcSalt = <SOURCE>
alwaysOpenFile = 1
disabled = false
whitelist = Dhcp.+\.log
The key was the "crcSalt" entry. I hope this helps others.
I think you have to add more slashes to get this working.
[monitor://C:\\Windows\\System32\\dhcp]
With the "\"s added.
crcSalt = <SOURCE>
Does it mean <SOURCE> is to be replaced with the DHCP server's IP?
Look at this documentation Link:
https://docs.splunk.com/Documentation/Splunk/7.1.0/Admin/Inputsconf
Do these files happen to have a large identical header at the beginning? Or, are the files possibly written in Unicode/UTF-16 (and Splunk is failing to detect that)?
Solved my problem!
The log files do have large headers. The header is 31 lines, and the 32nd line is when new log events appear. Is there a conf file setting I need to accommodate this? If so, does this need to be done on the forwarder or indexer?
I am not sure how to determine if the file has Unicode. Is there an easy way to check this?
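The following is an added example, not part of the thread or of Splunk's own code. It models why the accepted answer's crcSalt = <SOURCE> fixes the problem, why the 31-line identical header matters, and how to do the UTF-16 check asked about above. Splunk fingerprints a monitored file by hashing its first initCrcLength bytes (256 by default, a real inputs.conf setting), so two files with the same long header produce the same fingerprint and the forwarder treats the second as already indexed. The hashing below uses plain CRC32 as a simplified stand-in for Splunk's internal routine, the header text and log events are constructed, and the file paths are taken from the thread's monitor stanza.

```python
import zlib

# Splunk's default initCrcLength is 256 bytes; CRC32 here is a simplified
# model of the fingerprint, not Splunk's exact implementation.
INIT_CRC_LENGTH = 256

# Constructed stand-in for the 31-line header the thread describes
# (not the real Windows DHCP Server log preamble).
HEADER = "".join(
    f"Header line {i:02d}: constructed DHCP log preamble text\n" for i in range(1, 32)
)


def build_sample_files():
    """Two day-of-week logs sharing the header but holding different events (constructed)."""
    return {
        r"C:\Windows\System32\dhcp\DhcpSrvLog-Mon.log":
            (HEADER + "10,01/06/20,08:00:00,Assign,10.0.0.5,host-a,\n").encode("ascii"),
        r"C:\Windows\System32\dhcp\DhcpSrvLog-Sat.log":
            (HEADER + "11,01/11/20,09:30:00,Renew,10.0.0.9,host-b,\n").encode("ascii"),
    }


def initial_crc(content, source="", length=INIT_CRC_LENGTH):
    """Fingerprint the first `length` bytes, optionally salted with the file's
    source path (the effect of crcSalt = <SOURCE>)."""
    return zlib.crc32(content[:length] + source.encode("utf-8"))


def fingerprints(files, salt_with_source=False, length=INIT_CRC_LENGTH):
    """Map each path to its fingerprint under the chosen settings."""
    return {
        path: initial_crc(data, path if salt_with_source else "", length)
        for path, data in files.items()
    }


def distinct_fingerprints(files, salt_with_source=False, length=INIT_CRC_LENGTH):
    """How many files the forwarder would see as distinct; 1 means a collision."""
    return len(set(fingerprints(files, salt_with_source, length).values()))


def looks_utf16(data):
    """Cheap UTF-16 check: a byte-order mark, or NUL bytes interleaved with ASCII."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return True
    sample = data[:64]
    if len(sample) < 4:
        return False
    # In UTF-16 ASCII text, every second byte is 0x00.
    return all(b == 0 for b in sample[1::2]) or all(b == 0 for b in sample[0::2])


if __name__ == "__main__":
    files = build_sample_files()
    print("distinct, default 256 bytes, no salt:", distinct_fingerprints(files))
    print("distinct, crcSalt = <SOURCE>:", distinct_fingerprints(files, salt_with_source=True))
    print("distinct, initCrcLength past the header:",
          distinct_fingerprints(files, length=len(HEADER) + 64))
    for path, data in files.items():
        print(path, "UTF-16?" , looks_utf16(data))
```

With the default 256 bytes and no salt both files hash identically, which is the "no new events" symptom; salting with the source path gives each file its own fingerprint, and raising initCrcLength past the shared header does the same without the salt. Either setting belongs in inputs.conf on the forwarder, where the files are read. The UTF-16 check only needs the first few bytes of a file, so it can be run over a copy of the log without touching the live one.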