Windows DHCP Logs

Justin
Path Finder

I am having trouble getting a Splunk forwarder (4.1.2) to send Windows 2008 R2 DHCP logs back to the main Splunk indexer (4.1.2). When I first set up the forwarder to monitor the DHCP log directory, everything was working fine. Now it appears that the forwarder does not think there are any new log events to transmit. Something unique about these logs is that they have names like DhcpSrvLog-Mon.log and DhcpSrvLog-Sat.log. The logs get overwritten on a weekly basis. Should Splunk be able to detect that log names are getting reused, or do I need to configure an additional setting somewhere?

Note: All other logs being captured by the forwarder are transmitting correctly.

1 Solution

Justin
Path Finder

I contacted Splunk Enterprise support and they pointed me to a solution. On the Splunk forwarder system (the one with the DHCP logs), I had to add an entry to inputs.conf in /etc/system/local/.

[monitor://C:\Windows\System32\dhcp]
sourcetype = dhcp
# Mix the full source path into the file's CRC so the seven DhcpSrvLog-*.log
# files, which all start with the same header, are not treated as one file
crcSalt = <SOURCE>
# Open the file to check for new data instead of trusting modtime/size alone
alwaysOpenFile = 1
disabled = false
# Only pick up the DHCP activity logs in this directory
whitelist = Dhcp.+\.log

The key was the "crcSalt" entry. I hope this helps others.

mcronkrite
Splunk Employee

I think you have to add more slashes to get this working.

[monitor://C:\Windows\System32\dhcp]

With the "\"s added.


koolvasco
Explorer

crcSalt =
Did it mean it is to be replaced with the DHCP server's IP?


vgollapudi
Communicator

Look at this documentation link:

https://docs.splunk.com/Documentation/Splunk/7.1.0/Admin/Inputsconf

  • If set to the literal string (including the angle brackets), the full directory path to the source file is added to the CRC. This ensures that each file being monitored has a unique CRC. When crcSalt is invoked, it is usually set to .

gkanapathy
Splunk Employee

Do these files happen to have a large identical header at the beginning? Or, are the files possibly written in Unicode/UTF-16 (and Splunk is failing to detect that)?

mgaleti
New Member

Solved my problem!


Justin
Path Finder

The log files do have large headers. The header is 31 lines, and the 32nd line is when new log events appear. Is there a conf file setting I need to accommodate this? If so, does this need to be done on the forwarder or indexer?

I am not sure how to determine if the file has Unicode. Is there an easy way to check this?

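To show why the seven weekday files looked like a single already-indexed file, and to give a quick answer to the "is it Unicode?" question above, here is an added Python sketch (not from this thread and not Splunk's code). It models Splunk's file identity as a CRC over the first initCrcLength bytes (256 by default), with and without a <SOURCE>-style salt, and checks for a UTF-16 byte-order mark. The header text and event lines are constructed sample data, and the CRC logic is an approximation of Splunk's behaviour, not its implementation.

```python
import tempfile
import zlib
from pathlib import Path

INIT_CRC_LENGTH = 256  # Splunk's default initCrcLength: bytes hashed to identify a file
# Constructed stand-in for the fixed header every DhcpSrvLog-*.log starts with (real one ~31 lines)
HEADER = (
    "\t\tMicrosoft DHCP Service Activity Log\n\n"
    "Event ID  Meaning\n"
    "00\tThe log was started.\n"
    "01\tThe log was stopped.\n"
    "10\tA new IP address was leased to a client.\n"
    "11\tA lease was renewed by a client.\n"
    "12\tA lease was released by a client.\n"
    "13\tAn IP address was found to be in use on the network.\n\n"
    "ID,Date,Time,Description,IP Address,Host Name,MAC Address\n"
)

def file_fingerprint(path: Path, crc_salt: str = "") -> int:
    """Approximation of the tailing processor's file identity: CRC32 of the first
    INIT_CRC_LENGTH bytes; crc_salt="<SOURCE>" mixes in the file's own path."""
    with path.open("rb") as fh:
        head = fh.read(INIT_CRC_LENGTH)
    if crc_salt == "<SOURCE>":
        crc_salt = str(path)
    crc = zlib.crc32(head)
    if crc_salt:
        crc = zlib.crc32(crc_salt.encode("utf-8"), crc)
    return crc & 0xFFFFFFFF

def detect_bom(path: Path) -> str:
    """Cheap check for the UTF-16 question: inspect the byte-order mark, if any."""
    with path.open("rb") as fh:
        start = fh.read(3)
    if start[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return "utf-16"
    return "utf-8-sig" if start == b"\xef\xbb\xbf" else "no BOM (ASCII/UTF-8)"

def demo() -> dict:
    """Two weekday logs that differ only after the shared header (constructed data)."""
    with tempfile.TemporaryDirectory() as tmp:
        mon, sat = Path(tmp) / "DhcpSrvLog-Mon.log", Path(tmp) / "DhcpSrvLog-Sat.log"
        mon.write_text(HEADER + "10,06/02/25,08:15:02,Assign,10.0.0.21,host-a,001122334455\n")
        sat.write_text(HEADER + "11,06/07/25,09:30:44,Renew,10.0.0.37,host-b,66778899aabb\n")
        return {
            "unsalted_same": file_fingerprint(mon) == file_fingerprint(sat),
            "salted_same": file_fingerprint(mon, "<SOURCE>") == file_fingerprint(sat, "<SOURCE>"),
            "mon_encoding": detect_bom(mon),
        }
```

Without the salt both files hash to the same value because the header alone is longer than 256 bytes; with the path mixed in they are distinct, which is what crcSalt = <SOURCE> achieves in inputs.conf.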