Getting Data In

Windows DHCP Logs

Justin
Path Finder

I am having trouble getting a Splunk forwarder (4.1.2) to send Windows 2008 R2 DHCP logs back to the main Splunk indexer (4.1.2). When I first set up the forwarder to monitor the DHCP log directory, everything was working fine. Now it appears that the forwarder does not think there are any new log events to transmit. Something unique with these logs is that they have names like DhcpSrvLog-Mon.log and DhcpSrvLog-Sat.log. The logs get overwritten on a weekly basis. Should Splunk be able to detect that log names are getting reused, or do I need to configure an additional setting somewhere?

Note: All other logs being captured by the forwarder are transmitting correctly.

1 Solution

Justin
Path Finder

I contacted Splunk Enterprise support and they pointed me to a solution. On the Splunk forwarder system (the one with the DHCP logs), I had to add an entry to inputs.conf in /etc/system/local/.

[monitor://C:\Windows\System32\dhcp]
sourcetype = dhcp
crcSalt = <SOURCE>
alwaysOpenFile = 1
disabled = false
whitelist = Dhcp.+\.log

The key was the "crcSalt" entry. I hope this helps others.

mcronkrite
Splunk Employee

I think you have to add more slashes to get this working.

[monitor://C:\Windows\System32\dhcp]

With the ("\")s added.


koolvasco
Explorer

crcSalt = <SOURCE>
Does it mean <SOURCE> is to be replaced with the DHCP server's IP?


vgollapudi
Communicator

Look at this documentation link:

https://docs.splunk.com/Documentation/Splunk/7.1.0/Admin/Inputsconf

  • If set to the literal string <SOURCE> (including the angle brackets), the full directory path to the source file is added to the CRC. This ensures that each file being monitored has a unique CRC. When crcSalt is invoked, it is usually set to <SOURCE>.

gkanapathy
Splunk Employee

Do these files happen to have a large identical header at the beginning? Or, are the files possibly written in Unicode/UTF-16 (and Splunk is failing to detect that)?

mgaleti
New Member

Solved my problem!


Justin
Path Finder

The log files do have large headers. The header is 31 lines, and the 32nd line is when new log events appear. Is there a conf file setting I need to accommodate this? If so, does this need to be done on the forwarder or indexer?

I am not sure how to determine if the file has Unicode. Is there an easy way to check this?

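Added illustration (written for this thread; it is not Splunk's code and not something any poster supplied) of why the accepted answer's crcSalt = <SOURCE> fixes the reused DhcpSrvLog-*.log names, and a quick answer to the "is the file UTF-16?" question above. It assumes Splunk fingerprints a monitored file with a CRC over its first 256 bytes (the inputs.conf initCrcLength default) and simplifies how <SOURCE> is mixed in to "append the absolute path"; the header and event lines are constructed and much shorter than the real 31-line DHCP server header, but long enough to fill the 256-byte window the same way.

```python
"""Same-header files collide under a prefix CRC; salting with the path fixes it.

Added illustration for this thread, not Splunk's code. Assumptions: a CRC
over the first 256 bytes identifies a file (initCrcLength default), and
crcSalt = <SOURCE> is modelled as appending the absolute path to the CRC
input. HEADER and the event lines are constructed sample data.
"""
import os
import tempfile
import zlib

CRC_PREFIX_BYTES = 256  # inputs.conf initCrcLength default

# Constructed stand-in for the identical header every daily DHCP log carries.
HEADER = (
    "\t\tMicrosoft DHCP Service Activity Log\n\n"
    "Event ID  Meaning\n"
    "00\tThe log was started.\n"
    "01\tThe log was stopped.\n"
    "10\tA new IP address was leased to a client.\n"
    "11\tA lease was renewed by a client.\n"
    "12\tA lease was released by a client.\n"
    "13\tAn IP address was found to be in use on the network.\n"
    "\n"
    "ID,Date,Time,Description,IP Address,Host Name,MAC Address\n"
)


def encoding_hint(path):
    """Cheap check for the UTF-16 question: look at the byte-order mark, then
    fall back to spotting NUL bytes in the first 64 bytes (BOM-less UTF-16
    text interleaves NULs with the ASCII characters)."""
    with open(path, "rb") as fh:
        head = fh.read(64)
    if head.startswith(b"\xff\xfe"):
        return "utf-16-le"
    if head.startswith(b"\xfe\xff"):
        return "utf-16-be"
    if b"\x00" in head:
        return "utf-16 (no BOM)"
    return "ascii/utf-8"


def fingerprint(path, crc_salt=None):
    """CRC32 over the first CRC_PREFIX_BYTES of the file.
    crc_salt="<SOURCE>" mixes in the absolute path (assumed model of the
    Splunk option); any other string is appended literally."""
    with open(path, "rb") as fh:
        prefix = fh.read(CRC_PREFIX_BYTES)
    if crc_salt == "<SOURCE>":
        prefix += os.path.abspath(path).encode()
    elif crc_salt:
        prefix += crc_salt.encode()
    return zlib.crc32(prefix)


def write_dhcp_log(directory, name, events, utf16=False):
    """Write HEADER plus event lines; utf16=True writes a BOM-prefixed UTF-16-LE file."""
    path = os.path.join(directory, name)
    text = HEADER + "".join(e + "\n" for e in events)
    with open(path, "wb") as fh:
        fh.write(b"\xff\xfe" + text.encode("utf-16-le") if utf16 else text.encode("ascii"))
    return path


def demo():
    """Return (unsalted_collision, salted_collision, enc_of_ascii_file, enc_of_utf16_file)."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed event lines in the DHCP CSV layout named in the header.
        mon = write_dhcp_log(d, "DhcpSrvLog-Mon.log",
                             ["10,06/27/22,08:01:13,Assign,10.0.0.21,host-a,001122334455"])
        sat = write_dhcp_log(d, "DhcpSrvLog-Sat.log",
                             ["11,07/02/22,09:15:40,Renew,10.0.0.34,host-b,66778899aabb"])
        wide = write_dhcp_log(d, "DhcpSrvLog-Sun.log", [], utf16=True)
        # Different events, same first 256 bytes: the plain CRC cannot tell them apart.
        unsalted = fingerprint(mon) == fingerprint(sat)
        # With the path salted in, each file gets its own CRC.
        salted = fingerprint(mon, "<SOURCE>") == fingerprint(sat, "<SOURCE>")
        return unsalted, salted, encoding_hint(mon), encoding_hint(wide)


if __name__ == "__main__":
    print(demo())  # (True, False, 'ascii/utf-8', 'utf-16-le')
```

The collision is the whole story behind the symptom in the question: a rotated DhcpSrvLog-Mon.log starts with the same 31-line header as every other day's file, so a header-only CRC says "already indexed" and nothing new is forwarded. Run the encoding_hint check (or `file` / a hex viewer) against one of the real logs to settle the UTF-16 question; a file that starts with FF FE, or shows NUL bytes between characters, needs a charset setting rather than a crcSalt change.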