Getting Data In

journalctl dhcpd log import?

splunkjosef
Explorer

My linux-based DHCP server running ISC DHCPD is running systemd and puts the dhcpd logs into the central logging system without creating a distinct dhcpd.log file. Instead I have to look at the logs with this command:

journalctl -u isc-dhcp-server

So I can no longer simply point my UF to the old dhcpd.log file for import into Splunk. How can I get these logs into Splunk?

0 Karma

bguilfoyle_splu
Splunk Employee
Splunk Employee

Perhaps try this as a scripted input.
Create an executable bash script with the command exec journalctl --since=now -f -u isc-dhcp-server
Add the script as an input on the forwarder:
$SPLUNK_HOME/bin/splunk add exec \
-source $SPLUNK_HOME/bin/scripts/myScriptName.sh \
-interval = 0

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...