Getting Data In

journalctl dhcpd log import?


My linux-based DHCP server running ISC DHCPD is running systemd and puts the dhcpd logs into the central logging system without creating a distinct dhcpd.log file. Instead I have to look at the logs with this command:

journalctl -u isc-dhcp-server

So I can no longer simply point my UF to the old dhcpd.log file for import into Splunk. How can I get these logs into Splunk?

0 Karma

Splunk Employee
Splunk Employee

Perhaps try this as a scripted input.
Create an executable bash script with the command exec journalctl --since=now -f -u isc-dhcp-server
Add the script as an input on the forwarder:
$SPLUNK_HOME/bin/splunk add exec \
-source $SPLUNK_HOME/bin/scripts/ \
-interval = 0

0 Karma
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf24, and Community Connections

Thank you to everyone in the Splunk Community who joined us for .conf24 – starting with Splunk University and ...

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...