(This is my first time installing a UF.) They installed a new DHCP (Windows) server last week, and I'm trying to get Splunk installed properly. When I run index=_internal source=*metrics.log* tcpin_connections sourceIp=xxx.xx.xx.xx
it's generating events from said IP address, which is the new DHCP server, but I can't get any results in the Search app.
The previous DHCP server was going in to the "main" index. Nothing in inputs.conf to reference remote file monitoring. There is a sourcetype called "DHCP" in Source Types that was manually created by the previous admin. Under the Advanced tab one of the lines is REPORT-DHCPFields. In Field transformations is REPORT-DHCPFields that was created by the previous admin.
I added the stanza below to the inputs.conf file in Splunk Enterprise, but since it wasn't in there before and didn't work, I've commented it out. (Btw, I'm not sure if the word SOURCE is supposed to be the name of the server, log file, etc or the word SOURCE.)
[monitor://C:\Windows\System32\dhcp]
crcSalt =
alwaysOpenFile = 1
disabled = false
whitelist = Dhcp.+.log
index = main
sourcetype = DhcpSrvLog
This is in the inputs.conf on the UF:
[default]
host = NewServerName
###### DHCP ######
[monitor://c:\windows\system32\dhcp]
disabled = false
whitelist = Dhcp.+.log
crcSalt =
sourcetype = dhcp
alwaysOpenFile = 1
This is in the outputs.conf on the UF:
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = server:port
[tcpout-server://server:port]
sslCertPath = C:\Program Files\SplunkUniversalForwarder\etc\certs\forwarder.pem
sslPassword = password
sslRootCAPath = C:\Program Files\SplunkUniversalForwarder\etc\certs\cacert.pem
(Not sure if this is supposed to be a Windows path to point to the local box or a Linux path to point to the server.)
Immediate need: I need to get the new DHCP server logs into Splunk ASAP, but I can't see anything to change to point to the new server in the GUI. Any ideas? (I'm not sure what logs to look at on the server.)
Long term need: Is this set up according to best practice? Should we be ingesting DHCP logs differently?
Its a good idea to specify the index in the UF inputs.conf - you don't appear to have this.
Add index = main
to the existing stanza so it reads:
[monitor://C:\Windows\System32\dhcp]
sourcetype = dhcp
crcSalt = <source>
alwaysOpenFile = 1
disabled = false
index = main
whitelist = Dhcp.+.log
It was an SSL issue. Once I got the certs installed and the paths correct, it worked. But now I'm having a problem with the logs. I added the stanza from your post above and am getting some logs in the early morning. But for the rest of the day, I only see 1 entry from a DHCPV6 log.
Thank you for your help! Unfortunately, it didn't work. Got any more ideas? Yes, crcSalt has the word source in both places. And thanks for the note about the code. I saw the message pop up when I posted, but I guess I should've hit cancel instead of OK, because then it wouldn't let me back out and change it. I'll do that next time.
Also - when you post config/search queries, you should use the code formatter - the icon which looks like 101010
as it prevents some of your config being stripped out - Your original post looks like crcSalt is empty, but I presume it is actually set to crcSalt = <source>