Can't see DHCP logs from Windows server in Search

tecooper
Explorer

(This is my first time installing a UF.) They installed a new DHCP (Windows) server last week, and I'm trying to get Splunk installed properly. When I run index=_internal source=*metrics.log* tcpin_connections sourceIp=xxx.xx.xx.xx it's generating events from said IP address, which is the new DHCP server, but I can't get any results in the Search app.

The previous DHCP server was going into the "main" index. Nothing in inputs.conf references remote file monitoring. There is a sourcetype called "DHCP" in Source Types that was manually created by the previous admin. Under the Advanced tab one of the lines is REPORT-DHCPFields. In Field transformations there is a REPORT-DHCPFields that was created by the previous admin.

I added the stanza below to the inputs.conf file in Splunk Enterprise, but since it wasn't in there before and didn't work, I've commented it out. (Btw, I'm not sure if the word SOURCE is supposed to be the name of the server, log file, etc., or the literal word SOURCE.)

[monitor://C:\Windows\System32\dhcp]
crcSalt = <source>
alwaysOpenFile = 1
disabled = false
whitelist = Dhcp.+.log
index = main
sourcetype = DhcpSrvLog

This is in the inputs.conf on the UF:

[default]
host = NewServerName

###### DHCP ######
[monitor://c:\windows\system32\dhcp]
disabled = false
whitelist = Dhcp.+.log
crcSalt = <source>
sourcetype = dhcp
alwaysOpenFile = 1

This is in the outputs.conf on the UF:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = server:port

[tcpout-server://server:port]
sslCertPath = C:\Program Files\SplunkUniversalForwarder\etc\certs\forwarder.pem
sslPassword = password
sslRootCAPath = C:\Program Files\SplunkUniversalForwarder\etc\certs\cacert.pem
(Not sure if this is supposed to be a Windows path to point to the local box or a Linux path to point to the server.)

Immediate need: I need to get the new DHCP server logs into Splunk ASAP, but I can't see anything to change to point to the new server in the GUI. Any ideas? (I'm not sure what logs to look at on the server.)

Long term need: Is this set up according to best practice? Should we be ingesting DHCP logs differently?


nickhills
Ultra Champion

It's a good idea to specify the index in the UF inputs.conf; you don't appear to have this.
Add index = main to the existing stanza so it reads:

[monitor://C:\Windows\System32\dhcp]
sourcetype = dhcp
crcSalt = <source>
alwaysOpenFile = 1
disabled = false
index = main
whitelist = Dhcp.+.log

If my comment helps, please give it a thumbs up!

tecooper
Explorer

It was an SSL issue. Once I got the certs installed and the paths correct, it worked. But now I'm having a problem with the logs. I added the stanza from your post above and am getting some logs in the early morning. But for the rest of the day, I only see 1 entry from a DHCPV6 log.


tecooper
Explorer

Thank you for your help! Unfortunately, it didn't work. Got any more ideas? Yes, crcSalt has the word source in both places. And thanks for the note about the code. I saw the message pop up when I posted, but I guess I should've hit cancel instead of OK, because then it wouldn't let me back out and change it. I'll do that next time.


nickhills
Ultra Champion

Also, when you post config/search queries, you should use the code formatter (the icon that looks like 101010), as it prevents some of your config from being stripped out. Your original post looks like crcSalt is empty, but I presume it is actually set to crcSalt = <source>.

If my comment helps, please give it a thumbs up!
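An added example, not part of the thread and not Splunk's own code, showing why the crcSalt = <source> line that both posters ask about matters for these particular logs. Splunk's monitor input fingerprints a file with a CRC over its first initCrcLength bytes (256 by default); the Windows DHCP service keeps one file per weekday (DhcpSrvLog-Mon.log through DhcpSrvLog-Sun.log) and starts each one with the same explanatory header, so without a per-path salt every weekday file hashes to the same fingerprint and all but the first are treated as already indexed. Assumptions: zlib.crc32 stands in for Splunk's internal checksum, the fishbucket is reduced to a dict of fingerprints already seen, and the header and lease rows are constructed sample data modelled on the DhcpSrvLog layout, not copied from a real server.

```python
"""Why Splunk needs crcSalt = <source> for the Windows DHCP server logs.

Added example, not part of the thread. The tailing processor fingerprints a
monitored file with a CRC over its first initCrcLength bytes (256 by default).
The DHCP service writes one file per weekday and starts every one with the
same header, so the fingerprints collide and later files look like copies of
a file that was already indexed. crcSalt = <source> mixes the file path into
the fingerprint so each path is tracked on its own.

Assumptions: zlib.crc32 stands in for Splunk's internal checksum (only the
fixed-prefix property matters here), the fishbucket is reduced to a dict of
seen fingerprints, and the header and lease rows are constructed sample data
modelled on the DhcpSrvLog layout, not copied from a real server.
"""
from __future__ import annotations

import zlib

INIT_CRC_LENGTH = 256  # Splunk default for initCrcLength

# Constructed header, abbreviated from the real file (the real one is longer,
# so the same argument applies with more margin).
HEADER = (
    "\t\tMicrosoft DHCP Service Activity Log\n"
    "\n"
    "Event ID  Meaning\n"
    "00\tThe log was started.\n"
    "01\tThe log was stopped.\n"
    "02\tThe log was temporarily paused due to low disk space.\n"
    "10\tA new IP address was leased to a client.\n"
    "11\tA lease was renewed by a client.\n"
    "12\tA lease was released by a client.\n"
    "13\tAn IP address was found to be in use on the network.\n"
    "\n"
    "ID,Date,Time,Description,IP Address,Host Name,MAC Address\n"
)

# Constructed lease rows: only the data after the header differs between days.
MON_PATH = r"C:\Windows\System32\dhcp\DhcpSrvLog-Mon.log"
MON_LOG = (
    HEADER
    + "10,12/09/24,08:03:19,Assign,10.20.30.41,ws01.corp.example,00155D0A0B0C\n"
    + "11,12/09/24,12:03:22,Renew,10.20.30.41,ws01.corp.example,00155D0A0B0C\n"
).encode()

TUE_PATH = r"C:\Windows\System32\dhcp\DhcpSrvLog-Tue.log"
TUE_LOG = (
    HEADER
    + "10,12/10/24,07:58:01,Assign,10.20.30.77,ws02.corp.example,00155D0A0B1D\n"
).encode()

SAMPLE_FILES = {MON_PATH: MON_LOG, TUE_PATH: TUE_LOG}


def file_crc(path: str, content: bytes, crc_salt: str = "") -> int:
    """Fingerprint a file the way the monitor input does.

    crc_salt mirrors the inputs.conf setting: "" (unset), "<source>" (append
    the file path; the thread writes it in lower case, Splunk docs in upper)
    or any literal string.
    """
    prefix = content[:INIT_CRC_LENGTH]
    if crc_salt.upper() == "<SOURCE>":
        prefix += path.encode("utf-8")
    elif crc_salt:
        prefix += crc_salt.encode("utf-8")
    return zlib.crc32(prefix) & 0xFFFFFFFF


def would_be_skipped(files: dict[str, bytes], crc_salt: str = "") -> list[str]:
    """Simplified fishbucket: paths whose fingerprint repeats one already seen.

    Files are visited in dict order. The first path with a given CRC is
    indexed; any later path with the same CRC is treated as already-seen and
    never read, which is how the other weekdays' leases silently go missing.
    """
    seen: dict[int, str] = {}
    skipped: list[str] = []
    for path, content in files.items():
        crc = file_crc(path, content, crc_salt)
        if crc in seen:
            skipped.append(path)
        else:
            seen[crc] = path
    return skipped


if __name__ == "__main__":
    assert len(HEADER.encode()) >= INIT_CRC_LENGTH, "header must cover the CRC window"
    for salt in ("", "static-salt", "<source>"):
        label = f"crcSalt = {salt}" if salt else "crcSalt unset"
        print(f"{label}: skipped files = {would_be_skipped(SAMPLE_FILES, salt)}")
```

Running it shows that with crcSalt unset, or set to a fixed string, the Tuesday file is never read because its first 256 bytes are identical to Monday's; only the <source> form, which folds the path into the fingerprint, lets every weekday file be tracked separately. Real Splunk also compares a seek pointer and seek CRC before deciding a file is a duplicate, so this model is deliberately simplified to the part that the shared header defeats.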