I did as you recommended, although the only difference between what came shipped and the change recommended above was:
REGEX=sdhcpd[.+]:s
I enabled syslog on my Infoblox to forward to my Splunk server on port 514 (tcp) (I am installing a syslog-ng server on another host later).
My data appears as "sourcetype = syslog", and "process = dhcpd"; nothing else unusual.
I am, however, only able to see data for "DHCP Events"; no results are found for DHCP Operations or anything reporting MAC addresses.
Examples of my logs:
<30>Aug 21 08:03:58 192.168.1.5 dhcpd[1234]: DHCPINFORM from 192.168.1.238 via 192.168.1.1 : unknown subnet for client address 192.168.1.238
<30>Aug 21 08:05:12 192.168.1.5 named[5678]: client 192.168.1.15#16804: received notify for zone '192.in-addr.arpa'
<30>Aug 21 08:05:18 192.168.1.5 dhcpd[1234]: DHCPINFORM from 192.168.1.206 via 192.168.1.1 : unknown subnet for client address 192.168.1.206
I am also getting these error messages:
The lookup table 'dhcpd_cef-lookup' does not exist. It is referenced by configuration 'dhcpd'.
The lookup table 'dhcpd_cef-lookup' does not exist. It is referenced by configuration 'syslog'.
The lookup table 'dhcpd_mac-vendorname' does not exist. It is referenced by configuration 'dhcpd'.
The lookup table 'dhcpd_mac-vendorname' does not exist. It is referenced by configuration 'syslog'.
By the way, any help on getting DNS data from Infoblox also working would be greatly appreciated.
Thank you!
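As an added example (not part of the original post, and not Splunk's or Infoblox's own code), a small Python parser run over constructed syslog lines in the same shape as the ones quoted above, plus two constructed ISC-dhcpd-style lease lines to show where a MAC address would be picked up. It assumes the quoted REGEX was originally `\sdhcpd\[.+\]:\s` with the backslashes lost in display; that reading, the field names and the sample lines are assumptions.

```python
import re

# Constructed sample lines in the same shape as the poster's Infoblox syslog output
# (first three), plus constructed ISC-dhcpd-style lease transaction lines (last two).
SAMPLE_LOGS = [
    "<30>Aug 21 08:03:58 192.168.1.5 dhcpd[1234]: DHCPINFORM from 192.168.1.238 via 192.168.1.1 : unknown subnet for client address 192.168.1.238",
    "<30>Aug 21 08:05:12 192.168.1.5 named[5678]: client 192.168.1.15#16804: received notify for zone '192.in-addr.arpa'",
    "<30>Aug 21 08:05:18 192.168.1.5 dhcpd[1234]: DHCPINFORM from 192.168.1.206 via 192.168.1.1 : unknown subnet for client address 192.168.1.206",
    "<30>Aug 21 08:06:01 192.168.1.5 dhcpd[1234]: DHCPDISCOVER from 00:11:22:33:44:55 via eth0",
    "<30>Aug 21 08:06:02 192.168.1.5 dhcpd[1234]: DHCPACK on 192.168.1.77 to 00:11:22:33:44:55 via eth0",
]

# Assumed reading of the poster's REGEX with backslashes restored: \sdhcpd\[.+\]:\s
# The pid and the remainder of the message are captured as named groups.
DHCPD_PROCESS_RE = re.compile(r"\sdhcpd\[(?P<pid>\d+)\]:\s(?P<msg>.*)$")
MSG_TYPE_RE = re.compile(r"^(?P<type>DHCP[A-Z]+)\b")
MAC_RE = re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_dhcpd_line(line):
    """Return a dict of fields for a dhcpd syslog line, or None for other processes (e.g. named)."""
    m = DHCPD_PROCESS_RE.search(line)
    if not m:
        return None
    msg = m.group("msg")
    msg_type = MSG_TYPE_RE.match(msg)
    mac = MAC_RE.search(msg)
    ips = IPV4_RE.findall(msg)
    return {
        "pid": int(m.group("pid")),
        "type": msg_type.group("type") if msg_type else None,
        "mac": mac.group(0).lower() if mac else None,
        "client_ip": ips[0] if ips else None,
        "message": msg,
    }


def summarize(lines):
    """Count dhcpd message types and how many of each carried a MAC address."""
    by_type = {}
    for event in filter(None, map(parse_dhcpd_line, lines)):
        entry = by_type.setdefault(event["type"], {"count": 0, "with_mac": 0})
        entry["count"] += 1
        if event["mac"]:
            entry["with_mac"] += 1
    return by_type
```

Running `summarize(SAMPLE_LOGS)` shows that the DHCPINFORM lines (the only kind in the quoted sample) yield no MAC field, while the constructed DISCOVER/ACK lines do.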