Monitoring Splunk

Windows DHCP log files "too small to match seekptr checksum"?

williamche
Path Finder

I'm seeing "seekptr checksum" errors for all the Microsoft's DHCP log files. Here's an example:

ERROR TailingProcessor - Ignoring path due to: File will not be read, is too small to match seekptr checksum (file=\dhcpsrv\dhcp$\DhcpSrvLog.Tue). Last time we saw this initcrc, filename was different. You may wish to use a CRC salt on this source. Consult the documentation or contact Splunk Support for more info.

I'm a little unsure of how to use the crcSalt option that's suggested in the Admin Manual. Here's what I have in the inputs.conf file:

[monitor://\\dhcpsrv\dhcp$]
disabled = 0
followTail = 0
host = dhcpsrv
index = default
sourcetype = ms_dhcpd
crcSalt = \\dhcpsrv\dhcp$\DhcpSrvLog.*

Did I correctly define the crcSalt parameter? FYI, Microsoft's DHCP service writes its events to 7 different files, one for each day of the week.

Thanks.

-w

3 Solutions

Mick
Splunk Employee

You should use -

crcSalt = <SOURCE>

Don't replace with anything, type it exactly as I have done here. This setting adds a string to the CRC of the file being monitored. If you set it to a specific source string like you have above, then the same string will be added to every file being monitored by that stanza.

By setting it to `<SOURCE>`, each file's individual source path will be added to the CRC, ensuring that each one will be different. This setting is case-sensitive, so make sure you use UPPERCASE characters.

Disclaimer - applying this setting to files that have already been indexed will cause them to be re-indexed as the CRC will change. Likewise, if you roll a live file and save the old data in the same directory that you're monitoring, that file will be re-indexed as soon as the filename changes. So if you roll your files to *.log.1, or you gzip them to *.log.gz, make sure you add a _blacklist setting so Splunk will ignore them.


williamche
Path Finder

I think it's a mistake in how I'd entered the crcSalt option. I modified it to the following and now I'm getting all the events:

[monitor://\\dhcpsrv\dhcp$]
disabled = 0
followTail = 0
host = dhcpsrv
index = default
sourcetype = ms_dhcpd
_whitelist = DhcpSrvLog\.(Sun|Mon|Tue|Wed|Thu|Fri|Sat)$
crcSalt = <SOURCE>

I thought the "<SOURCE>" tag used in the examples meant I needed to replace it with the path to the source files. I also added a _whitelist parameter to monitor only those 7 files.

It's working so far.


jrodman
Splunk Employee

BTW, the issue is we recognize files by their contents, and these logs all have the same header. This setting essentially tells Splunk "different filenames will have different contents". Or another way of looking at it: "my files don't roll, they're new names by date, and don't get renamed."


kimikoyan
Explorer

I just met this issue and solved it by adding crcSalt = <SOURCE> to inputs.conf on the forwarder server. Thank you very much.

0 Karma

alacercogitatus
SplunkTrust

I know it's old, but I'm adding this for future ref. We found that with a Windows 2003R2 DHCP server, the default CRC length of 256 was not sufficient. We added initCrcLength = 2000 (Splunk >=5) to compensate for 1174 bytes of header.

0 Karma
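To make the two mechanisms in this thread concrete (Mick's explanation of why a literal path as crcSalt salts every file identically while <SOURCE> mixes in each file's own path, and alacercogitatus's point that the CRC window must be longer than the shared DHCP header), here is an added, self-contained Python model. It is not Splunk's code and not part of this thread; the fingerprint function is a simplified stand-in (CRC32 over the first initCrcLength bytes, with the salt appended), the DHCP header and log lines are constructed, and the assumption that the same weekday file is rewritten the following week with the same name is mine.

```python
import zlib
from typing import Dict, Optional

# Default initCrcLength as stated in the thread (assumption: Splunk 5-era default).
DEFAULT_INIT_CRC_LENGTH = 256

# Source path prefix taken from the asker's monitor stanza.
SOURCE_PREFIX = r"\\dhcpsrv\dhcp$\DhcpSrvLog."
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]


def fingerprint(content: bytes, source: str,
                init_crc_length: int = DEFAULT_INIT_CRC_LENGTH,
                crc_salt: Optional[str] = None) -> int:
    """Simplified model of a monitor-input fingerprint (NOT Splunk's implementation):
    CRC32 over the first init_crc_length bytes. A crc_salt of the literal '<SOURCE>'
    mixes in the file's own source path; any other salt string is appended verbatim,
    i.e. the same string for every file in the stanza, as Mick's answer describes."""
    head = content[:init_crc_length]
    if crc_salt is None:
        salted = head
    elif crc_salt == "<SOURCE>":
        salted = head + source.encode("utf-8")
    else:
        salted = head + crc_salt.encode("utf-8")
    return zlib.crc32(salted) & 0xFFFFFFFF


def build_header(length: int) -> bytes:
    """Constructed stand-in for the static legend the DHCP service writes at the top of
    every daily log, padded with legend-style lines to exactly `length` bytes."""
    lines = [b"Microsoft DHCP Service Activity Log", b"", b"Event ID  Meaning"]
    n = 0
    while sum(len(line) + 1 for line in lines) < length:
        lines.append(b"%02d        Constructed legend line %d" % (n % 100, n))
        n += 1
    return (b"\n".join(lines) + b"\n")[:length]


def build_logs(header_len: int, week: int) -> Dict[str, bytes]:
    """Constructed set of the seven weekday logs: identical header, per-day body."""
    header = build_header(header_len)
    logs = {}
    for i, day in enumerate(DAYS):
        body = b"ID,Date,Time,Description,IP Address,Host Name,MAC Address\n"
        body += b"10,%02d/%02d/22,08:00:00,Assign,192.0.2.%d,host-%s,00-11-22-33-44-%02x\n" % (
            week + 1, i + 1, 10 + i + week, day.encode("ascii"), i)
        logs[SOURCE_PREFIX + day] = header + body
    return logs


def distinct_fingerprints(logs: Dict[str, bytes],
                          init_crc_length: int = DEFAULT_INIT_CRC_LENGTH,
                          crc_salt: Optional[str] = None) -> int:
    """Number of distinct fingerprints across the given files."""
    return len({fingerprint(c, src, init_crc_length, crc_salt) for src, c in logs.items()})


def scenario_unsalted() -> int:
    # Seven files, identical 256-byte header, default window, no salt: all collide -> 1.
    return distinct_fingerprints(build_logs(256, week=0))


def scenario_literal_path_salt() -> int:
    # The asker's original config: a literal path as the salt is added to every file -> 1.
    return distinct_fingerprints(build_logs(256, week=0), crc_salt=SOURCE_PREFIX + "*")


def scenario_source_salt() -> int:
    # crcSalt = <SOURCE>: each file's own path is mixed in -> 7 distinct fingerprints.
    return distinct_fingerprints(build_logs(256, week=0), crc_salt="<SOURCE>")


def scenario_weekly_rewrite(init_crc_length: int) -> bool:
    """alacercogitatus's case: a 1174-byte header. The same DhcpSrvLog.Tue name is
    rewritten the next week (assumption), so the <SOURCE> salt is identical both weeks;
    only a CRC window longer than the header reaches the bytes that differ.
    Returns True when the two weeks' fingerprints are told apart."""
    this_week = build_logs(1174, week=0)
    next_week = build_logs(1174, week=1)
    src = SOURCE_PREFIX + "Tue"
    a = fingerprint(this_week[src], src, init_crc_length, "<SOURCE>")
    b = fingerprint(next_week[src], src, init_crc_length, "<SOURCE>")
    return a != b


if __name__ == "__main__":
    print("unsalted:", scenario_unsalted())
    print("literal path salt:", scenario_literal_path_salt())
    print("<SOURCE> salt:", scenario_source_salt())
    print("1174-byte header, initCrcLength=256:", scenario_weekly_rewrite(256))
    print("1174-byte header, initCrcLength=2000:", scenario_weekly_rewrite(2000))
```

Run as a script, the first two scenarios report a single fingerprint for all seven files (the "filename was different" situation from the error message), the <SOURCE> salt yields seven, and the 1174-byte-header case only separates consecutive weeks once the window is raised past the header, which is what initCrcLength = 2000 does in the comment above.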

puneethgowda
Communicator

Thank you so very much, dear alacercogitatus. Since morning I was struggling to fix my log problem; your suggestion initCrcLength = 2000 helped me a lot. Thank you so much once again.

0 Karma

williamche
Path Finder

Thank you. I misread the example and thought that the SOURCE tag is a variable that needs to be replaced by the source file being monitored. Problem solved!

0 Karma

paco_zheng
New Member

Please send me the DHCP LOG configuration file (paco_zheng@rainbowtehc.net.cn), thank you!

0 Karma