At the beginning of this month, the DHCP servers stopped feeding logs into my Splunk instance. Every day at around 12 AM local time, there will only be one log entry, and it only shows the "Microsoft Windows DHCP Service Activity Log" header and the codes. These are extracted from the corresponding day's DHCP log file, but the DHCP logs that follow after that do not appear in the Splunk instance.

Here is the inputs.conf which is added to the DHCP servers (installed with UF):

[monitor://$WINDIR\System32\DHCP]
disabled = 0
whitelist = DhcpSrvLog*
alwaysOpenFile = 1
crcSalt = <SOURCE>
sourcetype = DhcpSrvLog
index = windows