Windows DHCP Logs

Justin
Path Finder

I am having trouble getting a Splunk forwarder (4.1.2) to send Windows 2008 R2 DHCP logs back to the main Splunk indexer (4.1.2). When I first set up the forwarder to monitor the DHCP log directory, everything was working fine. Now it appears that the forwarder does not think there are any new log events to transmit. Something unique with these logs is that they have names like DhcpSrvLog-Mon.log and DhcpSrvLog-Sat.log. The logs get overwritten on a weekly basis. Should Splunk be able to detect that log names are getting reused, or do I need to configure an additional setting somewhere?

Note: All other logs being captured by the forwarder are transmitting correctly.


Justin
Path Finder

I contacted Splunk Enterprise support and they pointed me to a solution. On the Splunk forwarder system (the one with the DHCP logs), I had to add an entry to inputs.conf in /etc/system/local/.

[monitor://C:\Windows\System32\dhcp]
sourcetype = dhcp
# Mix the full source path into the initial CRC so that files sharing an
# identical header (DhcpSrvLog-Mon.log, DhcpSrvLog-Sat.log, ...) are tracked
# as distinct files instead of as one file that has already been read.
crcSalt = <SOURCE>
# Open the file to check for new data instead of trusting modtime/size,
# which some Windows services do not update reliably.
alwaysOpenFile = 1
disabled = false
# Regex matched against the full path; only the DHCP day files are picked up.
whitelist = Dhcp.+\.log

The key was the "crcSalt" entry. I hope this helps others.

mcronkrite
Splunk Employee

I think you have to add more slashes to get this working.

[monitor://C:\Windows\System32\dhcp]

With the "\"s added.


koolvasco
Explorer

crcSalt = <SOURCE>
Does it mean <SOURCE> is to be replaced with the DHCP server's IP?


vgollapudi
Communicator

Look at this documentation link:

https://docs.splunk.com/Documentation/Splunk/7.1.0/Admin/Inputsconf

  • If set to the literal string <SOURCE> (including the angle brackets), the full directory path to the source file is added to the CRC. This ensures that each file being monitored has a unique CRC. When crcSalt is invoked, it is usually set to <SOURCE>.

gkanapathy
Splunk Employee

Do these files happen to have a large identical header at the beginning? Or, are the files possibly written in Unicode/UTF-16 (and Splunk is failing to detect that)?

mgaleti
New Member

Solved my problem!


Justin
Path Finder

The log files do have large headers. The header is 31 lines, and the 32nd line is when new log events appear. Is there a conf file setting I need to accommodate this? If so, does this need to be done on the forwarder or indexer?

I am not sure how to determine if the file has Unicode. Is there an easy way to check this?

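As an added example, not code from this thread or from Splunk, the Python script below simulates the file fingerprinting behind the crcSalt fix and behind the two questions about the large identical header and UTF-16. Splunk's monitor input fingerprints a file with a CRC over its first initCrcLength bytes (256 by default), so seven DhcpSrvLog-<Day>.log files that all begin with the same header longer than 256 bytes get the same fingerprint; crcSalt = <SOURCE> appends the file's full path to the CRC input, which is what makes them distinct. Assumptions: zlib.crc32 stands in for Splunk's internal CRC, whose exact algorithm is not documented; the header text and the log lines are constructed approximations of the Windows DHCP server's format; the file paths are created in a temporary directory rather than under C:\Windows\System32\dhcp.

```python
"""Added example (not from the thread or from Splunk): why files with an
identical header collide in a Splunk monitor input, why crcSalt = <SOURCE>
separates them, and a quick check for a UTF-16 encoded log file.

zlib.crc32 stands in for Splunk's undocumented internal CRC (assumption).
"""
import os
import tempfile
import zlib
from typing import Dict, List, Optional

INIT_CRC_LENGTH = 256  # Splunk's default initCrcLength

# Constructed approximation of the fixed header that every
# DhcpSrvLog-<Day>.log starts with; like the real one it exceeds 256 bytes.
DHCP_HEADER = (
    "\t\tMicrosoft DHCP Service Activity Log\r\n\r\n"
    "Event ID  Meaning\r\n"
    "00\tThe log was started.\r\n"
    "01\tThe log was stopped.\r\n"
    "02\tThe log was temporarily paused due to low disk space.\r\n"
    "10\tA new IP address was leased to a client.\r\n"
    "11\tA lease was renewed by a client.\r\n"
    "12\tA lease was released by a client.\r\n"
    "13\tAn IP address was found to be in use on the network.\r\n"
    "14\tA lease request could not be satisfied because the scope's "
    "address pool was exhausted.\r\n"
    "15\tA lease was denied.\r\n\r\n"
    "ID,Date,Time,Description,IP Address,Host Name,MAC Address\r\n"
)
assert len(DHCP_HEADER.encode("ascii")) > INIT_CRC_LENGTH


def initial_crc(path: str, crc_salt: Optional[str] = None,
                init_crc_length: int = INIT_CRC_LENGTH) -> int:
    """Fingerprint a file the way the monitor input does: CRC over the first
    init_crc_length bytes.  crc_salt="<SOURCE>" appends the file's own path,
    any other string is appended literally, None appends nothing."""
    with open(path, "rb") as f:
        head = f.read(init_crc_length)
    salt = path if crc_salt == "<SOURCE>" else (crc_salt or "")
    return zlib.crc32(head + salt.encode("utf-8")) & 0xFFFFFFFF


def looks_like_utf16(path: str) -> bool:
    """Cheap 'is this file UTF-16?' check: a UTF-16 BOM, or a large share of
    NUL bytes in the head (ASCII text stored as UTF-16 is about half NULs)."""
    with open(path, "rb") as f:
        head = f.read(INIT_CRC_LENGTH)
    if head[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return True
    return len(head) >= 4 and head.count(b"\x00") * 4 >= len(head)


def write_dhcp_log(directory: str, day: str, events: List[str],
                   utf16: bool = False) -> str:
    """Write a constructed DhcpSrvLog-<Day>.log: fixed header, then events."""
    path = os.path.join(directory, "DhcpSrvLog-%s.log" % day)
    text = DHCP_HEADER + "".join(e + "\r\n" for e in events)
    with open(path, "wb") as f:
        f.write(text.encode("utf-16" if utf16 else "ascii"))
    return path


def demo() -> Dict[str, bool]:
    """Reproduce the thread's situation on constructed day files."""
    mon_event = "10,07/12/10,08:01:02,Assign,10.0.0.10,host-a.example,001122334455"
    sat_event = "11,07/17/10,09:30:00,Renew,10.0.0.11,host-b.example,00AABBCCDDEE"
    with tempfile.TemporaryDirectory() as d:
        mon = write_dhcp_log(d, "Mon", [mon_event])
        sat = write_dhcp_log(d, "Sat", [sat_event])
        wed = write_dhcp_log(d, "Wed", [mon_event], utf16=True)
        result = {
            # Different files, identical header: fingerprints collide, so the
            # forwarder would treat the second file as one it has already read.
            "unsalted_collide": initial_crc(mon) == initial_crc(sat),
            # A fixed literal salt is the same for every file and changes nothing.
            "literal_salt_collide":
                initial_crc(mon, "dhcp") == initial_crc(sat, "dhcp"),
            # crcSalt = <SOURCE>: the path is part of the CRC, so they differ.
            "source_salt_collide":
                initial_crc(mon, "<SOURCE>") == initial_crc(sat, "<SOURCE>"),
            "utf16_file_detected": looks_like_utf16(wed),
            "ascii_file_detected": looks_like_utf16(mon),
        }
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-22s %s" % (key, value))
```

Running the script prints five booleans: the two unsalted and literal-salt comparisons collide, the <SOURCE>-salted one does not, and only the file written as UTF-16 is flagged. The same looks_like_utf16 check run against the real DhcpSrvLog-*.log files answers the encoding question raised above; a BOM of FF FE at offset 0 is the usual sign on Windows.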