Solved: Monitor dhcp log with a app from a deployment serv...

fisk12 · ‎10-04-2015

What is the bare minumum files on a deployment-app?
In this case i want to monitor the dhcp log files on a windows server (i control the client with a deployment-server)

Right now i only have one file in /opt/splunk/etc/deployment-apps/DHCP/local/inputs.conf

[monitor://$WINDIR\System32\DHCP]
disabled = 1
whitelist = DhcpSrvLog*
crcSalt = <SOURCE>
sourcetype = DhcpSrvLog

host = 192.168.1.1:9997

muebel · ‎10-04-2015

You can totally have an app with just a single config file. Assign it to the serverclass, reload the class, and all servers in that class will pull it down and restart or not depending on how you've configured that class.

View solution in original post

muebel · ‎10-04-2015

You can totally have an app with just a single config file. Assign it to the serverclass, reload the class, and all servers in that class will pull it down and restart or not depending on how you've configured that class.

fisk12 · ‎10-04-2015

Ok!
Do you think my config is looking alright btw?

muebel · ‎10-04-2015

The file path looks a bit off. I'd check the windows app for reference : https://splunkbase.splunk.com/app/742/

[monitor://$WINDIR\System32\DHCP]
 disabled = 1
 whitelist = DhcpSrvLog*
 crcSalt = <SOURCE>
 sourcetype = DhcpSrvLog

You'll want to set disable = 0 of course to actually enable the input when you are ready.

fisk12 · ‎10-04-2015

Yeah, this is from the windows app:

DHCP

[monitor://$WINDIR\System32\DHCP]
disabled = 1
whitelist = DhcpSrvLog*
crcSalt =
sourcetype = DhcpSrvLog
index = windows

Monitor dhcp log with a app from a deployment server

DHCP

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud