
Missing DHCP tags and fields

tkelley10
New Member

We have installed and configured the Splunk App for Windows Infrastructure (v1.4.2) which includes inputs.conf and props.conf for Windows DHCP log files.

inputs.conf stanza

[monitor://$WINDIR\System32\DHCP]
disabled = 0
whitelist = DhcpSrvLog*
crcSalt = <SOURCE>
sourcetype = DhcpSrvLog
index = windows

props.conf stanza

[source::....DhcpSrvLog]
sourcetype = DhcpSrvLog  

[source::...\\(DhcpSrvLog-)...]
sourcetype = DhcpSrvLog

[DhcpSrvLog]
SHOULD_LINEMERGE = false
TRANSFORMS-0dhcp_discard_headers = dhcp_discard_headers
REPORT-0auto_kv_for_microsoft_dhcp = auto_kv_for_microsoft_dhcp
REPORT-dest_for_microsoft_dhcp = dest_nt_host_as_dest,dest_mac_as_dest,dest_ip_as_dest

LOOKUP-signature_for_microsoft_dhcp = msdhcp_signature_lookup msdhcp_id OUTPUTNEW signature
LOOKUP-vendor_info_for_microsoft_dhcp = windows_vendor_info_lookup sourcetype OUTPUT vendor,product

We have also installed the Splunk Common Information Model (v4.9.1). From the Splunk documentation: "The Splunk Add-on for Windows provides Common Information Model information, the index-time and search-time knowledge for Windows events, metadata, user and group information, collaboration data, and tasks in the following formats."

http://docs.splunk.com/Documentation/WindowsAddOn/4.8.4/User/SourcetypesandCIMdatamodelinfo

I am expecting DHCP data to be tagged with tag=dhcp and a field named signature extracted. We are getting DHCP events, but no tagging and no field extraction. Currently running Splunk Enterprise v7.0.

What are we missing?


hardikJsheth
Motivator

You are indexing your data in index=windows instead of the default index.

You need to update the eventtypes stanza. Can you add the following configuration in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/eventtypes.conf

[DhcpSrvLog]
search = index=windows sourcetype=DhcpSrvLog
#tags = dhcp network session windows

For the signature field, do you have the msdhcp_id field in your msdhcp_signature_lookup file?

In case you are checking this in a clustered environment, you need to ensure that the props.conf configurations are present on the search head.

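The complete search-time wiring that the answer above points at, written out as an added example (this is not configuration shipped by the Splunk Add-on for Windows and not from the original post): the eventtype pinned to index=windows, the tags.conf stanza that actually attaches the tags listed on the commented-out line (tags are defined in tags.conf, not eventtypes.conf), and the transforms.conf lookup definition that the LOOKUP-signature_for_microsoft_dhcp line in the question's props.conf references. The lookup name msdhcp_signature_lookup and the field names msdhcp_id and signature are taken from that props.conf stanza; the CSV filename msdhcp_signature.csv is an assumption.

```ini
# $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/eventtypes.conf
# Eventtype restricted to the index the data actually lives in
# (the question indexes DHCP logs into index=windows, not the default index).
[DhcpSrvLog]
search = index=windows sourcetype=DhcpSrvLog

# $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/tags.conf
# Tags are keyed on the eventtype above. tag=dhcp (together with
# tag=network tag=session) is what the CIM Network Sessions / DHCP
# dataset searches for; "windows" is the add-on's own grouping tag.
[eventtype=DhcpSrvLog]
dhcp = enabled
network = enabled
session = enabled
windows = enabled

# $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/transforms.conf
# Lookup definition named in props.conf:
#   LOOKUP-signature_for_microsoft_dhcp = msdhcp_signature_lookup msdhcp_id OUTPUTNEW signature
# The CSV header must contain a column literally named msdhcp_id (the
# field the LOOKUP line matches on) and one named signature (the output).
# The filename below is an assumption for this example.
[msdhcp_signature_lookup]
filename = msdhcp_signature.csv
case_sensitive_match = false
```

The CSV belongs in the app's lookups/ directory with a header row of `msdhcp_id,signature`; the msdhcp_id value must be the numeric ID that auto_kv_for_microsoft_dhcp pulls from the first column of each DhcpSrvLog line, or the lookup silently matches nothing. On a search head cluster all three files, plus the props.conf from the question, must be deployed to the search heads, since eventtypes, tags and lookups are search-time knowledge. After a restart (or a debug/refresh), `index=windows sourcetype=DhcpSrvLog | stats count by eventtype tag signature` confirms the eventtype, the tags and the lookup in a single search.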

tkelley10
New Member

Thanks. I very much appreciate the fast response. We are looking at the proposed changes now.

I am curious though, if anyone knows why changes would be needed to the default Windows TA conf files to make this work?
