(This is my first time installing a UF.) They installed a new DHCP (Windows) server last week, and I'm trying to get Splunk installed properly. When I run index=_internal source=*metrics.log* tcpin_connections sourceIp=xxx.xx.xx.xx it's generating events from said IP address, which is the new DHCP server, but I can't get any results in the Search app.
The previous DHCP server was going into the "main" index. There is nothing in inputs.conf referencing remote file monitoring. There is a sourcetype called "DHCP" in Source Types that was manually created by the previous admin. Under the Advanced tab one of the lines is REPORT-DHCPFields, and in Field transformations there is a REPORT-DHCPFields that was created by the previous admin.
I added the stanza below to the inputs.conf file in Splunk Enterprise, but since it wasn't in there before and didn't work, I've commented it out. (Btw, I'm not sure if the word <SOURCE> is supposed to be the name of the server, log file, etc., or the literal word SOURCE.)
[monitor://C:\Windows\System32\dhcp]
crcSalt = <SOURCE>
alwaysOpenFile = 1
disabled = false
whitelist = Dhcp.+.log
index = main
sourcetype = DhcpSrvLog
This is in the inputs.conf on the UF:
[default]
host = NewServerName
###### DHCP ######
[monitor://c:\windows\system32\dhcp]
disabled = false
whitelist = Dhcp.+.log
crcSalt = <SOURCE>
sourcetype = dhcp
alwaysOpenFile = 1
This is in the outputs.conf on the UF:
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = server:port
[tcpout-server://server:port]
sslCertPath = C:\Program Files\SplunkUniversalForwarder\etc\certs\forwarder.pem
sslPassword = password
sslRootCAPath = C:\Program Files\SplunkUniversalForwarder\etc\certs\cacert.pem
(Not sure if this is supposed to be a Windows path to point to the local box or a Linux path to point to the server.)
Immediate need: I need to get the new DHCP server logs into Splunk ASAP, but I can't see anything to change to point to the new server in the GUI. Any ideas? (I'm not sure what logs to look at on the server.)
Long term need: Is this set up according to best practice? Should we be ingesting DHCP logs differently?
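As an added example (not part of the original post, and not Splunk's or Microsoft's code), here is a small Python parser for the Windows DHCP server audit log that the monitor stanzas above pick up from C:\Windows\System32\dhcp. It shows what the REPORT-DHCPFields transform has to extract, skips the legend the DHCP service writes at the top of every file (which becomes junk events if shipped raw), and runs two sanity checks a practitioner would want on the result. Assumptions: the field names are taken from the file's own "ID,Date,Time,..." header line rather than hard-coded, and the log content below is constructed for the example, with the preamble and header written in the layout the DHCP service uses.

```python
import csv
import re
from collections import defaultdict

# Constructed sample of a Windows DHCP server audit log such as
# C:\Windows\System32\dhcp\DhcpSrvLog-Mon.log. The preamble and the
# "ID,Date,Time,..." header follow the layout the DHCP service writes
# (an assumption about the server version); the data rows are invented.
SAMPLE_LOG = (
    "\t\tMicrosoft DHCP Service Activity Log\n"
    "\n"
    "Event ID  Meaning\n"
    "00\tThe log was started.\n"
    "01\tThe log was stopped.\n"
    "10\tA new IP address was leased to a client.\n"
    "13\tAn IP address was found to be in use on the network.\n"
    "15\tA lease was denied.\n"
    "24\tIP address cleanup operation has begun.\n"
    "\n"
    "ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,"
    " TransactionID, QResult,Probationtime, CorrelationID,Dhcid,"
    "VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),"
    "RelayAgentInformation,DnsRegError.\n"
    "24,03/14/22,00:00:52,Database Cleanup Begin,,,,,0,6,,,,,,,,,0\n"
    "10,03/14/22,08:19:11,Assign,192.0.2.42,ws01.example.test,001122334455,,0,6,,,,,,,,,0\n"
    "10,03/14/22,08:19:14,Assign,192.0.2.43,ws02.example.test,001122334456,,0,6,,,,,,,,,0\n"
    "15,03/14/22,08:20:02,NACK,192.0.2.42,,001122334457,,0,6,,,,,,,,,0\n"
    "13,03/14/22,08:21:30,Conflict,192.0.2.42,,,,0,6,,,,,,,,,0\n"
    "10,03/14/22,08:25:00,Assign,192.0.2.42,rogue.example.test,001122334457,,0,6,,,,,,,,,0\n"
)

HEADER_PREFIX = "ID,Date,Time"


def normalize_field_name(raw):
    """Turn 'IP Address' into 'ip_address' and 'DnsRegError.' into 'dnsregerror'."""
    name = raw.strip().rstrip(".").lower()
    return re.sub(r"[^a-z0-9]+", "_", name).strip("_")


def normalize_mac(mac):
    """The DHCP log writes MACs as 12 bare hex digits; return colon-separated lowercase."""
    m = mac.strip().lower()
    if re.fullmatch(r"[0-9a-f]{12}", m):
        return ":".join(m[i:i + 2] for i in range(0, 12, 2))
    return m


def parse_dhcp_log(text):
    """Return one dict per data row, dropping the legend before the header line.

    Everything above the 'ID,Date,Time' line is the event-ID legend the
    service writes at the top of each daily file; forwarded raw it turns into
    meaningless events, so it is skipped here (Splunk-side, the same job is
    done by routing those lines to nullQueue).
    """
    lines = text.splitlines()
    header_idx = next(
        (i for i, line in enumerate(lines) if line.startswith(HEADER_PREFIX)), None
    )
    if header_idx is None:
        raise ValueError("no DHCP header line found")
    fields = [normalize_field_name(f) for f in lines[header_idx].split(",")]
    events = []
    for row in csv.reader(lines[header_idx + 1:]):
        if not row or not row[0].strip():
            continue  # blank line
        row = (row + [""] * len(fields))[: len(fields)]  # pad/truncate to header width
        event = dict(zip(fields, (v.strip() for v in row)))
        event["mac_address"] = normalize_mac(event.get("mac_address", ""))
        events.append(event)
    return events


def find_conflicts(events):
    """Event ID 13: the server found the address already in use on the wire."""
    return [e for e in events if e["id"] == "13"]


def ips_with_multiple_macs(events):
    """Addresses leased (event ID 10) to more than one MAC within the same file."""
    leases = defaultdict(set)
    for e in events:
        if e["id"] == "10" and e["mac_address"]:
            leases[e["ip_address"]].add(e["mac_address"])
    return {ip: macs for ip, macs in leases.items() if len(macs) > 1}


if __name__ == "__main__":
    evts = parse_dhcp_log(SAMPLE_LOG)
    print(f"{len(evts)} events parsed, {len(find_conflicts(evts))} conflict(s)")
    for ip, macs in ips_with_multiple_macs(evts).items():
        print(f"{ip} leased to {sorted(macs)}")
```

Two points this makes about the stanza itself: the DHCP service keeps one file per weekday (DhcpSrvLog-Mon.log through DhcpSrvLog-Sun.log) and overwrites each one a week later, which is why the monitor stanza carries crcSalt = <SOURCE>, so the forwarder keys its read position on the file name rather than on the first bytes of a file whose header is identical every week; and the legend lines at the top of each file are the reason a sourcetype for these logs needs either a nullQueue transform or a line-breaking rule that ignores them.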