I installed the Microsoft Windows DHCP add-on for Splunk on my search heads and am successfully indexing DHCP events, but the data doesn't seem to be CIM compliant according to the CIM Validator app.
Here are my configs.
inputs.conf (on the forwarder):
[monitor://C:\dhcplogs]
sourcetype = dhcp
crcSalt = <SOURCE>
alwaysOpenFile = 1
disabled = false
whitelist = DhcpSrvLog*
index=dhcp
eventtypes.conf (on the search head):
[dhcp]
search = index=dhcp sourcetype=dhcp
[dhcp_start]
search = index=dhcp sourcetype=dhcp (id=10 OR id=11 OR id=13)
[dhcp_stop]
search = index=dhcp sourcetype=dhcp (id=12 OR id=16 OR id=17)
props.conf (on the search head):
[dhcp]
TRANSFORMS-dhcp_strip_headers = dhcp_strip_headers
REPORT-dhcplog = REPORT-dhcplog
LOOKUP-dhcp_id = dhcp_id id OUTPUTNEW level signature action
LOOKUP-quarantine = quarantine_result qresult OUTPUTNEW quarantine_info
FIELDALIAS-dhcp_cim = ip AS dest_ip, mac AS raw_mac, nt_host AS dest_nt_host
EVAL-dest_mac = lower(case(match(raw_mac, "^\w{12}$"), rtrim(replace(raw_mac, "(\w{2})", "\1:"), ":"), 1==1, replace(raw_mac, "-|\.|\s", ":")))
EVAL-dest = coalesce(nt_host, ip, lower(case(match(raw_mac, "^\w{12}$"), rtrim(replace(raw_mac, "^(\w{2})", "\1:"), ":"), 1==1, replace(raw_mac, "-|\.|\s", ":"))))
tags.conf (on the search head):
[eventtype=dhcp]
dhcp = enabled
network = enabled
session = enabled
windows = enabled
[eventtype=dhcp_start]
start = enabled
[eventtype=dhcp_stop]
stop = enabled
transforms.conf (on the search head):
[dhcp_id]
batch_index_query = 0
case_sensitive_match = 0
filename = dhcp_ids.csv
max_matches = 1
[dhcp_strip_headers]
REGEX = ^(?:ID|#)
DEST_KEY = queue
FORMAT = nullQueue
[REPORT-dhcplog]
DELIMS = ","
FIELDS = "id","date","time","description","ip","nt_host","mac","user","transaction_id","qresult","probation_time","correlation_id","dhcid","vendorclass_hex","vendor_ascii","userclass_hex","userclass_ascii","relay_agent","dns_reg_error"
[quarantine_result]
batch_index_query = 0
case_sensitive_match = 1
filename = dhcp_quarantine.csv
max_matches = 1
Thanks for any input.