We have installed and configured the Splunk App for Windows Infrastructure (v1.4.2) which includes inputs.conf and props.conf for Windows DHCP log files.
inputs.conf stanza
[monitor://$WINDIR\System32\DHCP]
disabled = 0
whitelist = DhcpSrvLog*
crcSalt = <SOURCE>
sourcetype = DhcpSrvLog
index = windows
props.conf stanza
[source::....DhcpSrvLog]
sourcetype = DhcpSrvLog
[source::...\\(DhcpSrvLog-)...]
sourcetype = DhcpSrvLog
[DhcpSrvLog]
SHOULD_LINEMERGE = false
TRANSFORMS-0dhcp_discard_headers = dhcp_discard_headers
REPORT-0auto_kv_for_microsoft_dhcp = auto_kv_for_microsoft_dhcp
REPORT-dest_for_microsoft_dhcp = dest_nt_host_as_dest,dest_mac_as_dest,dest_ip_as_dest
LOOKUP-signature_for_microsoft_dhcp = msdhcp_signature_lookup msdhcp_id OUTPUTNEW signature
LOOKUP-vendor_info_for_microsoft_dhcp = windows_vendor_info_lookup sourcetype OUTPUT vendor,product
We have also installed the Splunk Common Information Model (v4.9.1). From the Splunk documentation: "The Splunk Add-on for Windows provides Common Information Model information, the index-time and search-time knowledge for Windows events, metadata, user and group information, collaboration data, and tasks in the following formats."
http://docs.splunk.com/Documentation/WindowsAddOn/4.8.4/User/SourcetypesandCIMdatamodelinfo
I am expecting DHCP data to be tagged with tag=dhcp and a field named signature extracted. We are getting DHCP events, but no tagging and no field extraction. Currently running Splunk Enterprise v7.0.
What are we missing?
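To check what the props.conf pipeline above is supposed to produce (drop the log's header lines, split each event into the dest_* fields, and map the Microsoft event ID to a signature), here is an added Python example that is not part of the Splunk app or this question. The sample log is constructed with a subset of the real DhcpSrvLog columns, the SIGNATURES table is a constructed stand-in for the msdhcp_signature_lookup file, and the host-then-MAC-then-IP precedence for dest is an assumption.

```python
import csv
import re

# Constructed sample of a Windows DHCP server audit log (DhcpSrvLog-*.log):
# free-text header lines, a column-header line, then comma-separated events.
SAMPLE_LOG = """\t\tMicrosoft DHCP Service Activity Log

Event ID  Meaning
00\tThe log was started.
10\tA new IP address was leased to a client.
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name
00,03/15/18,08:00:00,Started,,,,
10,03/15/18,08:01:12,Assign,10.0.0.25,ws01.corp.example,00155D0A0B0C,
11,03/15/18,08:02:30,Renew,10.0.0.26,,00155D0A0B0D,
15,03/15/18,08:03:05,NACK,10.0.0.27,,,
"""

# Constructed stand-in for the msdhcp_signature_lookup CSV: event ID -> signature.
SIGNATURES = {
    "00": "The log was started",
    "10": "A new IP address was leased to a client",
    "11": "A lease was renewed by a client",
    "12": "A lease was released by a client",
    "15": "A lease was denied",
    "17": "A lease was expired",
}

# Only lines that begin with a two-digit event ID and a comma are events;
# everything else is header text that dhcp_discard_headers is meant to drop.
EVENT_LINE = re.compile(r"^\d{2},")
COLUMNS = ["msdhcp_id", "date", "time", "description",
           "dest_ip", "dest_nt_host", "dest_mac", "user"]


def parse_dhcp_log(text):
    """Return one dict per DHCP event: headers discarded, fields named as in
    the TA's auto_kv extraction, signature looked up by msdhcp_id."""
    events = []
    for line in text.splitlines():
        if not EVENT_LINE.match(line):
            continue  # header, column-name or blank line
        row = dict(zip(COLUMNS, next(csv.reader([line]))))
        # Assumed precedence for dest: host name, then MAC, then IP address.
        row["dest"] = row["dest_nt_host"] or row["dest_mac"] or row["dest_ip"]
        row["signature"] = SIGNATURES.get(row["msdhcp_id"], "Unknown event ID")
        events.append(row)
    return events


def missing_signatures(events):
    """Event IDs in the log that the lookup does not cover (stale lookup file)."""
    return sorted({e["msdhcp_id"] for e in events if e["signature"] == "Unknown event ID"})
```

Running parse_dhcp_log over a real DhcpSrvLog file and comparing its output with what a search over sourcetype=DhcpSrvLog returns shows whether the gap is in header discarding, field extraction or the lookup.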