Synopsis
I need to monitor all DHCP and DNS logs on a server. In the DHCP directory I want to view both DhcpSrvLog-DAY.log and DhcpV6SrvLog-DAY.log files as they rotate weekly. In the DNS directory I am fine with reading all the files because it will show me debugging information as well as DDNS entries for each zone.
What I've done
I have created the below entries in the inputs.conf file on the server with the Splunk universal forwarder.
[default]
host = DaHost
[script://$SPLUNK_HOME\bin\scripts\splunk-admon.path]
disabled = 0
[monitor://C:\Windows\System32\dhcp]
disabled = 0
followTail = 0
index = dhcp
sourcetype = ms_dhcpd
_whitelist = Dhcp*.log
crcSalt = <SOURCE>
[monitor://C:\Windows\System32\dns]
disabled = 0
followTail = 0
index = win_dns
sourcetype = win_dns
_whitelist = *dns*
crcSalt = <SOURCE>
What worked
Currently the forwarder is reading my DNS logs and the default assigned logs (configured during installation of the forwarder).
What is broken
There are no DHCP logs currently coming in. This was not always the case. This configuration file worked up until Thursday of last week.
Guesses
I am guessing that the regex line is not working for the DHCP files, but I am not sure what to change to make it more accurate.
Example file names
Below are the contents of the directories I am reading in the custom monitor.
C:\Windows\System32\dhcp>dir /B
backup
dhcp.mdb
dhcp.pat
DhcpSrvLog-Fri.log
DhcpSrvLog-Mon.log
DhcpSrvLog-Sat.log
DhcpSrvLog-Sun.log
DhcpSrvLog-Thu.log
DhcpSrvLog-Tue.log
DhcpSrvLog-Wed.log
DhcpV6SrvLog-Fri.log
DhcpV6SrvLog-Mon.log
DhcpV6SrvLog-Sat.log
DhcpV6SrvLog-Sun.log
DhcpV6SrvLog-Thu.log
DhcpV6SrvLog-Tue.log
DhcpV6SrvLog-Wed.log
j50.chk
j50.log
j5003B61.log
j5003B62.log
j50res00001.jrs
j50res00002.jrs
j50tmp.log
tmp.edb
C:\Windows\System32\dns>dir /B
backup
cache.dns
dns.txt
perf.qalab.local.dns
qalab.local.dns
samples
sustain.local.dns
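As an added illustration (not part of the original question): a Splunk [monitor://] whitelist is a regular expression tested against the full path of each file, not a filename glob. The Python below uses the re module as a stand-in for Splunk's matcher, runs the question's pattern and a regex version of what the glob meant over the dhcp directory listing shown above (reconstructed from the question), and checks whether *dns* even compiles as a regex; the INTENDED pattern is a suggestion, not anything from the post.

```python
import re

# Directory listing reconstructed from the question (constructed data).
DHCP_DIR = r"C:\Windows\System32\dhcp"
DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")
DHCP_FILES = [
    "backup", "dhcp.mdb", "dhcp.pat",
    *[f"DhcpSrvLog-{d}.log" for d in DAYS],
    *[f"DhcpV6SrvLog-{d}.log" for d in DAYS],
    "j50.chk", "j50.log", "j5003B61.log", "j5003B62.log",
    "j50res00001.jrs", "j50res00002.jrs", "j50tmp.log", "tmp.edb",
]

# The whitelist from the question, read as a regex: "Dhc", zero or more "p",
# any one character, then the literal "log". It was written as a glob.
AS_WRITTEN = r"Dhcp*.log"

# Suggested regex for what the glob meant: the IPv4 and IPv6 DHCP audit logs
# for any weekday, anchored at the end so ESE files (j50*.log) stay excluded.
INTENDED = r"\\Dhcp(V6)?SrvLog-[A-Za-z]{3}\.log$"


def whitelist_matches(pattern: str, directory: str, names) -> list:
    """Names whose full path matches `pattern` as an unanchored regex search,
    which is how a [monitor://] whitelist is evaluated."""
    rx = re.compile(pattern)
    return [n for n in names if rx.search(directory + "\\" + n)]


def is_valid_regex(pattern: str) -> bool:
    """True if `pattern` compiles as a regex. A glob such as *dns* does not,
    because a leading '*' has nothing to repeat."""
    try:
        re.compile(pattern)
    except re.error:
        return False
    return True


if __name__ == "__main__":
    print("as written :", whitelist_matches(AS_WRITTEN, DHCP_DIR, DHCP_FILES))
    print("intended   :", whitelist_matches(INTENDED, DHCP_DIR, DHCP_FILES))
    print("*dns* valid:", is_valid_regex("*dns*"))
```

The as-written pattern selects nothing from the listing, while the anchored regex selects exactly the 14 DhcpSrvLog/DhcpV6SrvLog files; whether the forwarder silently ignores an unparseable whitelist is not something this snippet can show.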