Configure inputs for the Splunk Add-on for ISC DHCP
There are two ways to capture the syslog data from ISC DHCP.
1. Create a file monitor input to monitor the access log file, dhcpd.log, generated by the ISC DHCP server or to monitor the files generated by a syslog aggregator.
2. Create a TCP or UDP input to capture the data sent on the port you have configured in ISC DHCP.
Monitor input
To configure the Splunk platform to monitor the access log file (dhcpd.log) generated by the ISC DHCP server, you can use either Splunk Web to create the monitor input or configure inputs.conf directly. If you use a syslog aggregator, you can create a file monitor input to monitor the files generated by the aggregator instead.
Configure Monitoring through Splunk Web
Configure a file monitoring input on your data collection node for the ISC DHCP server dhcpd.log file.
- Log in to Splunk Web.
- Select Settings > Data inputs > Files & directories.
- Click New.
- Click Browse next to the File or Directory field.
- Navigate to the dhcpd.log file generated by the ISC DHCP server and click Next.
  The default location of dhcpd.log is var/log/dhcpd.log.
- On the Input Settings page, next to Source type, click Select. In the Select Source Type dropdown, select Network & Security, then isc:dhcp or type isc:dhcp in the search field.
- Click Review.
- After you review the information, click Submit.
Configure inputs.conf
You can create an inputs.conf file and configure the monitor input in this file instead of using Splunk Web.
- Using a text editor, create a file named inputs.conf in the $SPLUNK_HOME/etc/apps/Splunk_TA_isc-dhcp/local folder.
- Add the following stanza and lines, replacing <path> with the actual path to dhcpd.log, and save the file.
  Note: The default location of dhcpd.log is var/log/dhcpd.log.

  [monitor://<path>]
  sourcetype=isc:dhcp
  disabled = 0

- Restart the Splunk platform in order for the new input to take effect.
TCP/UDP input
In the Splunk platform node handling data collection, configure the TCP/UDP input to match your configurations in ISC DHCP and set your source type to isc:dhcp. The CIM mapping and dashboard panels are dependent on this source type.
For information on how to configure a Splunk forwarder or single-instance to receive a syslog input, see Get data from TCP and UDP ports in the Getting Data In manual.
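A network input stanza for this add-on could look like the following. This is an added example, not taken from the Splunk documentation; port 514 and the sender address 192.0.2.10 are placeholder assumptions to replace with the values configured in ISC DHCP. It restricts the listener to the expected sender with acceptFrom so that other hosts cannot write events into the isc:dhcp source type.

```ini
# $SPLUNK_HOME/etc/apps/Splunk_TA_isc-dhcp/local/inputs.conf
# Constructed example: port 514 and 192.0.2.10 are placeholders.

[udp://514]
# Required by the add-on's CIM mapping and dashboard panels
sourcetype = isc:dhcp
# Record the sender's IP address in the host field
connection_host = ip
# Accept data only from the DHCP server or syslog aggregator
acceptFrom = 192.0.2.10
disabled = 0

# TCP alternative, if the syslog daemon on the DHCP server forwards over TCP
[tcp://514]
sourcetype = isc:dhcp
connection_host = ip
acceptFrom = 192.0.2.10
disabled = 0
```

acceptFrom filters on source address only, and UDP source addresses can be spoofed, so keep the listener on a network segment where only the DHCP server or aggregator can reach it.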
Validate data collection
After you configure monitoring, run this search to check that you are ingesting the data that you expect.
sourcetype=isc:dhcp
This documentation applies to the following versions of Splunk® Supported Add-ons: released