Configure ISC DHCP to send syslog data
The log format for ISC DHCP is not configurable. The dhcpd daemon logs to the daemon syslog facility by default, but can be configured to use any of the available facilities.
For example, to configure the daemon to log to the local0 facility, you can add the following directive to your dhcpd.conf file:
log-facility local0;
If you plan to monitor the access log file (dhcpd.log), you need to install a Splunk forwarder directly on the ISC DHCP server.
If you plan to capture syslog data over the network through a TCP or UDP port, the Splunk forwarder does not need to be installed directly on the ISC DHCP server. Configure the host and port in ISC DHCP.
To direct DHCP logs to a remote Splunk server:
1. Edit the dhcpd configuration file (dhcpd.conf) and add the following statement:
log-facility local7;
2. Edit the rsyslog configuration file (rsyslog.conf) and add the following statement:
local7.* @@<remote-host>:<port>
In rsyslog, the @@ prefix forwards over TCP; a single @ forwards over UDP.
See the ISC DHCP documentation for more information: https://kb.isc.org/docs/isc-dhcp-44-manual-pages-dhcpdconf
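The following check is an added example, not part of the Splunk or ISC documentation: it reads a dhcpd.conf and an rsyslog.conf and reports whether the facility dhcpd logs to has a forwarding rule, and over which transport. The function names and the sample host splunk.example.com are assumptions, and only simple one-selector rsyslog rules are handled.

```shell
#!/bin/sh
# Added example: confirm that the syslog facility dhcpd logs to is one
# that rsyslog actually forwards. Handles simple "selector action" rules only.

# Facility from the last uncommented log-facility statement in dhcpd.conf.
dhcpd_facility() {
    sed -e 's/#.*//' "$1" |
        sed -n 's/^[[:space:]]*log-facility[[:space:]]\{1,\}\([a-z0-9]\{1,\}\)[[:space:]]*;.*/\1/p' |
        tail -n 1
}

# First forwarding rule for facility $2 in rsyslog.conf $1, printed as
# "tcp host:port" (@@ prefix) or "udp host:port" (single @ prefix).
# A "*.*" style selector also counts, since it covers every facility.
rsyslog_forward() {
    sed -e 's/#.*//' "$1" | awk -v fac="$2" '
        $1 ~ ("^(" fac "|\\*)\\.") && $2 ~ /^@/ {
            proto = ($2 ~ /^@@/) ? "tcp" : "udp"
            target = $2
            sub(/^@+/, "", target)
            print proto, target
            exit
        }'
}

# Usage: check_dhcp_forwarding <dhcpd.conf> <rsyslog.conf>
check_dhcp_forwarding() {
    fac=$(dhcpd_facility "$1")
    [ -n "$fac" ] || fac=daemon   # dhcpd default when no log-facility is set
    fwd=$(rsyslog_forward "$2" "$fac")
    if [ -z "$fwd" ]; then
        echo "MISMATCH facility=$fac forward=none"
        return 1
    fi
    echo "OK facility=$fac forward=$fwd"
}

# Constructed sample input: dhcpd set to local0, rsyslog forwarding local7.
demo_dir=$(mktemp -d)
printf 'log-facility local0;\n' > "$demo_dir/dhcpd.conf"
printf 'local7.* @@splunk.example.com:514\n' > "$demo_dir/rsyslog.conf"
check_dhcp_forwarding "$demo_dir/dhcpd.conf" "$demo_dir/rsyslog.conf" || true
rm -rf "$demo_dir"
```

The constructed sample mixes the two facilities used on this page (local0 and local7), so the check reports a mismatch: DHCP events would be logged locally but never reach the remote host.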
Next, configure your data collection node to receive data from ISC DHCP as described in Configure inputs for the Splunk Add-on for ISC DHCP.
This documentation applies to the following versions of Splunk® Supported Add-ons: released