Splunk® Supported Add-ons

Splunk Add-on for ISC DHCP

Configure ISC DHCP to send syslog data

The log format for ISC DHCP is not configurable. The dhcpd daemon logs to the daemon syslog facility by default, but can be configured to use any of the available facilities.

For example, to configure the daemon to log to the local0 facility, you can add the following directive to your dhcpd.conf file:

log-facility local0;

If you plan to monitor the access log file (dhcpd.log), you need to install a Splunk forwarder directly on the ISC DHCP server.

If you plan to capture syslog data over the network through a TCP or UDP port, the Splunk forwarder does not need to be installed directly on the ISC DHCP server. Configure the host and port in ISC DHCP.

To direct DHCP logs to a remote Splunk server:

1. Edit the dhcpd configuration file (dhcpd.conf) and add the following statement:

log-facility local7;

2. Edit the rsyslog configuration file (rsyslog.conf) and add the following statement:

local7.* @@<remote-host>:<port>

See the ISC DHCP documentation for more information: https://kb.isc.org/docs/isc-dhcp-44-manual-pages-dhcpdconf
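The two steps above only work together if the facility set in dhcpd.conf is the one rsyslog forwards. The following check is an added example, not part of the Splunk documentation or the add-on. Its function names are hypothetical, and it assumes legacy rsyslog selector syntax, where `@@` forwards over TCP and a single `@` forwards over UDP.

```shell
#!/bin/sh
# Added example: confirm the facility set in dhcpd.conf has a matching
# remote-forwarding rule in rsyslog.conf, and report the transport in use.
# Assumption: only "<facility>.*" and "*.*" selectors in legacy syntax are checked.

# Print the facility from the last active "log-facility" statement.
# Falls back to "daemon", the dhcpd default, when none is present.
dhcpd_facility() {
    fac=$(sed -e 's/#.*//' "$1" |
        sed -n 's/^[[:space:]]*log-facility[[:space:]]\{1,\}\([A-Za-z0-9]\{1,\}\)[[:space:]]*;.*/\1/p' |
        tail -n 1)
    echo "${fac:-daemon}"
}

# Print "tcp host:port" or "udp host:port" for the first rule that forwards
# the facility in $1; return 1 if rsyslog.conf ($2) has no such rule.
rsyslog_forward() {
    sed -e 's/#.*//' "$2" | awk -v fac="$1" '
        $1 == (fac ".*") || $1 == "*.*" {
            if ($2 ~ /^@@/) { print "tcp", substr($2, 3); found = 1; exit }
            if ($2 ~ /^@/)  { print "udp", substr($2, 2); found = 1; exit }
        }
        END { exit !found }'
}

# Compare both files and print a one-line verdict; return 1 on a mismatch.
check_dhcp_forwarding() {
    fac=$(dhcpd_facility "$1")
    if dest=$(rsyslog_forward "$fac" "$2"); then
        echo "OK: $fac -> $dest"
    else
        echo "MISSING: no remote forwarding rule for facility $fac"
        return 1
    fi
}

# Usage: sh check.sh /path/to/dhcpd.conf /path/to/rsyslog.conf
if [ "$#" -eq 2 ]; then
    check_dhcp_forwarding "$1" "$2"
fi
```

A `udp` result means delivery to the Splunk input is not acknowledged, so lease events can be dropped without any error on the DHCP server.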

Next, configure your data collection node to receive data from ISC DHCP as described in Configure inputs for the Splunk Add-on for ISC DHCP.

Last modified on 21 July, 2021

This documentation applies to the following versions of Splunk® Supported Add-ons: released

