Wednesday 25 October 2017

ArcSight Connector: Standard DHCP Connector Deployment

An out-of-the-box Windows DHCP Connector deployment does not capture the deviceAddress of the server from which the logs are being read. We can fix this with a couple of tweaks:

1) Ensure the DHCP server's IP address exists in the folder structure. When configuring and sharing the DHCP logs, set up the file share as follows:

\WindowsServer\deviceIP\anotherfolder\

The folder structure doesn't matter too much as long as the deviceIP is present as one of the path components. An example would be:

\\windowshostname\1.1.1.1\logs\

2) In agent.properties, ensure the following is set:

agents[0].extractfieldnames=deviceAddress
agents[0].extractregex=\\S+/(\\d+\\.\\d+\\.\\d+\\.\\d+)\\S+
agents[0].extractsource=File Path
agents[0].usefieldextractor=true
agents[0].usenonlockingwindowsfilereader=true

This tells the Connector to extract the deviceAddress from the File Path. The regex captures the deviceIP (in this case 1.1.1.1) from the path and adds it to the event data as the deviceAddress field.
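Before rolling the extractor out, it is worth confirming that the regex actually captures the address from the path format your connector sees. The following is an added example, not part of the original post or of ArcSight itself: it reads the agent.properties lines above (with the regex value kept exactly as written, in Java .properties escaping), unescapes the doubled backslashes, and applies the pattern to a few constructed sample paths. The lookup of the extractor settings, the use of `re.search`, and the sample hostnames and paths are assumptions of this example; the real connector's matching semantics may differ. Note that the regex as written requires a forward slash immediately before the address, so the second sample (a backslash-separated UNC path) does not match; check which separator the File Path field carries in your deployment.

```python
import re

# Constructed copy of the agent.properties lines from the post.
# The regex is kept in Java .properties form, where "\\" denotes one backslash.
AGENT_PROPERTIES = r"""
agents[0].extractfieldnames=deviceAddress
agents[0].extractregex=\\S+/(\\d+\\.\\d+\\.\\d+\\.\\d+)\\S+
agents[0].extractsource=File Path
agents[0].usefieldextractor=true
agents[0].usenonlockingwindowsfilereader=true
"""


def load_properties(text: str) -> dict:
    """Minimal .properties reader: one key=value per line.

    Only the doubled-backslash escape used in the post is handled, so
    "\\S" in the file becomes the regex token "\S".
    """
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().replace("\\\\", "\\")
    return props


def extract_fields(props: dict, file_path: str) -> dict:
    """Apply the extractor settings (hypothetical model of the connector) to one path.

    Returns {field name: captured value} for each capture group,
    or an empty dict when the extractor is off or the regex does not match.
    """
    if props.get("agents[0].usefieldextractor") != "true":
        return {}
    names = props["agents[0].extractfieldnames"].split(",")
    pattern = re.compile(props["agents[0].extractregex"])
    match = pattern.search(file_path)
    if not match:
        return {}
    return dict(zip(names, match.groups()))


PROPS = load_properties(AGENT_PROPERTIES)

# Constructed sample paths: forward-slash form, multi-digit octets,
# and a backslash UNC path that the regex on the page cannot match.
SAMPLE_PATHS = [
    "//windowshostname/1.1.1.1/logs/DhcpSrvLog-Wed.log",
    "//dhcp01/10.20.30.40/logs/DhcpSrvLog-Mon.log",
    r"\\windowshostname\1.1.1.1\logs\DhcpSrvLog-Wed.log",
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(f"{path!r:60} -> {extract_fields(PROPS, path)}")
```

Running the script prints the captured deviceAddress for the two forward-slash paths and an empty result for the backslash path, which is the case to look out for when the extracted field stays empty in the events.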
