
I'm seeing "seekptr checksum" errors for all of Microsoft's DHCP log files. Here's an example:

ERROR TailingProcessor - Ignoring path due to: File will not be read, is too small to match seekptr checksum (file=\dhcpsrv\dhcp$\DhcpSrvLog.Tue). Last time we saw this initcrc, filename was different. You may wish to use a CRC salt on this source. Consult the documentation or contact Splunk Support for more info.

I'm a little unsure of how to use the crcSalt option that's suggested in the Admin Manual. Here's what I have in the inputs.conf file:

[monitor://\\dhcpsrv\dhcp$]
disabled = 0
followTail = 0
host = dhcpsrv
index = default
sourcetype = ms_dhcpd
crcSalt = \\dhcpsrv\dhcp$\DhcpSrvLog.*

Did I correctly define the crcSalt parameter? FYI, Microsoft's DHCP service writes its events to 7 different files, one for each day of the week.

Thanks.

-w

asked 20 Apr '10, 16:37

williamche

edited 21 Apr '10, 16:53

jrodman ♦

3 Answers:

You should use -

crcSalt = <SOURCE>

Don't replace <SOURCE> with anything, type it exactly as I have done here. This setting adds a string to the CRC of the file being monitored. If you set it to a specific source string like you have above, then the same string will be added to every file being monitored by that stanza.

By setting it to <SOURCE>, each file's individual source path will be added to the CRC, ensuring that each one will be different. This setting is case-sensitive, so make sure you use UPPERCASE characters.

Disclaimer - applying this setting to files that have already been indexed will cause them to be re-indexed as the CRC will change. Likewise, if you roll a live file and save the old data in the same directory that you're monitoring, that file will be re-indexed as soon as the filename changes. So if you roll your files to *.log.1, or you gzip them to *.log.gz, make sure you add an _blacklist setting so Splunk will ignore them.

answered 20 Apr '10, 16:51

Mick ♦

edited 17 May '10, 15:46

Thank you. I misread the example and thought that the SOURCE tag is a variable that needs to be replaced by the source file being monitored. Problem solved!

(13 May '10, 14:25) williamche

I think it's a mistake in how I'd entered the crcSalt option. I modified it to the following and now I'm getting all the events:

[monitor://\\dhcpsrv\dhcp$]
disabled = 0
followTail = 0
host = dhcpsrv
index = default
sourcetype = ms_dhcpd
_whitelist = DhcpSrvLog\.(Sun|Mon|Tue|Wed|Thu|Fri|Sat)$
crcSalt = <SOURCE>

I thought the "<SOURCE>" tag used in the examples means I need to replace it with the path to the source files. I also added a _whitelist parameter to monitor only those 7 files.

It's working so far.

answered 20 Apr '10, 16:52

williamche

BTW, the issue is we recognize files by their contents, and these logs all have the same header. This setting essentially tells Splunk "different filenames will have different contents". Or, another way of looking at it: "my files don't roll, they're new names by date, and don't get renamed."

answered 21 Apr '10, 16:56

jrodman ♦
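
An added example, not part of the original answers and not Splunk's code: a simplified Python model of the behaviour the answers above describe, where files are recognized by a CRC of their leading bytes and crcSalt changes what goes into that CRC. The CRC32 function, the 256-byte window, the skip-on-repeat rule and the sample file contents are assumptions made for illustration.

```python
import zlib

INIT_CRC_LEN = 256  # assumption: size of the leading window that is fingerprinted


def fingerprint(source, content, crc_salt=None):
    """Model of the check: CRC over the file's first bytes, plus an optional salt."""
    if crc_salt == "<SOURCE>":
        salt = source.encode()      # literal keyword: salt with this file's own path
    elif crc_salt:
        salt = crc_salt.encode()    # any other string is one constant for the whole stanza
    else:
        salt = b""
    return zlib.crc32(salt + content[:INIT_CRC_LEN])


def files_read(files, crc_salt=None):
    """Return the sources that get read; a repeated fingerprint is skipped as already seen."""
    seen, read = set(), []
    for source, content in files:
        fp = fingerprint(source, content, crc_salt)
        if fp not in seen:
            seen.add(fp)
            read.append(source)
    return read


# Constructed sample data: seven day-of-week logs that share one long header.
HEADER = (b"Microsoft DHCP Service Activity Log (constructed header)\r\n"
          + b"Event ID  Meaning\r\n" * 20)
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]
FILES = [(r"\\dhcpsrv\dhcp$\DhcpSrvLog." + d,
          HEADER + f"10,04/20/10,{d} lease event\r\n".encode()) for d in DAYS]

if __name__ == "__main__":
    # No salt and a constant salt both collapse the seven files into one fingerprint.
    for salt in (None, r"\\dhcpsrv\dhcp$\DhcpSrvLog.*", "<SOURCE>"):
        print(f"crcSalt={salt!r}: {len(files_read(FILES, salt))} of {len(FILES)} files read")
    # With <SOURCE>, renaming a file changes its fingerprint, so it looks new again.
    src, content = FILES[2]
    changed = fingerprint(src, content, "<SOURCE>") != fingerprint(src + ".1", content, "<SOURCE>")
    print("renamed file treated as new under <SOURCE>:", changed)
```

The last check is the re-indexing caveat from the first answer: under this model a rolled or renamed copy in the monitored directory gets a new fingerprint, which is why such files need to be excluded.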


Copyright © 2005-2012 Splunk, Inc. All rights reserved.