https://community.splunk.com/t5/Splunk-Enterprise/On-what-basis-does-the-Universal-Forwarder-determine-the-source/m-p/581248#M11187 <P>As I understand it, the outbound NIC is selected by the operating system.</P> Sun, 16 Jan 2022 14:30:41 GMT richgalloway 2022-01-16T14:30:41Z https://community.splunk.com/t5/Splunk-Enterprise/On-what-basis-does-the-Universal-Forwarder-determine-the-source/m-p/581240#M11186 <P>As shown in the picture below, one workstation has 4 IP addresses (4 NIC) and sends Windows Event log to Splunk Indexer.</P><P>When I search the log collected in the indexer, I could confirm that the source IP address of logs was decided randomly among 4 IP addresses.</P><P>I don't know the source IP address is decided by what criteria, so I ask this question.</P><P>My question:<BR />1. Is the source IP address decided by what criteria?<BR />2. Is there function to decide the source IP address in the Universal Forwarder?</P><P>For your information, my network is a standalone network without external connection such as Web.</P><P>Kind regards</P><P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Network Diagram.JPG" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/17576i02F316FF04C0C7BA/image-size/medium?v=v2&amp;px=400" role="button" title="Network Diagram.JPG" alt="Network Diagram.JPG" /></span></P> Sun, 16 Jan 2022 10:47:15 GMT https://community.splunk.com/t5/Splunk-Enterprise/On-what-basis-does-the-Universal-Forwarder-determine-the-source/m-p/581240#M11186 kevinsteeee 2022-01-16T10:47:15Z https://community.splunk.com/t5/Splunk-Enterprise/On-what-basis-does-the-Universal-Forwarder-determine-the-source/m-p/581248#M11187 <P>As I understand it, the outbound NIC is selected by the operating system.</P> Sun, 16 Jan 2022 14:30:41 GMT https://community.splunk.com/t5/Splunk-Enterprise/On-what-basis-does-the-Universal-Forwarder-determine-the-source/m-p/581248#M11187 richgalloway 2022-01-16T14:30:41Z https://community.splunk.com/t5/Splunk-Enterprise/On-what-basis-does-the-Universal-Forwarder-determine-the-source/m-p/581256#M11189 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/58370">@kevinsteeee</a>&nbsp;</P><P>The host's routing table determines the default destination for non-local traffic.</P><P>Typically, a host with multiple interfaces would have a single default route associated with the highest priority interface. In this example, non-local traffic would traverse eth0 and have source address 192.168.100.100:</P><LI-CODE lang="python">$ route -n Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 192.168.100.1 0.0.0.0 UG 100 0 0 eth0 192.168.100.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0 192.168.101.0 0.0.0.0 255.255.255.0 U 101 0 0 eth1 192.168.102.0 0.0.0.0 255.255.255.0 U 102 0 0 eth2 192.168.103.0 0.0.0.0 255.255.255.0 U 103 0 0 eth3</LI-CODE><P>If you have multiple addresses associated with one interface, you should still have one default route:</P><LI-CODE lang="javascript">$ route -n Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 192.168.100.1 0.0.0.0 UG 100 0 0 eth0 192.168.100.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0 192.168.101.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0 192.168.102.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0 192.168.103.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0</LI-CODE><P>If, however, you have multiple default routes, they may be selected in a round-robin fashion, and your source address would vary between .100.100, .101.100, .102.100, and .103.100.</P><LI-CODE lang="javascript">$ route -n Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 192.168.100.1 0.0.0.0 UG 100 0 0 eth0 0.0.0.0 192.168.101.1 0.0.0.0 UG 100 0 0 eth0 0.0.0.0 192.168.102.1 0.0.0.0 UG 100 0 0 eth0 0.0.0.0 192.168.103.1 0.0.0.0 UG 100 0 0 eth0 192.168.100.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0 192.168.101.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0 192.168.102.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0 192.168.103.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0</LI-CODE><P>Routing table or policy management varies by operating environment.</P> Sun, 16 Jan 2022 16:54:06 GMT https://community.splunk.com/t5/Splunk-Enterprise/On-what-basis-does-the-Universal-Forwarder-determine-the-source/m-p/581256#M11189 tscroggins 2022-01-16T16:54:06Z https://community.splunk.com/t5/Splunk-Enterprise/On-what-basis-does-the-Universal-Forwarder-determine-the-source/m-p/581258#M11190 <P>I'm grateful for your detailed explanation. Thanks to your help,&nbsp; I was able to understand it. Many thanks for your kind help.</P><P>&nbsp;</P><P>Kind regards</P> Sun, 16 Jan 2022 17:39:25 GMT https://community.splunk.com/t5/Splunk-Enterprise/On-what-basis-does-the-Universal-Forwarder-determine-the-source/m-p/581258#M11190 kevinsteeee 2022-01-16T17:39:25Z https://community.splunk.com/t5/Splunk-Enterprise/On-what-basis-does-the-Universal-Forwarder-determine-the-source/m-p/581271#M11193 <P>It's also worth noting that there is no such thing as "source ip of logs" in a general sense.</P><P>Yes, you can in some cases get the ip of the connection and push it into a field (especially if you have some intermediate processing layer) but in general sense IP of a connection over which the data is pushed is one thing and data in the event itself is another thing. Especially in case of windows event logs which often do not include any form of ip information.</P> Sun, 16 Jan 2022 23:56:03 GMT https://community.splunk.com/t5/Splunk-Enterprise/On-what-basis-does-the-Universal-Forwarder-determine-the-source/m-p/581271#M11193 PickleRick 2022-01-16T23:56:03Z https://community.splunk.com/t5/Splunk-Enterprise/On-what-basis-does-the-Universal-Forwarder-determine-the-source/m-p/581282#M11195 <P>There is no other way. Splunk forwarder (and any other component) is typically run as a non-administrative user so has no way of performing low-level tasks like manipulating routing.</P><P>It just creates a socket and opens a connection to the destination server using OS library calls and the rest is up to the system.</P> Mon, 17 Jan 2022 06:28:25 GMT https://community.splunk.com/t5/Splunk-Enterprise/On-what-basis-does-the-Universal-Forwarder-determine-the-source/m-p/581282#M11195 PickleRick 2022-01-17T06:28:25Z