topic Re: Identify IP address from host in Getting Data In

Identify IP address from host

rameshlpatel — Thu, 03 Apr 2014 16:24:29 GMT

Hi,

We are seeing two suspicious servers which are sending syslogs in huge count.

and Upto my knowledge, we didn’t setup these two servers with forwarders or any splunk setup.

So how we can find out original servers which are sending logs to indexer ?

Re: Identify IP address from host

somesoni2 — Thu, 03 Apr 2014 18:24:17 GMT

If you browse the syslog, you should be able to see host field. You can get IP of the server by doing nslookup.

Re: Identify IP address from host

lukejadamec — Thu, 03 Apr 2014 18:26:04 GMT

If you have configured Splunk to listen to udp:514, then you did configure Splunk to collect data on any server that sends syslog data on udp:514.

Re: Identify IP address from host

linu1988 — Sat, 05 Apr 2014 07:38:43 GMT

Use Deploy Monitor app(All Forwarder View) for checking which are the forwarders sending data.

In inputs.conf mention the ip address which should only be accepted from.

acceptFrom = <network_acl> ...
* Lists a set of networks or addresses to accept connections from.
 These rules are separated by commas or spaces
* Each rule can be in the following forms:
*   1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")
*   2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32")

Thanks