https://community.splunk.com/t5/Getting-Data-In/Missing-Source-IP-address-when-logs-are-forwarded-to-third-party/m-p/244813#M47356 <P>Hi, </P> <P>We are forwarding some of our logs from Splunk to a third party IBM Qradar environment. The third party is not able to see the actual source IP address of the logs - they only see our heavy forwarder IPs as the source. Is there something we can do on the configs on Splunk to actually include this info as well?</P> <P>Here are my configs </P> <P><STRONG>props.conf</STRONG></P> <PRE><CODE>[pan*] TRANSFORMS-routing=syslogRouting # [Win*] TRANSFORMS-routing=syslogRouting2 </CODE></PRE> <P><STRONG>transforms.conf</STRONG></P> <PRE><CODE>[syslogRouting] REGEX=. DEST_KEY=_SYSLOG_ROUTING FORMAT=syslogGroup [syslogRouting2] REGEX=. DEST_KEY=_SYSLOG_ROUTING FORMAT=syslogGroup2 </CODE></PRE> <P><STRONG>outputs.conf</STRONG></P> <PRE><CODE>[syslog:syslogGroup] server = 1.2.3.4:514 sendCookedData = false [syslog:syslogGroup2] server = 5.6.7.8:514 sendCookedData = false </CODE></PRE> <P>Thanks in advance !</P> Wed, 12 Oct 2016 20:45:54 GMT dmenon84 2016-10-12T20:45:54Z https://community.splunk.com/t5/Getting-Data-In/Missing-Source-IP-address-when-logs-are-forwarded-to-third-party/m-p/244813#M47356 <P>Hi, </P> <P>We are forwarding some of our logs from Splunk to a third party IBM Qradar environment. The third party is not able to see the actual source IP address of the logs - they only see our heavy forwarder IPs as the source. Is there something we can do on the configs on Splunk to actually include this info as well?</P> <P>Here are my configs </P> <P><STRONG>props.conf</STRONG></P> <PRE><CODE>[pan*] TRANSFORMS-routing=syslogRouting # [Win*] TRANSFORMS-routing=syslogRouting2 </CODE></PRE> <P><STRONG>transforms.conf</STRONG></P> <PRE><CODE>[syslogRouting] REGEX=. DEST_KEY=_SYSLOG_ROUTING FORMAT=syslogGroup [syslogRouting2] REGEX=. DEST_KEY=_SYSLOG_ROUTING FORMAT=syslogGroup2 </CODE></PRE> <P><STRONG>outputs.conf</STRONG></P> <PRE><CODE>[syslog:syslogGroup] server = 1.2.3.4:514 sendCookedData = false [syslog:syslogGroup2] server = 5.6.7.8:514 sendCookedData = false </CODE></PRE> <P>Thanks in advance !</P> Wed, 12 Oct 2016 20:45:54 GMT https://community.splunk.com/t5/Getting-Data-In/Missing-Source-IP-address-when-logs-are-forwarded-to-third-party/m-p/244813#M47356 dmenon84 2016-10-12T20:45:54Z https://community.splunk.com/t5/Getting-Data-In/Missing-Source-IP-address-when-logs-are-forwarded-to-third-party/m-p/244814#M47357 <P>Hi, dmenon84, </P> <P>You can set rewrite the metadata per-event based on the actual host info in your log file on your heavy forwarder. <BR /> Suppose you have the following raw data: <BR /> [22/Apr/2014:00:46:27] sales accepted server:A01R2 SID=107570<BR /> [22/Apr/2014:00:48:40] sales rejected server:B13R1 SID=102498<BR /> [22/Apr/2014:00:50:02] sales accepted server:A05R1 SID=173560</P> <P>You can add the following stanzas: <BR /> <STRONG>props.conf</STRONG><BR /> [sales_entries]<BR /> TRANSFORMS-register = sales_host</P> <P><STRONG>transforms.conf</STRONG><BR /> [sales_host]<BR /> SOURCE_KEY = _raw<BR /> REGEX = server:(\w+)<BR /> DEST_KEY = MetaData:Host<BR /> FORMAT = host::$1</P> <P>Splunk will then check each event in the _raw source. If an event contains “server:”, capture the wordand rewrite the value of the MetaData:Host key<BR /> with the captured group. </P> <P>You can also rewrite other metadata. When MetaData: key is used, its FORMAT value<BR /> must be prefixed by:<BR /> host::<BR /> source::<BR /> sourcetype::</P> <P>Hope this helps. Thanks! <BR /> Hunter</P> Tue, 29 Sep 2020 11:22:18 GMT https://community.splunk.com/t5/Getting-Data-In/Missing-Source-IP-address-when-logs-are-forwarded-to-third-party/m-p/244814#M47357 hunters_splunk 2020-09-29T11:22:18Z