https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-overwrites-log-source-IP-inserting-its-own/m-p/505939#M86183 <P>Thanx !</P><P>I checked the inputs.conf and it is already solved there since we put there that the log source should be the 7th parameter of the folder holding its logs which is the IP of the actual log source.</P><P>Solved then !</P> Wed, 24 Jun 2020 11:29:57 GMT leebsr 2020-06-24T11:29:57Z https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-overwrites-log-source-IP-inserting-its-own/m-p/505029#M86036 <P>Hi guys,</P><P>I have a gd issue here. My universal forwarder sends logs to a splunk search head, and the search head sees the logs with the IP of the universal forwarder as if it were the log source, when it is actually not, it is just forwarding logs from the sources.</P><P>How can I get rid of this so I can see at the searches the real log source IPs ??</P><P>Is there a reason why this IP overwrite could be useful ?&nbsp; I dont see it and for now what I need is to have real IPs on the search heads.</P><P>Craving for a solution</P> Thu, 18 Jun 2020 16:23:59 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-overwrites-log-source-IP-inserting-its-own/m-p/505029#M86036 leebsr 2020-06-18T16:23:59Z https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-overwrites-log-source-IP-inserting-its-own/m-p/505031#M86037 Please tell us more about your Splunk environment? How are the data sources getting to the UF? Are you using the UF as a syslog server? If so, that's not a good practice.<BR />Why is the UF sending data to the SH instead of the indexer(s)? Thu, 18 Jun 2020 16:49:05 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-overwrites-log-source-IP-inserting-its-own/m-p/505031#M86037 richgalloway 2020-06-18T16:49:05Z https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-overwrites-log-source-IP-inserting-its-own/m-p/505036#M86038 <P>Hi richgalloway 1st of all many thanks for your quick answer.</P><P>Correct in this environment I belive that they have configured the UF as well as a syslog server. I need to confirm this though.</P><P>Could you please give further details on the correct architeture for the UF and the log source ---&gt; splunk flow ?</P><P>I believe that what you mean in your second part of the answer is that the uf should be pointing and sending logs to the inderxers and later on when querying the sh, it will send the query to the indexers which will perform the dirty job, right ? and then indexers will send their output to the sh correct ? is that the right arch ?</P> Thu, 18 Jun 2020 17:07:03 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-overwrites-log-source-IP-inserting-its-own/m-p/505036#M86038 leebsr 2020-06-18T17:07:03Z https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-overwrites-log-source-IP-inserting-its-own/m-p/505042#M86040 <P>UF as a syslog server has a number of issues, but your configuration of a UF installed on a dedicated syslog server is considered Best Practice.&nbsp; Thanks for clarifying that.</P><P>Can you share the inputs.conf settings on the UF for one of the problem data sources?</P><P>Yes, forwarders (and search heads) should be forwarding data to indexers.</P> Thu, 18 Jun 2020 17:22:47 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-overwrites-log-source-IP-inserting-its-own/m-p/505042#M86040 richgalloway 2020-06-18T17:22:47Z https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-overwrites-log-source-IP-inserting-its-own/m-p/505939#M86183 <P>Thanx !</P><P>I checked the inputs.conf and it is already solved there since we put there that the log source should be the 7th parameter of the folder holding its logs which is the IP of the actual log source.</P><P>Solved then !</P> Wed, 24 Jun 2020 11:29:57 GMT https://community.splunk.com/t5/Getting-Data-In/Universal-forwarder-overwrites-log-source-IP-inserting-its-own/m-p/505939#M86183 leebsr 2020-06-24T11:29:57Z