Re: Destination/Server IP in a log

jurij_hatala · ‎07-12-2016

Would it be possible to have a destination / server IP field in a log?
How it's could be configured?

PavelP · ‎07-12-2016

Hello Jurij,
add to the log dest_ip=IP.toString(URL.dstIP)

Beware that this property triggers a DNS lookup.

Best regards
Pavel

jaxjohnny2000 · ‎11-16-2018

Thank you. We'll try that

PavelP · ‎11-15-2018

Hi

You need to enable dest ip rule in the mwgaccess3.log configuration. The rule is already there, just enable it.
Go policy > log handler > mwgaccess3.log

jaxjohnny2000 · ‎11-15-2018

there is a field called "dest_ip", but it does not bring back those values:

value count %
1 116 16.089%
1132 4 0.555%
1125 3 0.416%
1188 3 0.416%
1438 3 0.416%
517 3 0.416%
6647 3 0.416%
6653 3 0.416%
1008 2 0.277%
1042 2 0.277%

jaxjohnny2000 · ‎11-15-2018

the props.conf has this:
FIELDALIAS-dest_ip = dst AS dest_ip
REPORT-dst = mwg_dst

Does the Destination IP even come over from McAfee Web Gateway?

the src_ip field works fine.

When you say add to the log, I need to ask the McAfee admins to add this?

Destination/Server IP in a log

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation