Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Forward syslog maintain the source IP

gballanti
Explorer
‎09-08-2021 02:52 AM

Hi All,

i'm struggling with the syslog configuration to forward events and maintain the original source IP.

By rsyslog daemon i collect the data in a file then i need to forward  after parsing to a third syslog receiver. On my HF i have the following configuration:

inputs.conf

[monitor:///opt/syslog/udp_514/udp_switch.log]
disabled = 0
sourcetype = syslog

 

outputs.conf

[syslog:forward_syslog]
server = 172.18.0.32:514

 

props.conf

[source::/opt/syslog/udp_514/udp_switch.log]
TRANSFORMS-t1 = to_syslog,to_null

 

transforms.conf

[to_syslog]
REGEX = <regex filter>
DEST_KEY = _SYSLOG_ROUTING
FORMAT = forward_syslog

[to_null]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = nullQueue

 

this configuration is working fine, unfortunately the source ip is changed

log in udp_switch.log "Sep 8 11:30:52 10.10.10.5 TEST5,007251000106157"

in third party syslog the ip changes from "10.10.10.5" with the Heavy forwarder one.

Is it possible to maintain the original IP, and how ?

Many thanks

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎09-08-2021 03:18 AM

Short answer is "no".

Long answer is that if splunks sends data to a third party it is the initiator of the connection (or the source of UDP packets in case of UDP syslog). So the metadata extracted on the destination server from the connection parameters will point back at splunk server. The only possibility to pretend that the packets came from the original source (possible only with UDP) would be to spoof the original source - that's possible with rsyslog using a proper output module, maybe with syslog-ng but definitely not with splunk.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎09-08-2021 03:18 AM

Short answer is "no".

Long answer is that if splunks sends data to a third party it is the initiator of the connection (or the source of UDP packets in case of UDP syslog). So the metadata extracted on the destination server from the connection parameters will point back at splunk server. The only possibility to pretend that the packets came from the original source (possible only with UDP) would be to spoof the original source - that's possible with rsyslog using a proper output module, maybe with syslog-ng but definitely not with splunk.

0 Karma
Reply
Solved! Jump to solution

gballanti
Explorer
‎09-08-2021 06:03 AM

thanks Rick,

i was suspecting that, but how we say "Hope is last to die".

Regards

0 Karma
Reply
Get Updates on the Splunk Community!

What’s New in Splunk Observability Cloud – June 2025

What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...

Almost Too Eventful Assurance: Part 2

Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

 Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research Team (STRT) and ...
Top