Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Forward syslog maintain the source IP

gballanti
Explorer
‎09-08-2021 02:52 AM

Hi All,

i'm struggling with the syslog configuration to forward events and maintain the original source IP.

By rsyslog daemon i collect the data in a file then i need to forward  after parsing to a third syslog receiver. On my HF i have the following configuration:

inputs.conf

[monitor:///opt/syslog/udp_514/udp_switch.log]
disabled = 0
sourcetype = syslog

 

outputs.conf

[syslog:forward_syslog]
server = 172.18.0.32:514

 

props.conf

[source::/opt/syslog/udp_514/udp_switch.log]
TRANSFORMS-t1 = to_syslog,to_null

 

transforms.conf

[to_syslog]
REGEX = <regex filter>
DEST_KEY = _SYSLOG_ROUTING
FORMAT = forward_syslog

[to_null]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = nullQueue

 

this configuration is working fine, unfortunately the source ip is changed

log in udp_switch.log "Sep 8 11:30:52 10.10.10.5 TEST5,007251000106157"

in third party syslog the ip changes from "10.10.10.5" with the Heavy forwarder one.

Is it possible to maintain the original IP, and how ?

Many thanks

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎09-08-2021 03:18 AM

Short answer is "no".

Long answer is that if splunks sends data to a third party it is the initiator of the connection (or the source of UDP packets in case of UDP syslog). So the metadata extracted on the destination server from the connection parameters will point back at splunk server. The only possibility to pretend that the packets came from the original source (possible only with UDP) would be to spoof the original source - that's possible with rsyslog using a proper output module, maybe with syslog-ng but definitely not with splunk.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎09-08-2021 03:18 AM

Short answer is "no".

Long answer is that if splunks sends data to a third party it is the initiator of the connection (or the source of UDP packets in case of UDP syslog). So the metadata extracted on the destination server from the connection parameters will point back at splunk server. The only possibility to pretend that the packets came from the original source (possible only with UDP) would be to spoof the original source - that's possible with rsyslog using a proper output module, maybe with syslog-ng but definitely not with splunk.

0 Karma
Reply
Solved! Jump to solution

gballanti
Explorer
‎09-08-2021 06:03 AM

thanks Rick,

i was suspecting that, but how we say "Hope is last to die".

Regards

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...