Getting Data In

How can I obtain and use a UF's clientIP in transforms.conf on a HF?

thilles
Explorer

A customer has a case where they are cloning a subset of UF logs to an external third party using an intermediate HF and its syslog output functionality.
The architectural setup is roughly this:

UF   -->  Splunk Cloud
 |
(subset of UFs)
 |
  ---->    Splunk HF   --> Third party (using syslog)

Splunk HF outputs syslog as: [timestamp] [hostname] [event]

The problem is the value of the UF hostname the third party receives; it needs the hostname value to be the UF’s IP.
Splunk Cloud, on the other hand, needs the UF hostname to be in DNS format (as the host name is configured during first-time boot in system/local/inputs.conf).

We thought about modifying inputs.conf such that the UFs had host=localhost, in combination with setting connection_host=(dns|ip) on Splunk Cloud and the HF, respectively, as seen in the documentation below.
We have verified that this would work for the third party, but it would break the hostname in Splunk Cloud. Since the UFs have private IPs, they cannot be DNS-resolved by Splunk Cloud.

Our next idea is to rewrite the host values using transforms/props on the HF.
The problem is that the events being forwarded don’t contain the IP value of the UF host (they are Windows Event Logs, so we can’t modify the raw event), so it’s not trivial to use a regex and write to MetaData::Host.
I know that the HF knows of the UF’s IP, as this can be seen in index=_internal source=*metrics.log sourceIP=*

Does anybody know of some (undocumented) way of tapping into that information and using it to overwrite the MetaData::Host value, such that the HF will output syslog as [timestamp][IP][event]?

From inputs.conf

[splunktcp://[<remote server>]:<port>]
* Receivers use this input stanza.
* This is the same as the [tcp://] stanza, except the remote server is assumed
  to be a Splunk instance, most likely a forwarder.
* <remote server> is optional. If you specify it, the receiver only listen for
  data from <remote server>.
  * Use of <remote server> is not recommended. Use the 'acceptFrom' setting,
    which supersedes this setting.

connection_host = [ip|dns|none]
* For splunktcp, the 'host' or 'connection_host' will be used if the remote 
  Splunk instance does not set a host, or if the host is set to
  "<host>::<localhost>".
* "ip" sets the host to the IP address of the system sending the data.
* "dns" sets the host to the reverse DNS entry for IP address of the system
  sending the data.
* "none" leaves the host as specified in inputs.conf, typically the splunk
  system hostname.
* Default: "ip".

gcusello
SplunkTrust

Hi thilles,
I suggest a different approach: did you think of creating a script to run on the UF that writes the UF's IP address to a file that is read by the UF and sent to the third party by the HF?
In this way you don't have to transform the hostname (which could be useful), and at the same time you have the IP and you don't have DNS problems.

Bye.
Giuseppe

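One way to implement Giuseppe's suggestion on a Windows UF, as an added example that is not part of the thread: a PowerShell script, run on a schedule (Task Scheduler is assumed), that appends the UF's IPv4 address to a file the UF monitors. The output path, the `uf:ip` sourcetype and the adapter filter are assumptions, not settings from the thread.

```powershell
# Added example (not from the thread): record this UF's IPv4 address(es) in a
# file that the Universal Forwarder monitors, so the IP travels with the data
# through the HF to the third party without rewriting MetaData::Host.
# The output path is an assumption; adjust it to the customer's environment.
$OutFile = 'C:\ProgramData\uf_ip\uf_ip.log'

# Collect IPv4 addresses, skipping loopback, APIPA (169.254/16) and other
# well-known (non-routable) prefixes so only real interface addresses remain.
$Addresses = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object {
        $_.IPAddress -notlike '127.*' -and
        $_.IPAddress -notlike '169.254.*' -and
        $_.PrefixOrigin -ne 'WellKnown'
    } |
    Select-Object -ExpandProperty IPAddress

# Make sure the directory exists; New-Item -Force is a no-op if it already does.
$null = New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force

# One key=value line per address. A leading ISO-8601 UTC timestamp lets Splunk
# extract _time without custom props; the file grows by a few bytes per run.
$Timestamp = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
foreach ($Ip in $Addresses) {
    "$Timestamp host=$env:COMPUTERNAME uf_ip=$Ip" |
        Add-Content -Path $OutFile -Encoding utf8
}
```

Monitor the file on the UF with a stanza such as `[monitor://C:\ProgramData\uf_ip\uf_ip.log]` and `sourcetype = uf:ip` (assumed names), and include that sourcetype in the subset the HF clones to the third party so the recipient can correlate each hostname with its IP.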