Getting Data In

Is there a way to maintain the source IP of the UDP syslog packet when forwarding to a 3rd party syslog listener?

dskillman
Splunk Employee
Splunk Employee

If a 3rd party system looks at the UDP packet to determine the source "Host", is there a way for Splunk to spoof that IP when syslog forwarding is set up?

Tags (3)
0 Karma
1 Solution

gkanapathy
Splunk Employee
Splunk Employee

There is not. The IP address is extracted from the IP packet header, and Splunk does not interfere or generate at that protocol layer. This is why Splunk (like other syslog agents) can prepend the data and the IP address before forwarding. The setting no_appending_timestamp = false should be set on the Splunk UDP input to make Splunk do this.

View solution in original post

0 Karma

araitz
Splunk Employee
Splunk Employee

If you must have spoofing, just have syslogNG receive the data instead of Splunk. SyslogNG can break IP via source spoofing, as well as write to files that Splunk can index.

emotz
Splunk Employee
Splunk Employee

We have customers using rsyslog as well to write incoming syslog traffic to directories by host and splunking it just fine. They have written a lot of it to different directories so that they could have multiple splunk forwarders consuming the data. They broke out the busiest firewall traffic specifically so that it could handle the amount of data being written. They are collecting over 1.2TB per day on rsyslog.

0 Karma

Genti
Splunk Employee
Splunk Employee

and not rsyslogd?

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

There is not. The IP address is extracted from the IP packet header, and Splunk does not interfere or generate at that protocol layer. This is why Splunk (like other syslog agents) can prepend the data and the IP address before forwarding. The setting no_appending_timestamp = false should be set on the Splunk UDP input to make Splunk do this.

0 Karma
Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...