Getting Data In

Is there a way to maintain the source IP of the UDP syslog packet when forwarding to a 3rd party syslog listener?

dskillman
Splunk Employee
Splunk Employee

If a 3rd party system looks at the UDP packet to determine the source "Host", is there a way for Splunk to spoof that IP when syslog forwarding is set up?

Tags (3)
0 Karma
1 Solution

gkanapathy
Splunk Employee
Splunk Employee

There is not. The IP address is extracted from the IP packet header, and Splunk does not interfere or generate at that protocol layer. This is why Splunk (like other syslog agents) can prepend the data and the IP address before forwarding. The setting no_appending_timestamp = false should be set on the Splunk UDP input to make Splunk do this.

View solution in original post

0 Karma

araitz
Splunk Employee
Splunk Employee

If you must have spoofing, just have syslogNG receive the data instead of Splunk. SyslogNG can break IP via source spoofing, as well as write to files that Splunk can index.

emotz
Splunk Employee
Splunk Employee

We have customers using rsyslog as well to write incoming syslog traffic to directories by host and splunking it just fine. They have written a lot of it to different directories so that they could have multiple splunk forwarders consuming the data. They broke out the busiest firewall traffic specifically so that it could handle the amount of data being written. They are collecting over 1.2TB per day on rsyslog.

0 Karma

Genti
Splunk Employee
Splunk Employee

and not rsyslogd?

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

There is not. The IP address is extracted from the IP packet header, and Splunk does not interfere or generate at that protocol layer. This is why Splunk (like other syslog agents) can prepend the data and the IP address before forwarding. The setting no_appending_timestamp = false should be set on the Splunk UDP input to make Splunk do this.

0 Karma
Get Updates on the Splunk Community!

There's No Place Like Chrome and the Splunk Platform

Watch On DemandMalware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

The Great Resilience Quest: 5th Leaderboard Update

The fifth leaderboard update for The Great Resilience Quest is out >> 🏆 Check out the ...

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...