Getting Data In

Is there a way to maintain the source IP of the UDP syslog packet when forwarding to a 3rd party syslog listener?

dskillman
Splunk Employee

If a 3rd party system looks at the UDP packet to determine the source "Host", is there a way for Splunk to spoof that IP when syslog forwarding is set up?

1 Solution

gkanapathy
Splunk Employee

There is not. The IP address is extracted from the IP packet header, and Splunk does not interfere or generate at that protocol layer. This is why Splunk (like other syslog agents) can prepend the data and the IP address before forwarding. The setting no_appending_timestamp = false should be set on the Splunk UDP input to make Splunk do this.


araitz
Splunk Employee

If you must have spoofing, just have syslog-ng receive the data instead of Splunk. syslog-ng can break IP via source spoofing, as well as write to files that Splunk can index.

emotz
Splunk Employee

We have customers using rsyslog as well to write incoming syslog traffic to directories by host and splunking it just fine. They have written a lot of it to different directories so that they could have multiple Splunk forwarders consuming the data. They broke out the busiest firewall traffic specifically so that it could handle the amount of data being written. They are collecting over 1.2TB per day on rsyslog.

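The accepted answer explains why a relay cannot carry the original sender's IP forward (the address lives in the IP header, which the relay does not control) and why the fix is to write the sender into the message instead; the rsyslog answer above then files messages into per-host directories. The following added example, which is not code from the thread, from Splunk or from rsyslog, models both points in Python: a relay that prepends a timestamp and the sender's address (the layout is an assumption, not Splunk's exact format), a receiver that prefers the message header over the packet source, and a per-host directory helper that refuses host values that are not safe to use as a path component. All addresses and messages are constructed.

```python
"""Model of why a UDP relay cannot hand the original source IP on to the next
hop, and what a receiver can do instead. Added example: not Splunk or
rsyslog code; formats and values below are constructed for illustration."""
import re
from datetime import datetime

# RFC 3164 shape: <PRI>Mmm dd hh:mm:ss HOST rest-of-message
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<rest>.*)$",
    re.S,
)
# A plain hostname or address: no slashes, no leading dot, bounded length
_SAFE_HOST = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,252}$")


def relay_forward(datagram, packet_src_ip, prepend=True, now=None):
    """What a relay can do: it cannot rewrite the IP header of the packet it
    re-sends (the next hop will see the relay's address), so it records the
    sender inside the message. Layout is an assumption, not Splunk's format."""
    if not prepend:
        return datagram
    m = re.match(r"^<(\d{1,3})>(.*)$", datagram, re.S)
    pri, body = (m.group(1), m.group(2)) if m else ("13", datagram)
    ts = (now or datetime.now()).strftime("%b %d %H:%M:%S")
    return f"<{pri}>{ts} {packet_src_ip} {body}"


def origin_host(datagram, packet_src_ip):
    """Decide which host a message belongs to. Returns (host, where) so the
    caller knows whether the value came from the message header or was only
    the UDP packet source, which after a relay hop is the relay itself."""
    m = _HEADER.match(datagram)
    if m:
        return m.group("host"), "header"
    return packet_src_ip, "packet"


def host_directory(base, host):
    """Per-host output directory, as in the rsyslog layout described above.
    The host string is untrusted input from the network, so refuse anything
    that is not a plain hostname or address before using it as a path."""
    if not _SAFE_HOST.match(host) or ".." in host:
        raise ValueError(f"unsafe host value: {host!r}")
    return f"{base}/{host}"


def walk_scenarios():
    """Constructed walk-through: a device at 10.0.0.5 emits a message with
    no hostname field, once directly and twice through a relay at 10.0.0.9."""
    device, relay = "10.0.0.5", "10.0.0.9"
    msg = "<13>link down on eth0"
    t = datetime(2024, 10, 11, 22, 14, 15)
    results = {}
    # 1. direct delivery: the packet source is the real device
    results["direct"] = origin_host(msg, device)
    # 2. relay that re-sends the bytes unchanged: source is now the relay
    results["relay_raw"] = origin_host(
        relay_forward(msg, device, prepend=False), relay)
    # 3. relay that prepends timestamp and sender: header carries the device
    results["relay_prepend"] = origin_host(
        relay_forward(msg, device, now=t), relay)
    return results


if __name__ == "__main__":
    for name, (host, where) in walk_scenarios().items():
        print(f"{name:14s} host={host:10s} from {where}")
    print(host_directory("/var/log/remote", "fw01"))
```

The second scenario is the situation the question describes: once the message has crossed a relay, the packet source identifies the relay, and a downstream listener that trusts only the packet header will attribute every event to it. The third scenario is the accepted answer's remedy. The `host_directory` check matters for the rsyslog layout because the host field is whatever the sender put on the wire, and it must not be allowed to steer writes outside the base directory.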

Genti
Splunk Employee

and not rsyslogd?
