Getting Data In

Is there a way to maintain the source IP of the UDP syslog packet when forwarding to a 3rd party syslog listener?

Splunk Employee
Splunk Employee

If a 3rd party system looks at the UDP packet to determine the source "Host", is there a way for Splunk to spoof that IP when syslog forwarding is set up?

Tags (3)
0 Karma
1 Solution

Splunk Employee
Splunk Employee

There is not. The IP address is extracted from the IP packet header, and Splunk does not interfere or generate at that protocol layer. This is why Splunk (like other syslog agents) can prepend the data and the IP address before forwarding. The setting no_appending_timestamp = false should be set on the Splunk UDP input to make Splunk do this.

View solution in original post

0 Karma

Splunk Employee
Splunk Employee

If you must have spoofing, just have syslogNG receive the data instead of Splunk. SyslogNG can break IP via source spoofing, as well as write to files that Splunk can index.

Splunk Employee
Splunk Employee

We have customers using rsyslog as well to write incoming syslog traffic to directories by host and splunking it just fine. They have written a lot of it to different directories so that they could have multiple splunk forwarders consuming the data. They broke out the busiest firewall traffic specifically so that it could handle the amount of data being written. They are collecting over 1.2TB per day on rsyslog.

0 Karma

Splunk Employee
Splunk Employee

and not rsyslogd?

0 Karma

Splunk Employee
Splunk Employee

There is not. The IP address is extracted from the IP packet header, and Splunk does not interfere or generate at that protocol layer. This is why Splunk (like other syslog agents) can prepend the data and the IP address before forwarding. The setting no_appending_timestamp = false should be set on the Splunk UDP input to make Splunk do this.

View solution in original post

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!