Getting Data In
Highlighted

Is there a way to maintain the source IP of the UDP syslog packet when forwarding to a 3rd party syslog listener?

Splunk Employee
Splunk Employee

If a 3rd party system looks at the UDP packet to determine the source "Host", is there a way for Splunk to spoof that IP when syslog forwarding is set up?

Tags (3)
0 Karma
Highlighted

Re: Is there a way to maintain the source IP of the UDP syslog packet when forwarding to a 3rd party syslog listener?

Splunk Employee
Splunk Employee

There is not. The IP address is extracted from the IP packet header, and Splunk does not interfere or generate at that protocol layer. This is why Splunk (like other syslog agents) can prepend the data and the IP address before forwarding. The setting no_appending_timestamp = false should be set on the Splunk UDP input to make Splunk do this.

View solution in original post

0 Karma
Highlighted

Re: Is there a way to maintain the source IP of the UDP syslog packet when forwarding to a 3rd party syslog listener?

Splunk Employee
Splunk Employee

If you must have spoofing, just have syslogNG receive the data instead of Splunk. SyslogNG can break IP via source spoofing, as well as write to files that Splunk can index.

Highlighted

Re: Is there a way to maintain the source IP of the UDP syslog packet when forwarding to a 3rd party syslog listener?

Splunk Employee
Splunk Employee

and not rsyslogd?

0 Karma
Highlighted

Re: Is there a way to maintain the source IP of the UDP syslog packet when forwarding to a 3rd party syslog listener?

Splunk Employee
Splunk Employee

We have customers using rsyslog as well to write incoming syslog traffic to directories by host and splunking it just fine. They have written a lot of it to different directories so that they could have multiple splunk forwarders consuming the data. They broke out the busiest firewall traffic specifically so that it could handle the amount of data being written. They are collecting over 1.2TB per day on rsyslog.

0 Karma