We are forwarding some of our logs from Splunk to a third party IBM Qradar environment. The third party is not able to see the actual source IP address of the logs - they only see our heavy forwarder IPs as the source. Is there something we can do on the configs on Splunk to actually include this info as well?
You can set rewrite the metadata per-event based on the actual host info in your log file on your heavy forwarder.
Suppose you have the following raw data:
[22/Apr/2014:00:46:27] sales accepted server:A01R2 SID=107570
[22/Apr/2014:00:48:40] sales rejected server:B13R1 SID=102498
[22/Apr/2014:00:50:02] sales accepted server:A05R1 SID=173560
You can add the following stanzas: props.conf
TRANSFORMS-register = saleshost
SOURCEKEY = raw
REGEX = server:(\w+)
DESTKEY = MetaData:Host
FORMAT = host::$1
Splunk will then check each event in the _raw source. If an event contains “server:”, capture the wordand rewrite the value of the MetaData:Host key
with the captured group.
You can also rewrite other metadata. When MetaData: key is used, its FORMAT value
must be prefixed by: