Getting Data In

Rename the "host" field from stormshield sourcetype events

kvnpichon
Path Finder

Hello,

I will try to describe the situation first; my problem and then ask you my question :

This my architecture :

  • 6 stormshield firewalls (one per remote site).
  • 6 rsyslog/forwarders (one per remote site).
  • The rsyslog/forwarders gather logs from /var/log/rsyslog/stormshield/%FROMHOST%/stormshield.log
  • The rsyslog/forwarders send logs to indexers with sourcetype = stormshield and source=/var/log/rsyslog/stormshield/%FROMHOST%/stormshield.log
  • The "host" field is the "%FROMHOST%" folder (defined by the hostname of the firewall)

My problem is :

  • The "host" field is not normalized because sometime the hostname is an IP address or the DNS name.
  • I can't change hostname of my firewall because lot of things related to their hostname.
  • I need to use the "host" field because it it used in lot of secruity dashboards.

My question is : can I normalized the "host" field by renaming the firewalls somewhere in Splunk ? and how can I do it ?

  • I want to have the "host" coresponding to my new names.
  • Exemple 1 : For the firewall XX.XX.XX.1 (old "host" field) the "host" field must be ABC-001
  • Exemple 2 : For XX.XX.XX.19, the "host" field must be ABC-019 instead of XX.XX.XX.19, etc.

Thanks Splunkers,

Regards.

 

Labels (2)
0 Karma
1 Solution

kvnpichon
Path Finder

For the moment I found a solution :

I use a lookup that map the "fw" field (firewall serial number) with the "dvc" field (cluster hostname).

So I declared the lookup/fields in the props.conf and the transforms.conf.

Like that, if 2 firewall belonging to the same cluster appear in the logs it has the same "dvc" field.

Thanks for reply.

View solution in original post

0 Karma

kvnpichon
Path Finder

For the moment I found a solution :

I use a lookup that map the "fw" field (firewall serial number) with the "dvc" field (cluster hostname).

So I declared the lookup/fields in the props.conf and the transforms.conf.

Like that, if 2 firewall belonging to the same cluster appear in the logs it has the same "dvc" field.

Thanks for reply.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...