Getting Data In

Universal forwarder overwrites log source IP, inserting its own UF ip when forwarding logs to search head

leebsr
Explorer

Hi guys,

I have a gd issue here. My universal forwarder sends logs to a Splunk search head, and the search head sees the logs with the IP of the universal forwarder as if it were the log source, when it is actually not; it is just forwarding logs from the sources.

How can I get rid of this so I can see the real log source IPs in the searches?

Is there a reason why this IP overwrite could be useful? I don't see it, and for now what I need is to have the real IPs on the search heads.

Craving for a solution

1 Solution

leebsr
Explorer

Thanks!

I checked the inputs.conf and it is already solved there, since we put there that the log source should be the 7th segment of the folder holding its logs, which is the IP of the actual log source.

Solved then!

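As an added example (not from the thread, and not a configuration taken from Splunk's documentation), this is the shape of the inputs.conf stanza leebsr describes: a universal forwarder reading files written by a syslog daemon into per-sender directories, with the host field taken from the directory named after the sender's IP. The directory layout, index name and wildcard pattern are assumed.

```ini
# inputs.conf on the universal forwarder (added example; paths are assumed).
# Assumed layout written by the local syslog daemon:
#   /opt/data/logs/syslog/remote/hosts/<source-ip>/<file>.log
# host_segment counts path components from the left, starting at 1 after the
# leading slash: opt=1 data=2 logs=3 syslog=4 remote=5 hosts=6 <source-ip>=7
[monitor:///opt/data/logs/syslog/remote/hosts/*/*.log]
host_segment = 7
sourcetype = syslog
index = syslog

# Alternative when the sender IP is embedded in the file name rather than a
# directory: derive host from the path with a regex instead of a segment index.
# [monitor:///opt/data/logs/syslog/flat/*.log]
# host_regex = /flat/(\d+\.\d+\.\d+\.\d+)\.log$
# sourcetype = syslog
# index = syslog

# With neither host_segment nor host_regex set, the forwarder stamps its own
# hostname (or IP) into the host field, which is the symptom in the question.
```

To confirm the fix after a restart of the forwarder, a search such as `index=syslog | stats count by host` should list the sender IPs rather than the forwarder's own address.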

richgalloway
SplunkTrust

Please tell us more about your Splunk environment. How are the data sources getting to the UF? Are you using the UF as a syslog server? If so, that's not a good practice.
Why is the UF sending data to the SH instead of the indexer(s)?
---
If this reply helps you, Karma would be appreciated.

leebsr
Explorer

Hi richgalloway, first of all many thanks for your quick answer.

Correct, in this environment I believe that they have configured the UF as a syslog server as well. I need to confirm this though.

Could you please give further details on the correct architecture for the UF and the log source ---> Splunk flow?

I believe that what you mean in the second part of your answer is that the UF should be pointing to and sending logs to the indexers, and later on, when querying the SH, it will send the query to the indexers, which will perform the dirty job, right? And then the indexers will send their output to the SH, correct? Is that the right architecture?


richgalloway
SplunkTrust

UF as a syslog server has a number of issues, but your configuration of a UF installed on a dedicated syslog server is considered Best Practice. Thanks for clarifying that.

Can you share the inputs.conf settings on the UF for one of the problem data sources?

Yes, forwarders (and search heads) should be forwarding data to indexers.

---
If this reply helps you, Karma would be appreciated.
