Getting Data In

Universal forwarder overwrites log source IP, inserting its own UF IP when forwarding logs to search head

leebsr
Explorer

Hi guys,

I have a gd issue here. My universal forwarder sends logs to a Splunk search head, and the search head sees the logs with the IP of the universal forwarder as if it were the log source, when it is actually not; it is just forwarding logs from the sources.

How can I get rid of this so I can see the real log source IPs in the searches?

Is there a reason why this IP overwrite could be useful? I don't see it, and for now what I need is to have the real IPs on the search heads.

Craving for a solution


richgalloway
SplunkTrust

Please tell us more about your Splunk environment. How are the data sources getting to the UF? Are you using the UF as a syslog server? If so, that's not a good practice.
Why is the UF sending data to the SH instead of the indexer(s)?
---
If this reply helps you, Karma would be appreciated.

leebsr
Explorer

Hi richgalloway, first of all, many thanks for your quick answer.

Correct, in this environment I believe that they have configured the UF as a syslog server as well. I need to confirm this though.

Could you please give further details on the correct architecture for the UF and the log source ---> Splunk flow?

I believe that what you mean in the second part of your answer is that the UF should be pointing at and sending logs to the indexers, and later on, when querying the SH, it will send the query to the indexers, which will perform the dirty job, right? And then the indexers will send their output to the SH, correct? Is that the right architecture?


richgalloway
SplunkTrust

UF as a syslog server has a number of issues, but your configuration of a UF installed on a dedicated syslog server is considered Best Practice.  Thanks for clarifying that.

Can you share the inputs.conf settings on the UF for one of the problem data sources?

Yes, forwarders (and search heads) should be forwarding data to indexers.

---
If this reply helps you, Karma would be appreciated.

leebsr
Explorer

Thanks!

I checked the inputs.conf and it is already solved there, since we put there that the log source should be the 7th parameter of the folder holding its logs, which is the IP of the actual log source.

Solved then!
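For readers landing here later, this is what the accepted approach looks like in inputs.conf (an added illustration, not the poster's actual configuration): the default monitor stanza stamps every event with the forwarder's own host, while `host_segment` takes the host from the Nth directory of the monitored path. The directory layout `/opt/syslog/data/remote/hosts/by-ip/<source-ip>/` is a constructed assumption chosen so that the source IP is the 7th segment, matching the thread; `host_segment` and `host_regex` are real inputs.conf settings, and the outputs.conf fragment reflects richgalloway's point that the UF should send to indexers rather than the search head.

```ini
# --- $SPLUNK_HOME/etc/system/local/inputs.conf on the UF (added example) ---

# BEFORE: no host override. Every event inherits the host of the UF itself,
# which is exactly the symptom described in the question.
[monitor:///opt/syslog/data/remote/hosts/by-ip/*/messages]
sourcetype = syslog
index = network
disabled = false

# AFTER: take the host value from the 7th path segment.
# /opt(1)/syslog(2)/data(3)/remote(4)/hosts(5)/by-ip(6)/10.0.0.5(7)/messages
# Constructed path: the syslog server on this box is assumed to write each
# sender's messages into a directory named after the sender's IP.
[monitor:///opt/syslog/data/remote/hosts/by-ip/*/messages]
sourcetype = syslog
index = network
host_segment = 7
disabled = false

# Alternative when the layout is not a fixed depth: capture the host from the
# full path with a regex instead of a segment index (first capture group wins).
# [monitor:///opt/syslog/data/remote/hosts/by-ip/*/messages]
# host_regex = /by-ip/([^/]+)/messages$

# --- $SPLUNK_HOME/etc/system/local/outputs.conf on the UF (added example) ---
# Forwarders should deliver to the indexing tier, not to the search head.
# idx1/idx2 are placeholder hostnames.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997
```

Because the host field now comes from a directory name written by the syslog daemon, it is only as trustworthy as that daemon's naming rule: a layout keyed on the sender's IP reflects the peer address, whereas one keyed on the hostname inside the syslog message reflects whatever the sender claimed. Verify the result with a search such as `index=network | stats count by host, source` and confirm the UF's own hostname no longer appears as a host for forwarded data.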
