
How to make the real user IP show in the audittrail log while using an LB in an SH cluster, instead of only one IP from the LB or AD?

scr1biddies
Loves-to-Learn Lots

Hi, this is my first post; I'm a newbie Splunker.

I have a case from my clients: Splunk is running with an LB in front of the SH cluster. I am already using LDAP to provide the login accounts in Splunk. When I check the audittrail log in a query table, it shows only one specific clientip or src.
That was different the first time I connected AD for login access to Splunk, and also inside the dev server, because we only use an AIO/standalone Splunk in dev. There it shows the real IP of the user.

But now, when I log in to Splunk Web, the audit trail log shows one specific IP; I think it's the LB or AD IP. Even when I used a native user like "admin", it showed only one IP, and it's not my device IP.

How do I make the real IP from the user show in the audittrail log while using an LB in an SH cluster, instead of only one IP from the LB or AD?

0 Karma

dural_yyz
Motivator

Splunk audit logs will pick the src IP for the log from the incoming packet. To me this indicates your LB is doing full-blown SNAT rather than maintaining the source IP on the 'inside' portion of the connection. This would be an issue for your network/LB admin team to resolve, if possible, based on their network design.

This is not something that Splunk administration/configuration can fix.

0 Karma

scr1biddies
Loves-to-Learn Lots

Okay, so I need to talk with the LB/network team who can fix this thing then.

0 Karma

PickleRick
SplunkTrust

Probably quite the opposite - no one usually bothers with SNAT when already doing DNAT (unless there are some wacky routings involved). So the LB is probably a full-blown HTTP proxy, in which case it makes perfect sense to see the other endpoint of the connection as being the proxy itself.

@scr1biddies if this is indeed the case, make sure the proxy sends a proper X-Forwarded-For: header and set tools.proxy.on=true in web.conf.
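To illustrate why the audit trail shows the proxy's address and what enabling proxy awareness changes, here is an added example (my own code, not Splunk's implementation of tools.proxy.on and not part of this thread). It models how a proxy-aware web tier should derive the source address from X-Forwarded-For: the header is only believed when the TCP peer is a known proxy, because any client that can reach the server directly could set the header itself. The proxy and client addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample: the reverse proxy / LB address that fronts the search heads.
# This is a placeholder, not an address from the thread.
TRUSTED_PROXIES = frozenset({"10.0.0.5"})


def client_ip(peer_ip, xff_header, proxy_on, trusted_proxies=TRUSTED_PROXIES):
    """Return the address that should be recorded as the request source.

    peer_ip         -- address of the TCP peer the web server actually talked to
    xff_header      -- value of the X-Forwarded-For header, or None if absent
    proxy_on        -- whether proxy awareness is enabled (the role tools.proxy.on plays)
    trusted_proxies -- proxies whose X-Forwarded-For we are willing to believe
    """
    # Without proxy awareness (or without the header) the only thing we know is
    # the TCP peer, which behind an HTTP proxy is the proxy itself.
    if not proxy_on or not xff_header:
        return peer_ip

    # The header is client-controlled unless our own proxy put it there, so an
    # untrusted peer gets logged as itself regardless of what the header claims.
    if peer_ip not in trusted_proxies:
        return peer_ip

    hops = [h.strip() for h in xff_header.split(",") if h.strip()]

    # Each proxy appends the address it received the request from, so walking
    # right to left, the first address that is not one of our proxies is the
    # address the outermost trusted proxy saw: the real client.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # malformed entry: refuse to trust the chain at all
        if hop not in trusted_proxies:
            return hop

    # The whole chain consisted of our own proxies; nothing better than the peer.
    return peer_ip


def audit_src(user, peer_ip, xff_header, proxy_on):
    """Build the src value an audit record would carry for a login by `user`."""
    return {"user": user, "src": client_ip(peer_ip, xff_header, proxy_on)}


if __name__ == "__main__":
    # Constructed scenario: user workstation 192.0.2.10 logs in through the LB.
    print(audit_src("admin", "10.0.0.5", "192.0.2.10", proxy_on=False))
    print(audit_src("admin", "10.0.0.5", "192.0.2.10", proxy_on=True))
    # A client bypassing the LB and forging the header still gets logged as itself.
    print(audit_src("admin", "198.51.100.7", "192.0.2.10", proxy_on=True))
```

With proxy awareness off, every login is attributed to 10.0.0.5, which is exactly the "one IP for everyone" symptom in the question; with it on and the peer being the trusted LB, the workstation address is recorded. Keeping a trusted-proxy list is the part that matters for the audit trail's integrity: without it, a direct connection could write any source address it likes into the log.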

scr1biddies
Loves-to-Learn Lots

I found a related case in Splunk Ideas, https://ideas.splunk.com/ideas/EID-I-1168; it's kind of complicated, since I'm new to Splunk and the SHC architecture is not simple.

0 Karma

PickleRick
SplunkTrust

If your LB is indeed an HTTP proxy, there is a fat chance that you're already getting the X-Forwarded-For header. So it might be enough to enable the option I mentioned earlier.

0 Karma

scr1biddies
Loves-to-Learn Lots

I just checked in /system/default/web.conf; the config you mentioned before is there but commented out.
It says that I have to set that in local/web.conf if I run my Splunk behind a reverse proxy.

Is that the correct location?
To be safe, do I have to copy that to /local first, or can I just simply enable it?

0 Karma

PickleRick
SplunkTrust

Never edit files in default directories. Especially in system/default.

Splunk merges settings from various files into an effective config according to these rules:

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles

Long story short - settings specified in a local directory will overwrite settings specified in the default one.

So you can add this setting to the system/local/web.conf file (or create the file if you don't already have it). Of course you need to specify the proper stanza if you don't have it there. So the minimal file should look like this:

[settings]
tools.proxy.on = true

Or even better - create your own app with this setting: create a directory within the apps directory, create a local directory there, and put the web.conf file there.


0 Karma

scr1biddies
Loves-to-Learn Lots

I'll try this thing first.

0 Karma