Hi, this is my 1st post, I'm a newbie Splunker.
I have a case from my clients: Splunk is running with an LB in front of the SH cluster. I'm already using LDAP to inject the data for login access accounts in Splunk. When I checked the audittrail log in the query table, it's showing only 1 specific clientip or src.
That was different the 1st time I injected AD for login access to Splunk, or inside the dev server, because we only use AIO/standalone Splunk in dev. It was showing the real IP of the user.
But now, when I log in to Splunk Web, the audit trail log shows 1 specific IP, which I think is the LB or AD IP. Even when I use a native user like "admin", it shows only 1 IP, and it's not my device IP.
How do I make the real IP of the user show in the audittrail log, instead of only the 1 IP from the LB or AD, while using an LB with the SH cluster?
Splunk audit logs will pick the src ip for the log from the incoming packet. To me this indicates your LB is doing full-blown SNAT rather than maintaining the source IP on the 'inside' portion of the connection. This would be an issue for your network/LB admin team to resolve if possible based on their network design.
This is not something that Splunk administration/configuration can fix.
Okay, so I need to talk with the LB/network team to fix this thing then.
Probably quite the opposite - no one usually bothers with SNAT when already doing DNAT (unless there are some wacky routings involved). So the LB is probably a full-blown HTTP proxy, in which case it makes perfect sense to see the other endpoint of the connection as being the proxy itself.
@scr1biddies if this is indeed the case, make sure the proxy sends a proper X-Forwarded-For: header and set tools.proxy.on=true in web.conf.
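The header handling that advice relies on, as an added example that is not Splunk's code and not from the original thread: a small Python function modelling how a service sitting behind a trusted proxy should derive the client address from X-Forwarded-For, and why the header is only trustworthy when the proxy itself appends the address it saw (the proxy and client addresses are constructed).

```python
import ipaddress

# Constructed addresses for illustration: the LB / reverse proxy in front
# of the search heads. In practice this is the address audittrail keeps
# showing as clientip when the proxy, not the user, is the TCP peer.
TRUSTED_PROXIES = {
    ipaddress.ip_address("10.0.0.5"),
    ipaddress.ip_address("10.0.0.6"),
}


def client_ip(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Return the address an audit log should record for a request.

    peer_ip is the TCP peer (what you get with no proxy handling at all).
    Only when the peer is a trusted proxy is X-Forwarded-For consulted:
    walk the list from the right, skip every trusted hop, and take the
    first untrusted one. That is the last address a trusted proxy vouched
    for; anything further left was written by an untrusted party and may
    be spoofed, so it is deliberately ignored.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in trusted:
        # Direct connection: the header could be anything, ignore it.
        return str(peer)
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop and fall back to the proxy address
        if addr not in trusted:
            return str(addr)
    # No usable client hop: record the proxy, which is all we can prove.
    return str(peer)


if __name__ == "__main__":
    # Constructed request: user 192.0.2.10 sent a forged header value,
    # the proxy appended the address it actually saw.
    hdrs = {"X-Forwarded-For": "198.51.100.7, 192.0.2.10"}
    print("peer only :", "10.0.0.5")
    print("with XFF  :", client_ip("10.0.0.5", hdrs))  # 192.0.2.10
```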
I found a related case in Splunk Ideas https://ideas.splunk.com/ideas/EID-I-1168; it's kinda complicated, since I'm new to Splunk and the SHC architecture is not simple.
If your LB is indeed an HTTP proxy, there is a fat chance that you're already getting the X-Forwarded-For header. So it might be enough to enable the option I mentioned earlier.
I just checked /system/default/web.conf; the config that you mentioned before is there but commented out.
It says that I have to set that in local/web.conf if I run my Splunk behind a reverse proxy.
Is that the correct location?
To be safe, do I have to copy that to /local first, or can I just simply enable it?
Never edit files in default directories. Especially in system/default.
Splunk merges settings from various files into an effective config according to these rules
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles
Long story short - settings specified in the local directory will overwrite settings specified in the default one.
So you can either add this setting to the system/local/web.conf file (or create the file if you don't already have it). Of course you need to specify the proper stanza if you don't have it there. So the minimal file should look like this:
[settings]
tools.proxy.on = true
Or even better - create your own app with this setting: create a directory within the apps directory, create a local directory there and put the web.conf file there.
I'll try this thing 1st