Security

Listeners bound to different IP addresses

Motivator

Is it possible to have splunktcp listeners bound to different IP addresses? I see the SPLUNK_BINDIP option, but that's not what I'm looking for.

While transitioning from our 3.3 servers, and another server using syslogd I'd like to have 2 separate inputs on udp:514. I would use this second listner to segregate all data off into a temporary index that I would later delete. I've had issues with dates being classified incorrectly and I don't want to replicate that issue to our new servers. As data is verified and new splunk forwarders are installed I would move data off this secondary interface.

Tags (3)
1 Solution

Motivator

I don't believe there's a way to bind a specific UDP or TCP input stanza to a particular IP address.

If you're on Linux, you can work around it with iptables. Move each listener to a different, dedicated port number. Then, define iptables rules to redirect traffic to the correct ports as needed.

If you decide to go the iptables route, this may help:
     http://straylink.wordpress.com/2006/08/16/using-iptables-to-redirect-packets/

View solution in original post

Motivator

I don't believe there's a way to bind a specific UDP or TCP input stanza to a particular IP address.

If you're on Linux, you can work around it with iptables. Move each listener to a different, dedicated port number. Then, define iptables rules to redirect traffic to the correct ports as needed.

If you decide to go the iptables route, this may help:
     http://straylink.wordpress.com/2006/08/16/using-iptables-to-redirect-packets/

View solution in original post

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!