Security

Listeners bound to different IP addresses

Motivator

Is it possible to have splunktcp listeners bound to different IP addresses? I see the SPLUNK_BINDIP option, but that's not what I'm looking for.

While transitioning from our 3.3 servers, and another server using syslogd I'd like to have 2 separate inputs on udp:514. I would use this second listner to segregate all data off into a temporary index that I would later delete. I've had issues with dates being classified incorrectly and I don't want to replicate that issue to our new servers. As data is verified and new splunk forwarders are installed I would move data off this secondary interface.

Tags (3)
1 Solution

Motivator

I don't believe there's a way to bind a specific UDP or TCP input stanza to a particular IP address.

If you're on Linux, you can work around it with iptables. Move each listener to a different, dedicated port number. Then, define iptables rules to redirect traffic to the correct ports as needed.

If you decide to go the iptables route, this may help:
     http://straylink.wordpress.com/2006/08/16/using-iptables-to-redirect-packets/

View solution in original post

Motivator

I don't believe there's a way to bind a specific UDP or TCP input stanza to a particular IP address.

If you're on Linux, you can work around it with iptables. Move each listener to a different, dedicated port number. Then, define iptables rules to redirect traffic to the correct ports as needed.

If you decide to go the iptables route, this may help:
     http://straylink.wordpress.com/2006/08/16/using-iptables-to-redirect-packets/

View solution in original post