Hi, I always appreciate your taking the time to answer my question.
We will connect independent systems using the L3 Switch and send the syslog to the cyber security operation center like attached picture. (Network switch will send via syslog function, and Splunk forwarder will be installed on workstation)
Even if the IP address is duplicated in each system, the IP address cannot be changed.
If IP addresses are duplicated between independent systems, is there a problem in transmitting logs?
When you say "the IP address cannot be changed" are you referring to the address on the server or the address sent to the SIEM? The latter is normal in DHCP environments and CSOCs learn to handle it. Sometimes, an intermediate system (like DSP or Cribl) is used to enrich the data with the DNS name belonging to the IP address.
The rest of this answer presumes IP addresses remain constant on the server and also are duplicated.
Splunk won't care about the duplicated IP addresses unless you are using Enterprise Security. If that's the case then ES's asset data enrichment feature will fail to determine which asset belongs to a given IP address since more than one asset has the same address.
If you don't use ES then the CSOC analysts may have the same problem determining which server reported an error.
Some syslog systems will route or modify (removing unwanted fields, for instance) incoming events based on the source IP address. If IP addresses are duplicated among dissimilar source types then data could be routing or modified incorrectly.
The solution, IMO, is not to duplicate IP addresses.
--- If this reply helps you, an upvote would be appreciated.
Since the application that was installed in the workstation cannot be modified, I've wrote that "the IP address cannot be changed".
For example, if there is an application that communicates with a server having address of 192.168.0.10, it is impossible to change the server IP address because the application code cannot be modified.
Splunk Enterprise SIEM will be installed in CSOC, and Heavy Forwarder will be used as the agent for syslog transmission.
Is there a function to transfer syslog by changing the source IP address to distinguish assets?
Or is there another way to differentiate between assets?