Hi,
We are facing an issue with replacing the hostname with the real IP of the source server in the logs.
The logs are sent by a Universal Forwarder.
Here is an example:
Orig: "Jul 12 17:26:41 spluf3.com sudo:spladmin : TTY=pts/1 ; PWD=/etc ; USER=root ; COMMAND=/bin/ls -ls"
Target: "Jul 12 17:26:41 172.17.0.3 sudo:spladmin : TTY=pts/1 ; PWD=/etc ; USER=root ; COMMAND=/bin/ls -ls"
The hostname "spluf3.com" should be replaced with the real IP address (172.17.0.3) of "spluf3.com".
Lookups are not the best option: there are too many dynamic systems served by DHCP and a lot of systems with IP addresses only (DNS lookups give nothing).
The flow is as follows: UF -> HF -> Indexer
The transformation will be done at the HF.
Here are our configs:
inputs.conf ->
[default]
host = spluf3.com

[monitor:///var/log/secure]
disabled = 0
sourcetype = syslog

props.conf ->
[source::/var/log/secure]
TRANSFORMS-siem = send_to_qradar

transforms.conf ->
[send_to_qradar]
SOURCE_KEY = _raw
REGEX = server:(\w+)
REGEX = \S+\s\S+\s\S+\s(\S+)
DEST_KEY = _raw
FORMAT = $2=$1
Will it work?
Or do you have any experience with how to replace the source hostname $2 in the message with the IP address $1?
Thank you in advance for prompt answers!
br,
Oleg
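Added example, not part of the original post and not Splunk's own code: the rewrite the post is after, done in Python so it can be run and checked offline. Two points it makes concrete. First, the post's second REGEX only captures the host token, and nothing else in the event carries the IP, so a regex on _raw cannot produce 172.17.0.3 by itself; the IP has to be supplied from outside the event (here a hypothetical HOST_TO_IP table, standing in for whatever the heavy forwarder knows about the connecting source). Second, a transforms.conf stanza carries a single REGEX, and with DEST_KEY = _raw the FORMAT string becomes the entire new event, so "$2=$1" (no second group exists) would not keep the rest of the line; the function below keeps the prefix and the remainder of the line and leaves an event untouched when the header does not parse, the token is already an IP, or no IP is known. The sample events are constructed; the first is the line quoted in the post.

```python
import re

# Constructed sample events (the first is the line from the post; the others
# are made up to exercise the edge cases).
SAMPLE_EVENTS = [
    'Jul 12 17:26:41 spluf3.com sudo:spladmin : TTY=pts/1 ; PWD=/etc ; USER=root ; COMMAND=/bin/ls -ls',
    'Jul 12 17:27:03 172.17.0.9 sshd[1234]: Accepted publickey for spladmin from 10.0.0.5 port 52212 ssh2',
    'Jul 12 17:27:10 unknown-host sudo:root : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/bin/id',
]

# Hypothetical host-to-IP mapping (assumption): the IP is not in the event,
# so the rewrite must be given it from somewhere else, e.g. the address the
# forwarder connected from. Maintained outside the event stream.
HOST_TO_IP = {'spluf3.com': '172.17.0.3'}

# Same idea as the post's REGEX \S+\s\S+\s\S+\s(\S+): three whitespace-separated
# fields (month, day, time), then the host token. Anchored, and the prefix and
# remainder are captured so the rest of the line survives the rewrite.
SYSLOG_HOST_RE = re.compile(r'^(\S+\s+\S+\s+\S+\s+)(\S+)(\s.*)$')

# Loose IPv4 shape check: enough to skip tokens that are already an address.
IPV4_RE = re.compile(r'^(?:\d{1,3}\.){3}\d{1,3}$')


def rewrite_host(raw, host_to_ip=HOST_TO_IP):
    """Return raw with the syslog host token replaced by its IP.

    The event is returned unchanged when the header does not parse, when the
    token is already an IP, or when no IP is known for the host, so a missing
    mapping never silently corrupts the line.
    """
    m = SYSLOG_HOST_RE.match(raw)
    if not m:
        return raw
    prefix, host, rest = m.groups()
    if IPV4_RE.match(host):
        return raw
    ip = host_to_ip.get(host)
    if ip is None:
        return raw
    return f'{prefix}{ip}{rest}'


def rewrite_all(events, host_to_ip=HOST_TO_IP):
    """Apply rewrite_host to a batch of events, preserving order."""
    return [rewrite_host(e, host_to_ip) for e in events]


if __name__ == '__main__':
    for after in rewrite_all(SAMPLE_EVENTS):
        print(after)
```

Only the first sample changes (spluf3.com becomes 172.17.0.3 and everything after it is kept); the second already has an IP in the host position and the third has no mapping, so both pass through unchanged.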