Splunk Search

dynamic hostname replacement with real source server IP addsress in log source

oustinov1
New Member

Hi,
we facing an issue with replacement of the hostname with real ip of the source server in the logs
The logs are sent by Universal Forwarder.
here is the example:
Orig: "Jul 12 17:26:41 spluf3.com sudo:spladmin : TTY=pts/1 ; PWD=/etc ; USER=root ; COMMAND=/bin/ls -ls"
Target: "Jul 12 17:26:41 172.17.0.3 sudo:spladmin : TTY=pts/1 ; PWD=/etc ; USER=root ; COMMAND=/bin/ls -ls"

the hostname "spluf3.com" should be replaced with the real IP address (172.17.0.3) of the "spluf3.com".

Lookups is not the best variant - there are too much dynamical systems served by DHCP and lot of systems with IP addresses only (DNS lookups gives nothing).
Flow is as follow: UF -> HF -> Indexer
Transformation will be done at HF.

Here are our configs:

inputs.conf ->
[default]
host = spluf3.com

[monitor:///var/log/secure]
disabled=0
sourcetype=syslog

props.conf ->
[source::/var/log/secure]
TRANSFORMS-siem = send_to_qradar

transforms.conf ->
[send_to_qradar]

this will find IP address of the server/host

SOURCE_KEY=_raw
REGEX = server:(\w+)

this should find the hostname in the message source

REGEX = \S+\s\S+\s\S+\s(\S+)
DEST_KEY = _raw
FORMAT=$2=$1

Will it work?
Or do you have any experience with how to replace in the message source hostname $2 with IP address $1?

Thank you in advance for promt answers!
br,
Oleg

Tags (1)
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...