cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
leebsr
Explorer
Member since: ‎06-18-2020
‎06-24-2020
Community Statistics
Posts 4
Solutions 1
Karma Given 2
Karma Received 0
Member Since ‎06-18-2020
Activity Feed
View All

Lost packages when using tcp syslog and packages n...

by in Getting Data In
‎06-24-2020 04:33 AM
‎06-24-2020 04:33 AM
When using syslog through tcp (instead of udp) from imperva, many packages are lost since they do not arrive in order. So at destination everything is screwed up since they can not be reassembled ... View more
Labels

Re: Universal forwarder overwrites log source IP, ...

by in Getting Data In
‎06-24-2020 04:29 AM
‎06-24-2020 04:29 AM
Thanx ! I checked the inputs.conf and it is already solved there since we put there that the log source should be the 7th parameter of the folder holding its logs which is the IP of the actual log source. Solved then ! ... View more

Re: Universal forwarder overwrites log source IP, ...

by in Getting Data In
‎06-18-2020 10:07 AM
‎06-18-2020 10:07 AM
Hi richgalloway 1st of all many thanks for your quick answer. Correct in this environment I belive that they have configured the UF as well as a syslog server. I need to confirm this though. Could you please give further details on the correct architeture for the UF and the log source ---> splunk flow ? I believe that what you mean in your second part of the answer is that the uf should be pointing and sending logs to the inderxers and later on when querying the sh, it will send the query to the indexers which will perform the dirty job, right ? and then indexers will send their output to the sh correct ? is that the right arch ? ... View more

Universal forwarder overwrites log source IP, inse...

by in Getting Data In
‎06-18-2020 09:23 AM
‎06-18-2020 09:23 AM
Hi guys, I have a gd issue here. My universal forwarder sends logs to a splunk search head, and the search head sees the logs with the IP of the universal forwarder as if it were the log source, when it is actually not, it is just forwarding logs from the sources. How can I get rid of this so I can see at the searches the real log source IPs ?? Is there a reason why this IP overwrite could be useful ?  I dont see it and for now what I need is to have real IPs on the search heads. Craving for a solution ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎06-24-2020 08:26 AM
Karma given to
View All