Getting Data In

Rename the "host" field from stormshield sourcetype events

kvnpichon
Path Finder

Hello,

I will try to describe the situation first; my problem and then ask you my question :

This my architecture :

  • 6 stormshield firewalls (one per remote site).
  • 6 rsyslog/forwarders (one per remote site).
  • The rsyslog/forwarders gather logs from /var/log/rsyslog/stormshield/%FROMHOST%/stormshield.log
  • The rsyslog/forwarders send logs to indexers with sourcetype = stormshield and source=/var/log/rsyslog/stormshield/%FROMHOST%/stormshield.log
  • The "host" field is the "%FROMHOST%" folder (defined by the hostname of the firewall)

My problem is :

  • The "host" field is not normalized because sometime the hostname is an IP address or the DNS name.
  • I can't change hostname of my firewall because lot of things related to their hostname.
  • I need to use the "host" field because it it used in lot of secruity dashboards.

My question is : can I normalized the "host" field by renaming the firewalls somewhere in Splunk ? and how can I do it ?

  • I want to have the "host" coresponding to my new names.
  • Exemple 1 : For the firewall XX.XX.XX.1 (old "host" field) the "host" field must be ABC-001
  • Exemple 2 : For XX.XX.XX.19, the "host" field must be ABC-019 instead of XX.XX.XX.19, etc.

Thanks Splunkers,

Regards.

 

Labels (2)
0 Karma
1 Solution

kvnpichon
Path Finder

For the moment I found a solution :

I use a lookup that map the "fw" field (firewall serial number) with the "dvc" field (cluster hostname).

So I declared the lookup/fields in the props.conf and the transforms.conf.

Like that, if 2 firewall belonging to the same cluster appear in the logs it has the same "dvc" field.

Thanks for reply.

View solution in original post

0 Karma

kvnpichon
Path Finder

For the moment I found a solution :

I use a lookup that map the "fw" field (firewall serial number) with the "dvc" field (cluster hostname).

So I declared the lookup/fields in the props.conf and the transforms.conf.

Like that, if 2 firewall belonging to the same cluster appear in the logs it has the same "dvc" field.

Thanks for reply.

0 Karma
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...