Getting Data In

Rename the "host" field from stormshield sourcetype events

kvnpichon
Path Finder

Hello,

I will try to describe the situation first; my problem and then ask you my question :

This my architecture :

  • 6 stormshield firewalls (one per remote site).
  • 6 rsyslog/forwarders (one per remote site).
  • The rsyslog/forwarders gather logs from /var/log/rsyslog/stormshield/%FROMHOST%/stormshield.log
  • The rsyslog/forwarders send logs to indexers with sourcetype = stormshield and source=/var/log/rsyslog/stormshield/%FROMHOST%/stormshield.log
  • The "host" field is the "%FROMHOST%" folder (defined by the hostname of the firewall)

My problem is :

  • The "host" field is not normalized because sometime the hostname is an IP address or the DNS name.
  • I can't change hostname of my firewall because lot of things related to their hostname.
  • I need to use the "host" field because it it used in lot of secruity dashboards.

My question is : can I normalized the "host" field by renaming the firewalls somewhere in Splunk ? and how can I do it ?

  • I want to have the "host" coresponding to my new names.
  • Exemple 1 : For the firewall XX.XX.XX.1 (old "host" field) the "host" field must be ABC-001
  • Exemple 2 : For XX.XX.XX.19, the "host" field must be ABC-019 instead of XX.XX.XX.19, etc.

Thanks Splunkers,

Regards.

 

Labels (2)
0 Karma
1 Solution

kvnpichon
Path Finder

For the moment I found a solution :

I use a lookup that map the "fw" field (firewall serial number) with the "dvc" field (cluster hostname).

So I declared the lookup/fields in the props.conf and the transforms.conf.

Like that, if 2 firewall belonging to the same cluster appear in the logs it has the same "dvc" field.

Thanks for reply.

View solution in original post

0 Karma

kvnpichon
Path Finder

For the moment I found a solution :

I use a lookup that map the "fw" field (firewall serial number) with the "dvc" field (cluster hostname).

So I declared the lookup/fields in the props.conf and the transforms.conf.

Like that, if 2 firewall belonging to the same cluster appear in the logs it has the same "dvc" field.

Thanks for reply.

0 Karma
Get Updates on the Splunk Community!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...