Splunk IT Service Intelligence

ITSI - Exchange - Dashboard - External Logins Map - wrong extraction of source IP (c_ip)

corti77
Communicator

Hi,

Recently we deployed IT Essentials Work with the latest Exchange Content Pack. We also deployed the three add-ons for Exchange on the Exchange nodes (including IIS and OWA logs).


Now we are in the process of validating the ITSI dashboards; External Logins Map is one of them, and we realized that the extracted source IP (c_ip field) corresponds to our load balancer (XXX.XXX.XXX.XXX) instead of the remote host (the IP shown at the end of the event).

Below is an example of an Exchange event that reaches our Splunk infra.

2021-10-08 12:22:31 XXX.XXX.XXX.XXX POST /Microsoft-Server-ActiveSync/default.eas Cmd=Ping&User=---%5n---&DeviceId=-------&DeviceType=Outlook&CorrelationID=<empty>;&cafeReqId=c586f22d-14cd-4449-be95-fe666b30c92e; 443 -------\----- 192.168.X.X Outlook-iOS-Android/1.0 - 200 0 0 181382 52.98.193.109

We use the official TA-Exchange-2013-Mailbox, TA-Exchange-ClientAccess and TA-Windows-Exchange-IIS add-ons.

I found the definition of the c_ip field in transforms.conf and props.conf in TA-Windows-Exchange-IIS, but I don't see any specific regex for its correct extraction.

Could someone tell me how to proceed to fix this parsing issue so the dashboards can show correct information?

Many thanks.

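To make concrete what the extraction has to do, here is an added example that is not part of the original post or of the Exchange TA: a small Python parser for the W3C line quoted above that keeps the c-ip IIS logged but returns the balancer-appended X-Forwarded-For address as the effective client when c-ip is a known load balancer. The field order, the placeholder addresses and the transforms.conf pairing mentioned in the comments are assumptions.

```python
import re
from ipaddress import ip_address

# Constructed sample in the W3C layout of the event quoted above; the server,
# balancer and client addresses are placeholders (private/documentation ranges).
SAMPLE_EVENT = (
    "2021-10-08 12:22:31 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas "
    "Cmd=Ping&User=---%5n---&DeviceId=-------&DeviceType=Outlook&CorrelationID=<empty>;"
    "&cafeReqId=c586f22d-14cd-4449-be95-fe666b30c92e; 443 CORP\\user1 192.168.1.10 "
    "Outlook-iOS-Android/1.0 - 200 0 0 181382 203.0.113.7"
)

# Assumed field order (W3C logs are space-delimited; spaces inside values are '+'):
# date time s-ip method uri-stem uri-query s-port username c-ip user-agent
# referer sc-status sc-substatus win32-status time-taken x-forwarded-for
C_IP_INDEX = 8

# The trailing dotted quad. The same PCRE pattern could back a transforms.conf
# REGEX with FORMAT = c_ip::$1 (an assumption, not a stanza from the TA).
TRAILING_IP_RE = re.compile(r"(?P<fwd>(?:\d{1,3}\.){3}\d{1,3})\s*$")


def _is_ip(text):
    try:
        ip_address(text)
        return True
    except ValueError:
        return False


def extract_client_ip(event, load_balancers):
    """Return (c_ip as logged by IIS, effective client IP).

    When c-ip is one of our load balancers, the real client is the
    X-Forwarded-For value the balancer appended at the end of the line.
    For a comma-separated chain only the last address counts: it is the one
    our balancer wrote, earlier entries are whatever the client sent."""
    fields = event.split(" ")
    c_ip = fields[C_IP_INDEX]
    if c_ip not in load_balancers:
        return c_ip, c_ip  # direct connection: c-ip already is the client
    match = TRAILING_IP_RE.search(event)
    if match and _is_ip(match.group("fwd")):
        return c_ip, match.group("fwd")
    return c_ip, c_ip  # no usable forwarded address: keep what IIS logged


if __name__ == "__main__":
    print(extract_client_ip(SAMPLE_EVENT, {"192.168.1.10"}))
```

Whether the balancer writes its own entry last or first in the chain depends on the balancer's configuration, so check that before copying the "last address" rule into a production transform.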

corti77
Communicator

I created an extracted field called c_ip2 containing the last IP shown in the event and changed the query on the map. That approach worked, but this solution is not valid for other built-in dashboards that use macros, such as the Outlook Web Access dashboard, which uses the macro `client-ews-events`.

Also, I would not like to change the ITSI internals much, so I can easily upgrade it whenever needed.

So, my goal would be to fix the issue completely by keeping only the original c_ip field but with the correct external IP.

Any suggestions?

Many thanks.
