Splunk IT Service Intelligence

ITSI - Exchange - Dashboard - External Logins Map - wrong extraction of source IP (c_ip)

corti77
Communicator

Hi,

recently we deployed IT Essential Works with latest Exchange Content Pack. we also deployed the three addons for the Exchange  in the exchange nodes (including IIS and OWA logs).


Now we are in the process of validation of the ITSI dashboards, External Logins Map is one of them, and we realized that the extracted source IP (c_ip field) corresponds to our load balancer (XXX.XXX.XXX.XXX) instead of the remote host (IP shown at the end of the event).

below an example of exchange event that reach our splunk infra.

 

 

2021-10-08 12:22:31 XXX.XXX.XXX.XXX POST /Microsoft-Server-ActiveSync/default.eas Cmd=Ping&User=---%5n---&DeviceId=-------&DeviceType=Outlook&CorrelationID=<empty>;&cafeReqId=c586f22d-14cd-4449-be95-fe666b30c92e; 443 -------\----- 192.168.X.X Outlook-iOS-Android/1.0 - 200 0 0 181382 52.98.193.109

 

 

we use the official TA-Exchange-2013-Mailbox, TA-Exchange-ClientAccess and Ta-Windows-Exchange-IIS addons.

I found the definition of c_ip field in the transform.conf and props.conf in  the TA-Windows-Exchange-IIS, but I dont see any specific regex for its correct extraction. 

could someone tell me how to proceed to fix this parsing issue so the dashboards can show correct information?

many thanks

Labels (4)
Tags (1)
0 Karma

corti77
Communicator

I created a extracted field called c_ip2 containing the last IP shown in the event and I changed the query on the map. That approach worked but this solution is not valid for other built-in dashboards that use a macros such as Outlook Web Access dashboard which uses the macro `client-ews-events`.

Also, I would like to dont change much the ITSI internals so I can easily upgrade it whenever needed. 

So, my goal would be to fix the issue completely by keeping only the original c_ip field but with the correct external IP.

any suggestion?

many thanks

0 Karma
Get Updates on the Splunk Community!

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...