From 71106f7fa223b71c7060d3d5660f35e32e9d6e51 Mon Sep 17 00:00:00 2001
From: mstopa-splunk
Date: Thu, 22 Aug 2024 08:28:42 +0000
Subject: [PATCH 1/3] feat: load host IP from proxied source IP
---
 .../etc/conf.d/sources/source_syslog/plugin.jinja | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/package/etc/conf.d/sources/source_syslog/plugin.jinja b/package/etc/conf.d/sources/source_syslog/plugin.jinja
index 6f66009b9..bdb89ce2c 100644
--- a/package/etc/conf.d/sources/source_syslog/plugin.jinja
+++ b/package/etc/conf.d/sources/source_syslog/plugin.jinja
@@ -114,6 +114,13 @@ source s_{{ port_id }} {
 );
 };
 {%- endif %}
+
+ {%- if use_proxy_connect == True %}
+ rewrite {
+ set("$PROXIED_SRCIP", value("HOST") condition("$PROXIED_SRCIP" ne ""));
+ };
+ {%- endif %}
+
 if {
 if {
 parser {
@@ -391,6 +398,13 @@ source s_{{ port_id }} {
 {%- endif %}
 {%- endfor %}
 };
+
+ {%- if use_proxy_connect == True %}
+ rewrite {
+ set("$PROXIED_SRCIP", value("HOST") condition("$PROXIED_SRCIP" ne ""));
+ };
+ {%- endif %}
+
 {%- if vendor and product %}
 parser {
 p_set_netsource_fields(
From 1cbba5228092281a2b4ef148dcef79c9b8710822 Mon Sep 17 00:00:00 2001
From: mstopa-splunk
Date: Thu, 22 Aug 2024 14:52:29 +0000
Subject: [PATCH 2/3] Prevent overwriting hosts from logs
---
 package/etc/conf.d/conflib/_splunk/splunkfields.conf | 5 +++++
 package/etc/conf.d/sources/source_syslog/plugin.jinja | 4 ++--
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/package/etc/conf.d/conflib/_splunk/splunkfields.conf b/package/etc/conf.d/conflib/_splunk/splunkfields.conf
index ca0037f95..cd100f9c4 100644
--- a/package/etc/conf.d/conflib/_splunk/splunkfields.conf
+++ b/package/etc/conf.d/conflib/_splunk/splunkfields.conf
@@ -128,3 +128,8 @@ filter f_is_source_identified{
 filter f_is_agg{
 tags("agg");
 };
+
+filter f_is_proxy_ip{
+ "$HOST" eq "$SOURCEIP"
+ and "$PROXIED_SRCIP" ne ""
+ };
\ No newline at end of file
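Review bot: The added rewrite sets HOST from `$PROXIED_SRCIP`, a value that the connecting peer supplies in its PROXY protocol header (the series' own "Initializing PROXY protocol source driver" message points to that driver), and nothing in the block records that this is only sound when the listener is reachable solely from the trusted load balancer; add `{# PROXIED_SRCIP is taken from the peer's PROXY header - only enable on ports reachable only from the load balancer #}` above the `{%- if use_proxy_connect == True %}` line. The identical block is repeated in the second hunk at @@ -391; a Jinja macro or a named rewrite rule would keep the two copies from drifting. Whether `use_proxy_connect == True` ever matches depends on the variable being rendered as a boolean rather than a string; if that is not guaranteed by the template context, `{%- if use_proxy_connect %}` is the safer test, worth confirming. The enclosing `source s_{{ port_id }}` block starts and ends outside both hunks.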
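Review bot: The new filter f_is_proxy_ip carries no comment explaining the `"$HOST" eq "$SOURCEIP"` test, which is the condition that stops the rewrite in plugin.jinja from clobbering a hostname parsed out of the message; add `# true only while HOST is still the transport peer address (no hostname taken from the message) and a PROXY header supplied the real source` above the filter. The hunk also ends with `\ No newline at end of file` where the previous `};` of f_is_agg had one; restore the trailing newline so the next addition to this file does not produce a spurious diff. `eq` is a plain string comparison here, so it presumably relies on HOST and SOURCEIP being formatted identically when no hostname was parsed - confirm that holds for the listeners this is meant for.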
diff --git a/package/etc/conf.d/sources/source_syslog/plugin.jinja b/package/etc/conf.d/sources/source_syslog/plugin.jinja
index bdb89ce2c..346127c96 100644
--- a/package/etc/conf.d/sources/source_syslog/plugin.jinja
+++ b/package/etc/conf.d/sources/source_syslog/plugin.jinja
@@ -117,7 +117,7 @@ source s_{{ port_id }} {
 
 {%- if use_proxy_connect == True %}
 rewrite {
- set("$PROXIED_SRCIP", value("HOST") condition("$PROXIED_SRCIP" ne ""));
+ set("$PROXIED_SRCIP", value("HOST") condition(filter(f_is_proxy_ip)) );
 };
 {%- endif %}
 
@@ -401,7 +401,7 @@ source s_{{ port_id }} {
 
 {%- if use_proxy_connect == True %}
 rewrite {
- set("$PROXIED_SRCIP", value("HOST") condition("$PROXIED_SRCIP" ne ""));
+ set("$PROXIED_SRCIP", value("HOST") condition(filter(f_is_proxy_ip)) );
 };
 {%- endif %}
 
From 867f4bbd3c72726e1946625c15f2f155e005089f Mon Sep 17 00:00:00 2001
From: mstopa-splunk
Date: Fri, 23 Aug 2024 10:06:19 +0000
Subject: [PATCH 3/3] Prevent sending to the destination internal logs related to proxy
---
 package/etc/conf.d/sources/internal.conf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/package/etc/conf.d/sources/internal.conf b/package/etc/conf.d/sources/internal.conf
index 47bd35c98..af316aab3 100644
--- a/package/etc/conf.d/sources/internal.conf
+++ b/package/etc/conf.d/sources/internal.conf
@@ -114,6 +114,7 @@ source s_internal {
 or match("Syslog connection closed; fd=" value("MESSAGE"))
 or match("Syslog connection accepted; fd=" value("MESSAGE"))
 or match("xml-parser failed; " value("MESSAGE"))
+ or match("Initializing PROXY protocol source driver" value("MESSAGE"))
 };
 rewrite(r_set_dest_splunk_null_queue);
 };
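Review bot: The replacement line closes with `condition(filter(f_is_proxy_ip)) );`, leaving a stray space before the final parenthesis of set() that none of the other calls in the hunk have; write it as `set("$PROXIED_SRCIP", value("HOST") condition(filter(f_is_proxy_ip)));`. The same edit appears in the second hunk at @@ -401 and should be fixed there too. Now that the guard lives in f_is_proxy_ip in splunkfields.conf, this file no longer shows why the overwrite is conditional; a one-line `{# only replace HOST while it is still the proxy's address - see f_is_proxy_ip #}` above the rewrite keeps the two files readable together. The enclosing `source s_{{ port_id }}` block starts and ends outside the hunk.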
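Review bot: The added match() routes the "Initializing PROXY protocol source driver" line to the null queue, so after this change the destination no longer holds the one internal message that shows a listener is accepting a peer-asserted source address; that is an operator-visible signal worth keeping in mind before suppressing it. If it is dropped only to reduce noise, put a comment next to the line, `# suppressed as noise: PROXY protocol driver initialisation message; no alerting relies on it`, so the omission is deliberate rather than accidental - I cannot tell from the hunk whether the message is emitted once at startup or per connection, which affects how much is lost. Like its neighbours the pattern is applied to MESSAGE as a regular expression without anchoring, and the literal contains no metacharacters, so it matches as written. The filter and the enclosing `source s_internal` block both start outside the hunk.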