Hi,
We are forwarding some of our logs from Splunk to a third-party IBM QRadar environment. The third party is not able to see the actual source IP address of the logs; they only see our heavy forwarder IPs as the source. Is there something we can do in the Splunk configs to actually include this info as well?
Here are my configs:
**props.conf**
```ini
[pan*]
TRANSFORMS-routing=syslogRouting
#
[Win*]
TRANSFORMS-routing=syslogRouting2
```
**transforms.conf**
```ini
[syslogRouting]
REGEX=.
DEST_KEY=_SYSLOG_ROUTING
FORMAT=syslogGroup
[syslogRouting2]
REGEX=.
DEST_KEY=_SYSLOG_ROUTING
FORMAT=syslogGroup2
```
**outputs.conf**
```ini
[syslog:syslogGroup]
server = 1.2.3.4:514
sendCookedData = false
[syslog:syslogGroup2]
server = 5.6.7.8:514
sendCookedData = false
```
Thanks in advance!
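Added example (not part of the question above, and not Splunk's or QRadar's code) illustrating the point behind the question: with a `[syslog:...]` output, the transport-layer source of every datagram is the heavy forwarder, so the original device can only be recovered from the syslog header inside the payload. The script below plays the receiving side. It assumes the forwarded payload carries an RFC 3164-style `<PRI>timestamp host message` header, which is an assumption about what the forwarder emits; the function names, the constructed sample datagrams and the peer address `10.0.0.5` are all invented for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 3164-style header: "<PRI>Mon dd hh:mm:ss host message" (assumed forwarder format)
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>[^ ]+) "
    r"(?P<msg>.*)$",
    re.DOTALL,
)


@dataclass
class SyslogEvent:
    peer_ip: str              # transport-layer source: always the forwarder
    origin_host: str          # host named in the header, or peer_ip if there is none
    header_present: bool
    facility: Optional[int]
    severity: Optional[int]
    message: str


def parse_forwarded(peer_ip: str, payload: str) -> SyslogEvent:
    """Attribute one datagram. The peer address is recorded but never treated
    as the origin when a header names the real host."""
    m = _SYSLOG_RE.match(payload)
    if not m:
        # No header: the only attribution available is the forwarder itself.
        return SyslogEvent(peer_ip, peer_ip, False, None, None, payload)
    pri = int(m.group("pri"))
    if pri > 191:            # PRI is facility*8+severity, facility 0..23
        return SyslogEvent(peer_ip, peer_ip, False, None, None, payload)
    return SyslogEvent(
        peer_ip, m.group("host"), True, pri // 8, pri % 8, m.group("msg")
    )


def forwarder_only(events: List[SyslogEvent]) -> List[SyslogEvent]:
    """Events that can only be attributed to the forwarder, i.e. the case the
    question describes (QRadar sees the heavy forwarder IP as the source)."""
    return [e for e in events if not e.header_present]


# Constructed sample datagrams (peer address, payload); not real log data.
SAMPLE_DATAGRAMS: List[Tuple[str, str]] = [
    ("10.0.0.5", "<14>Jun 12 10:15:02 pan-fw-01 1,2024/06/12 10:15:01,TRAFFIC,allow,10.1.1.9,203.0.113.7"),
    ("10.0.0.5", "<13>Jun  5 09:01:17 win-dc-01 EventCode=4624 Logon_Type=3 Account_Name=svc_backup"),
    ("10.0.0.5", "EventCode=4625 Account_Name=admin Failure_Reason=bad password"),
]


def attribute_all(datagrams: List[Tuple[str, str]] = SAMPLE_DATAGRAMS) -> List[SyslogEvent]:
    return [parse_forwarded(peer, payload) for peer, payload in datagrams]


if __name__ == "__main__":
    events = attribute_all()
    for e in events:
        print(f"peer={e.peer_ip:<10} origin={e.origin_host:<10} header={e.header_present}")
    print(f"{len(forwarder_only(events))} event(s) attributable only to the forwarder")
```

Every datagram in the sample arrives from the same peer, yet two of the three resolve to the real device because the header names it. The third has no header and collapses onto the forwarder address, which is exactly what the third party reports seeing; the receiver cannot manufacture the origin from the network layer, so the forwarder must put it in the payload.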