feat: load host IP from proxied source IP (#2566)

mstopa-splunk · mstopa-splunk · commit f2df1cec2d77 · 2024-09-26T15:28:53.000+02:00
diff --git a/package/etc/conf.d/conflib/_splunk/splunkfields.conf b/package/etc/conf.d/conflib/_splunk/splunkfields.conf
@@ -128,3 +128,8 @@ filter f_is_source_identified{
 filter f_is_agg{
     tags("agg");
 };
+
+filter f_is_proxy_ip{
+    "$HOST" eq "$SOURCEIP"
+    and "$PROXIED_SRCIP" ne ""
+};
diff --git a/package/etc/conf.d/sources/internal.conf b/package/etc/conf.d/sources/internal.conf
@@ -114,6 +114,7 @@ source s_internal {
                     or match("Syslog connection closed; fd=" value("MESSAGE"))
                     or match("Syslog connection accepted; fd=" value("MESSAGE"))
                     or match("xml-parser failed; " value("MESSAGE"))
+                    or match("Initializing PROXY protocol source driver" value("MESSAGE"))
                 };
                 rewrite(r_set_dest_splunk_null_queue);
             };           
diff --git a/package/etc/conf.d/sources/source_syslog/plugin.jinja b/package/etc/conf.d/sources/source_syslog/plugin.jinja
@@ -114,6 +114,13 @@ source s_{{ port_id }} {
             );
         };
         {%- endif %}
+
+        {%- if use_proxy_connect == True %}
+            rewrite {
+                set("$PROXIED_SRCIP", value("HOST") condition(filter(f_is_proxy_ip)) );
+            };
+        {%- endif %}
+
         if {
             if {
                 parser {
@@ -396,6 +403,13 @@ source s_{{ port_id }} {
             {%- endif %}
             {%- endfor %}
         };
+
+        {%- if use_proxy_connect == True %}
+            rewrite {
+                set("$PROXIED_SRCIP", value("HOST") condition(filter(f_is_proxy_ip)) );
+            };
+        {%- endif %}
+
         {%- if vendor and product %}
         parser {
             p_set_netsource_fields(
