
Incorrect Source IP address #23

@kenperkins

Description

Splunk plugin v0.10.0, Fluentd-elasticsearch v2.2.0

We've got the following section in our output.conf:

<match *.kubernetes.**>
  @type copy
  # First destination: Elasticsearch
  <store>
    @id elasticsearch
    @type elasticsearch
    @log_level info
    type_name fluentd
    include_tag_key true
    host elasticsearch-logging
    port 9200
    logstash_format true
  </store>
  # Second destination: Splunk over raw TCP
  <store>
    @type splunk_tcp
    host 1.2.3.4
    port 10524
    format json
    flush_interval 10s
  </store>
</match>

On the Splunk side, the source IP address is the same address listed as `host` in output.conf.

What am I doing wrong?

Splunk Excerpt

Jun 17 14:38:55 1.2.3.4
{
  "time":1560796725,
  "log":"2019-06-17 18:38:45.952 [INFO][77] ipsets.go 253: Resyncing ipsets with dataplane. family=\"inet\"\n",
  "stream":"stdout",
  "docker": {
    "container_id":"xxx"
  },
  "kubernetes": {
    "container_name":"calico-node",
    "namespace_name":"kube-system",
    "pod_name":"calico-node-sblhz",
    "container_image":"quay.io/calico/node:v3.1.3",
    "container_image_id":"docker-pullable://quay.io/calico/node@sha256:xxx",
    "pod_id":"xxx",
    "labels": {
      "controller-revision-hash":"3519718735",
      "k8s-app":"calico-node",
      "pod-template-generation":"1"
    },
    "host":"splunk-4-k8s-node-nf-1",
    "master_url":"https://10.3.0.1:443/api",
    "namespace_id":"0a525f10-8e0e-11e9-b699-fa163e2c9676"
  }
}
