fluent-plugin-splunk

Incorrect Source IP address

Open kenperkins opened this issue 6 years ago • 0 comments

Splunk plugin v0.10.0, Fluentd-elasticsearch v2.2.0

We've got the following section in our output.conf:

<match *.kubernetes.**>
  @type copy
  <store>
    @id elasticsearch
    @type elasticsearch
    @log_level info
    type_name fluentd
    include_tag_key true
    host elasticsearch-logging
    port 9200
    logstash_format true
  </store>
  <store>
    @type splunk_tcp
    host 1.2.3.4
    port 10524
    format json
    flush_interval 10s
  </store>
</match>

On the Splunk side, the source IP address is the same address listed as host in the output.conf.

What am I doing wrong?

Splunk Excerpt

Jun 17 14:38:55 1.2.3.4
{
  "time":1560796725,
  "log":"2019-06-17 18:38:45.952 [INFO][77] ipsets.go 253: Resyncing ipsets with dataplane. family=\"inet\"\n",
  "stream":"stdout",
  "docker": {
    "container_id":"xxx"
  },
  "kubernetes": {
    "container_name":"calico-node",
    "namespace_name":"kube-system",
    "pod_name":"calico-node-sblhz",
    "container_image":"quay.io/calico/node:v3.1.3",
    "container_image_id":"docker-pullable://quay.io/calico/node@sha256:xxx",
    "pod_id":"xxx",
    "labels": {
      "controller-revision-hash":"3519718735",
      "k8s-app":"calico-node",
      "pod-template-generation":"1"
    },
    "host":"splunk-4-k8s-node-nf-1",
    "master_url":"https://10.3.0.1:443/api",
    "namespace_id":"0a525f10-8e0e-11e9-b699-fa163e2c9676"
  }
}

kenperkins, Jun 17 '19 21:06
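An added example, not part of the original issue or of either plugin: in the excerpt above the header line carries `1.2.3.4` while the record's `kubernetes.host` field names the node, so this sketch parses one such event and compares the two for source attribution. The function names `parse_event` and `attribution` are hypothetical, and `SAMPLE` is a trimmed copy of the excerpt.

```python
import json
import re

# Header line as it appears in the excerpt: "<Mon DD HH:MM:SS> <host>"
HEADER = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(?P<host>\S+)\s*$")

# Trimmed copy of the excerpt on this page (raw string keeps the JSON escapes).
SAMPLE = r'''Jun 17 14:38:55 1.2.3.4
{
  "time":1560796725,
  "log":"2019-06-17 18:38:45.952 [INFO][77] ipsets.go 253: Resyncing ipsets with dataplane. family=\"inet\"\n",
  "stream":"stdout",
  "kubernetes": {
    "container_name":"calico-node",
    "namespace_name":"kube-system",
    "pod_name":"calico-node-sblhz",
    "host":"splunk-4-k8s-node-nf-1"
  }
}'''


def parse_event(text):
    """Return (header_host, record); header_host is None when no header line is present."""
    first, _, rest = text.lstrip().partition("\n")
    m = HEADER.match(first)
    body = rest if m else text
    try:
        record, _ = json.JSONDecoder().raw_decode(body.lstrip())
    except json.JSONDecodeError as exc:
        raise ValueError(f"event body is not JSON: {exc}") from None
    if not isinstance(record, dict):
        raise ValueError("event body is not a JSON object")
    return (m.group("host") if m else None), record


def attribution(text):
    """Compare the host on the header line with the origin recorded in the payload."""
    header_host, record = parse_event(text)
    k8s = record.get("kubernetes")
    if not isinstance(k8s, dict):
        k8s = {}
    node = k8s.get("host")
    keys = ("namespace_name", "pod_name", "container_name")
    return {
        "header_host": header_host,
        "origin_node": node,
        "workload": "/".join(str(k8s.get(k, "?")) for k in keys),
        # Only a mismatch when both values exist and disagree.
        "mismatch": None not in (header_host, node) and header_host != node,
    }


if __name__ == "__main__":
    print(attribution(SAMPLE))
```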