From 538be9b030cab9d16058477990e7f68657c4dfc1 Mon Sep 17 00:00:00 2001
From: mstopa-splunk <139441697+mstopa-splunk@users.noreply.github.com>
Date: Thu, 26 Sep 2024 10:47:30 +0200
Subject: [PATCH] feat: load host IP from proxied source IP (#2566)

---
 .../etc/conf.d/conflib/_splunk/splunkfields.conf | 5 +++++
 package/etc/conf.d/sources/internal.conf | 1 +
 .../etc/conf.d/sources/source_syslog/plugin.jinja | 14 ++++++++++++++
 3 files changed, 20 insertions(+)

diff --git a/package/etc/conf.d/conflib/_splunk/splunkfields.conf b/package/etc/conf.d/conflib/_splunk/splunkfields.conf
index ca0037f95c..cd100f9c41 100644
--- a/package/etc/conf.d/conflib/_splunk/splunkfields.conf
+++ b/package/etc/conf.d/conflib/_splunk/splunkfields.conf
@@ -128,3 +128,8 @@ filter f_is_source_identified{
 filter f_is_agg{
 tags("agg");
 };
+
+filter f_is_proxy_ip{
+ "$HOST" eq "$SOURCEIP"
+ and "$PROXIED_SRCIP" ne ""
+};
\ No newline at end of file
diff --git a/package/etc/conf.d/sources/internal.conf b/package/etc/conf.d/sources/internal.conf
index 47bd35c981..af316aab30 100644
--- a/package/etc/conf.d/sources/internal.conf
+++ b/package/etc/conf.d/sources/internal.conf
@@ -114,6 +114,7 @@ source s_internal {
 or match("Syslog connection closed; fd=" value("MESSAGE"))
 or match("Syslog connection accepted; fd=" value("MESSAGE"))
 or match("xml-parser failed; " value("MESSAGE"))
+ or match("Initializing PROXY protocol source driver" value("MESSAGE"))
 };
 rewrite(r_set_dest_splunk_null_queue);
 };
diff --git a/package/etc/conf.d/sources/source_syslog/plugin.jinja b/package/etc/conf.d/sources/source_syslog/plugin.jinja
index ff6da08a15..b382d11856 100644
--- a/package/etc/conf.d/sources/source_syslog/plugin.jinja
+++ b/package/etc/conf.d/sources/source_syslog/plugin.jinja
@@ -114,6 +114,13 @@ source s_{{ port_id }} {
 );
 };
 {%- endif %}
+
+ {%- if use_proxy_connect == True %}
+ rewrite {
+ set("$PROXIED_SRCIP", value("HOST") condition(filter(f_is_proxy_ip)) );
+ };
+ {%- endif %}
+
 if {
 if {
 parser {
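Review bot: `f_is_proxy_ip` carries no comment saying what its two conditions mean, and its purpose is only recoverable by finding the rewrite in plugin.jinja that references it. I would add above the filter: `# matches when $HOST is still the TCP peer address (presumably no hostname was parsed from the message) and the connection carried a PROXY-protocol source IP`, keeping the "presumably" unless the macro defaulting behaviour is confirmed. The file also ends without a trailing newline after `};`, as the diff marks; restoring it avoids the next appended filter fusing onto this line.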
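Review bot: The new `match("Initializing PROXY protocol source driver" value("MESSAGE"))` routes that message to `r_set_dest_splunk_null_queue`, which by its name presumably discards it, so the internal log loses the one startup indication visible on this page that a listener will accept PROXY headers and rewrite `$HOST` from them. Unlike the connection-accepted/closed lines around it, this fires once per listener at startup rather than per connection, so it is cheap to keep; if it is deliberately dropped, a comment such as `# startup notice only; suppressed with the other connection noise` would record that choice. The match is otherwise consistent with the sibling lines in relying on the default pattern type.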
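Review bot: The added rewrite replaces `$HOST` with `$PROXIED_SRCIP` whenever `f_is_proxy_ip` matches, and as far as this page shows `$PROXIED_SRCIP` is populated from the PROXY-protocol header sent by whichever peer connected, so with `use_proxy_connect` enabled the host attribution of events becomes whatever that peer asserts. That is the intended behaviour behind a trusted load balancer, but nothing in the template ties the option to a listener only the proxy can reach; a comment such as `{# $PROXIED_SRCIP is peer-asserted: enable only on listeners reachable solely from the trusted proxy #}` would record the assumption, and the same constraint belongs in the documentation of the `use_proxy_connect` option. `{%- if use_proxy_connect == True %}` also compares strictly against the boolean, so a value arriving as the string "true" or "True" would silently skip the block; I cannot see from this hunk how the variable is set, but if it can come from an environment string, `{%- if use_proxy_connect %}` with normalisation where the variable is defined is safer. The identical block is added again in the second hunk of this file (`@@ -396,6 +403,13 @@`), so the same points apply there, and a Jinja macro or include would avoid maintaining two copies. The enclosing `source s_{{ port_id }}` block starts and ends outside the hunk.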
@@ -396,6 +403,13 @@ source s_{{ port_id }} {
 {%- endif %}
 {%- endfor %}
 };
+
+ {%- if use_proxy_connect == True %}
+ rewrite {
+ set("$PROXIED_SRCIP", value("HOST") condition(filter(f_is_proxy_ip)) );
+ };
+ {%- endif %}
+
 {%- if vendor and product %}
 parser {
 p_set_netsource_fields(