I am attempting to whitelist a range of IP addresses in my serverclass.conf but it doesn't seem to be working. This is the regex that I came up with to match IP Addresses between 10.0.0.0 and 10.49.255.255.
[serverClass:pcforwarders]
whitelist.0=10.([0-9]|[0-4][0-9]).[0-9]{1,3}.[0-9]{1,3}
blacklist.0=10.255.26.*
[serverClass:pcforwarders:app:pcforwardersconfigs]
stateOnClient=enabled
restartSplunkd=true
[serverClass:pcforwarders:app:pclogcollection]
stateOnClient=enabled
restartSplunkd=true
AFAIK, You can't use a regex in a serverclass.conf whitelist. The spec file does not show this as being valid.
http://docs.splunk.com/Documentation/Splunk/latest/admin/Serverclassconf
whitelist.<n> = <clientName> | <ip address> | <hostname>
blacklist.<n> = <clientName> | <ip address> | <hostname>
* 'n' is a number starting at 0, and increasing by 1. Stop looking at the filter when 'n' breaks.
* The value of this attribute is matched against several things in order:
* Any clientName specified by the client in its deploymentclient.conf file
* The ip address of the connected client
* The hostname of the connected client as provided by reverse DNS lookup
* The hostname of the client as provided by the client
* All of these can be used with wildcards. * will match any sequence of characters. For example:
* Match an network range: 10.1.1.*
* Match a domain: *.splunk.com
* These patterns are PCRE regular expressions with the additional mappings:
* '.' is mapped to '\.'
* '*' is mapped to '.*'
* Can be overridden at the serverClass level, and the serverClass:app level.
* There are no whitelist or blacklist entries by default.
I have chatted with some folks who say PCRE is fine - now i just need to go test it!
notice: with the additional mappings. Meaning, it is a regex, but not PCRE compliant, which means I think you're going to run into unexpected behaviors trying to use PCRE straight up in the conf file.
Perhaps I misunderstand what this line means "These patterns are PCRE regular expressions..."
I am not sure what your question is, exactly, but here is a great reference for regular expressions. I've linked to the page with an example for IP addresses.
http://www.regular-expressions.info/examples.html
Specifically, I think the following would match what you want:
10\.[0-4]?[0-9]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)