Whitelist IP Ranges in serverclass.conf

rmcdougal
Path Finder

I am attempting to whitelist a range of IP addresses in my serverclass.conf but it doesn't seem to be working. This is the regex that I came up with to match IP Addresses between 10.0.0.0 and 10.49.255.255.

[serverClass:pcforwarders]
whitelist.0=10.([0-9]|[0-4][0-9]).[0-9]{1,3}.[0-9]{1,3}
blacklist.0=10.255.26.*

[serverClass:pcforwarders:app:pcforwardersconfigs]
stateOnClient=enabled
restartSplunkd=true

[serverClass:pcforwarders:app:pclogcollection]
stateOnClient=enabled
restartSplunkd=true

jbsplunk
Splunk Employee

AFAIK, you can't use a regex in a serverclass.conf whitelist. The spec file does not show this as being valid.

http://docs.splunk.com/Documentation/Splunk/latest/admin/Serverclassconf

whitelist.<n> = <clientName> | <ip address> | <hostname>
blacklist.<n> = <clientName> | <ip address> | <hostname>
    * 'n' is a number starting at 0, and increasing by 1. Stop looking at the filter when 'n' breaks.
    * The value of this attribute is matched against several things in order:
         * Any clientName specified by the client in its deploymentclient.conf file
         * The ip address of the connected client
         * The hostname of the connected client as provided by reverse DNS lookup
         * The hostname of the client as provided by the client
    * All of these can be used with wildcards.  * will match any sequence of characters.  For example:
        * Match an network range: 10.1.1.*
        * Match a domain: *.splunk.com
    * These patterns are PCRE regular expressions with the additional mappings:
        * '.' is mapped to '\.'
        * '*' is mapped to '.*'
    * Can be overridden at the serverClass level, and the serverClass:app level.
    * There are no whitelist or blacklist entries by default.

lguinn2
Legend

I have chatted with some folks who say PCRE is fine - now I just need to go test it!

0 Karma

jbsplunk
Splunk Employee

Notice: with the additional mappings. Meaning, it is a regex, but not PCRE compliant, which means I think you're going to run into unexpected behaviors trying to use PCRE straight up in the conf file.

0 Karma

lguinn2
Legend

Perhaps I misunderstand what this line means "These patterns are PCRE regular expressions..."

0 Karma

lguinn2
Legend

I am not sure what your question is, exactly, but here is a great reference for regular expressions. I've linked to the page with an example for IP addresses.

http://www.regular-expressions.info/examples.html

Specifically, I think the following would match what you want:

10\.[0-4]?[0-9]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)

0 Karma
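
Added example (not from any poster in this thread and not Splunk's code): a Python model of the two mappings listed in the quoted spec, applied to both patterns posted above, plus a regex-free set of wildcard entries covering the same range. It assumes the mappings are plain text substitutions, that the mapped pattern must match the whole value, and that Python's `re` behaves like PCRE for these patterns; the helper names are hypothetical.

```python
import re

# Patterns copied from the thread.
ASKER = "10.([0-9]|[0-4][0-9]).[0-9]{1,3}.[0-9]{1,3}"
PRE_ESCAPED = (r"10\.[0-4]?[0-9]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
               r"\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)")


def apply_spec_mappings(pattern):
    """'.' -> '\\.' then '*' -> '.*', as listed in the quoted spec.

    Assumption: plain text substitution over the whole value.
    """
    return pattern.replace(".", r"\.").replace("*", ".*")


def filter_matches(pattern, value):
    """Assumption: the mapped pattern has to match the entire value."""
    return re.fullmatch(apply_spec_mappings(pattern), value) is not None


def wildcard_entries(first, last, start_n=0):
    """Regex-free alternative: one 10.<octet>.* entry per second octet.

    Numbering is consecutive because the spec stops reading when 'n' breaks.
    """
    return [f"whitelist.{start_n + i} = 10.{octet}.*"
            for i, octet in enumerate(range(first, last + 1))]


if __name__ == "__main__":
    # Constructed sample client addresses.
    samples = ["10.0.0.1", "10.49.255.255", "10.50.0.1", "10.255.26.7"]
    for name, pat in (("asker", ASKER), ("pre-escaped", PRE_ESCAPED)):
        print(name, "->", apply_spec_mappings(pat))
        for ip in samples:
            print("   ", ip, filter_matches(pat, ip))
    print("\n".join(wildcard_entries(0, 49)[:3]), "...")
```

Under these assumptions a dot that is already escaped turns into `\\.` (a literal backslash followed by any character), so the pre-escaped pattern matches no address, while the unescaped pattern matches exactly the second octets 0 through 49. Check the result against a real deployment server before relying on either form.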