So I seem to be having an issue with blacklists and whitelists.
I've got the following configured below, but for some reason, my prod_forwarder
keeps getting configs for other environments.
I'm trying to blacklist the specific indexers/sh/heavy fwd for each 'environment' and only have each environment pull down its respective configs, notably their specific outputs.conf file.
Help.... ?
Let's take my prod env for example:
[serverClass:prod_forwarder]
filterType = blacklist
blacklist.0 = *
blacklist.1 = 10.1.5.169
blacklist.2 = 10.1.5.170
whitelist.0 = 10.1.*.*
This config for some reason also pulls down the dqp and the bak below.
[serverClass:bak_forwarder]
filterType = blacklist
blacklist.0 = *
blacklist.1 = 10.4.5.169
blacklist.2 = 10.4.5.169
whitelist.0 = 10.4.*.*
[serverClass:bak-forwarder:app:bak-forwarder_outputs]
restartSplunkd = True
^^ this will get loaded to prod and dqp environments, where it should not be
[serverClass:dqp_forwarder]
filterType = blacklist
blacklist.0 = *
blacklist.1 = 10.2.5.*
blacklist.2 = 10.1.*.*
blacklist.3 = 10.4.*.*
whitelist.0 = 10.6.*.*
whitelist.1 = 10.7.*.*
whitelist.2 = 10.8.*.*
whitelist.3 = 10.9.*.*
[serverClass:dqp-forwarder:app:dqp-forwarder_outputs]
restartSplunkd = True
^^ gets loaded onto prod and bak
What happens if you apply the same rules to the app?
[serverClass:dqp_forwarder]
filterType = blacklist
blacklist.0 = Blank?
blacklist.1 = 10.2.5.*
blacklist.2 = 10.1.*.*
blacklist.3 = 10.4.*.*
whitelist.0 = 10.6.*.*
whitelist.1 = 10.7.*.*
whitelist.2 = 10.8.*.*
whitelist.3 = 10.9.*.*
[serverClass:dqp-forwarder:app:dqp-forwarder_outputs]
filterType = blacklist
blacklist.0 = Blank?
blacklist.1 = 10.2.5.*
blacklist.2 = 10.1.*.*
blacklist.3 = 10.4.*.*
whitelist.0 = 10.6.*.*
whitelist.1 = 10.7.*.*
whitelist.2 = 10.8.*.*
whitelist.3 = 10.9.*.*
restartSplunkd = True
Glad you got your issue solved @emalenfant 🙂 I converted @cramasta's response to an answer. Please be sure to accept their answer so people with similar issues/questions will refer to this post for help. Thanks!
Patrick
I self-corrected the issue with the following solution, as indicated by cramasta:
[serverClass:cira_prod_forwarder]
filterType = whitelist
blacklist.0 = 10.2.5.164
blacklist.1 = 10.2.5.166
blacklist.2 = 10.2.5.169
blacklist.3 = 10.2.5.170
blacklist.4 = 10.4.5.169
blacklist.5 = 10.1.5.169
blacklist.6 = 10.1.5.170
whitelist.0 = 10.1.0.*
whitelist.1 = 10.1.5.*
whitelist.2 = 10.1.35.*
whitelist.3 = 10.1.36.*
whitelist.4 = 10.1.53.*
whitelist.5 = 10.1.80.*
whitelist.6 = 10.1.90.*
whitelist.7 = 10.1.91.*
whitelist.8 = 10.1.153.*
whitelist.9 = 10.1.91.*
I'll try that now.
As for the blacklist.0, it does = *
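Added example (not code from any poster in this thread, and not Splunk's own): a small evaluator for the `filterType` rules documented in `serverclass.conf.spec`, run against the original `prod_forwarder` filter and a subset of the `cira_prod_forwarder` fix. It assumes matching on client IP only, uses Python's `fnmatch` as a stand-in for Splunk's `*` wildcard, and covers a single serverclass-level filter, not app-level stanzas.

```python
from fnmatch import fnmatchcase


def matches_stanza(ip, filter_type, whitelist, blacklist):
    """Return True if a client IP matches a stanza under the documented rules."""
    in_white = any(fnmatchcase(ip, p) for p in whitelist)
    in_black = any(fnmatchcase(ip, p) for p in blacklist)
    if filter_type == "whitelist":
        # Nothing matches by default; a blacklist hit always excludes.
        return in_white and not in_black
    if filter_type == "blacklist":
        # Everything matches by default; a blacklist hit excludes only
        # when no whitelist entry also matches, so whitelist wins.
        return in_white or not in_black
    raise ValueError("filterType must be 'whitelist' or 'blacklist'")


# Filter from the question's [serverClass:prod_forwarder] stanza.
ORIGINAL_PROD = dict(
    filter_type="blacklist",
    whitelist=["10.1.*.*"],
    blacklist=["*", "10.1.5.169", "10.1.5.170"],
)

# Subset of the entries from the [serverClass:cira_prod_forwarder] fix.
FIXED_PROD = dict(
    filter_type="whitelist",
    whitelist=["10.1.0.*", "10.1.5.*", "10.1.35.*"],
    blacklist=["10.1.5.169", "10.1.5.170", "10.4.5.169"],
)

# Sample clients; the .20 addresses are constructed for illustration.
CLIENTS = {
    "10.1.5.20": "prod forwarder (constructed)",
    "10.1.5.169": "prod host listed in the blacklist",
    "10.4.5.20": "bak forwarder (constructed)",
}


def evaluate(stanza):
    """Map each sample client IP to whether the stanza would select it."""
    return {ip: matches_stanza(ip, **stanza) for ip in CLIENTS}


if __name__ == "__main__":
    for name, stanza in (("original", ORIGINAL_PROD), ("fixed", FIXED_PROD)):
        for ip, selected in evaluate(stanza).items():
            print(f"{name:8} {ip:12} {CLIENTS[ip]:36} selected={selected}")
```

Under `filterType = blacklist` the per-host blacklist entries have no effect on `10.1.5.169`, because the `10.1.*.*` whitelist entry overrides them; under `filterType = whitelist` the same host is excluded.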