Getting Data In

Is there a way to whitelist which forwarded logs are indexed on the indexer based on the host they are from?

jhahnpewpew
New Member

I'm looking to monitor logs that are forwarded with the universal forwarder, but I do not want it from all machines. Due to the way our systems are deployed, all the machines would have the forwarder set up and configured on them. Is it possible on the Splunk server to whitelist just the machines I want logs from?

Thanks.

0 Karma

rsennett_splunk
Splunk Employee

The best way would be to use the Deployment Server and have the UFs configured properly to just connect with the DS automatically and allow you to push the configurations you want. Even if a machine comes up that you DO want to collect from, you still need to add configuration to the forwarder to collect data properly.

That said, you could try this for now:
inputs.conf on the indexer

# Receiving stanza for data sent by universal forwarders (cooked data arrives on
# the splunktcp input, not the raw tcp:// input). acceptFrom restricts which
# source hosts or networks may connect to this port.
[splunktcp://9997]
acceptFrom =

acceptFrom = <network_acl> ...
* Lists a set of networks or addresses to accept connections from.  These rules are separated by commas or spaces
* Each rule can be in the following forms:
*   1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")
*   2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32")
*   3. A DNS name, possibly with a '*' used as a wildcard (examples: "myhost.example.com", "*.splunk.com")
*   4. A single '*' which matches anything
* Entries can also be prefixed with '!' to cause the rule to reject the
  connection.  Rules are applied in order, and the first one to match is
  used.  For example, "!10.1/16, *" will allow connections from everywhere
  except the 10.1.*.* network.
* Defaults to "*" (accept from anywhere)

It's a list you would have to maintain... basically listing all the ones you want specifically. But that is most likely going to be a random smattering, so you won't be able to wildcard, etc.

You need something to manage the forwarders. Whether it is the Deployment Server, Chef, Puppet or whatever... something has to control them. Or you need to get that initial base configuration done properly so that the UF is installed but it is not sending automagically...

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
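The acceptFrom spec quoted in the answer above leaves the ordering semantics ("first rule to match wins", "!" rejects, short-form CIDR blocks like "10.1/16") to the reader. The following is an added example, not part of the original answer or of Splunk's own code: a small evaluator that applies those rules to a connecting address so you can check an allowlist before deploying it. The ACL string and host addresses are constructed, and two points are assumptions rather than anything the page states: the hostname used for DNS-name rules is passed in by the caller (Splunk resolves it itself), and a non-empty list in which no rule matches is treated as a reject.

```python
"""Evaluate a Splunk-style acceptFrom network ACL (added example, not Splunk code)."""
import fnmatch
import ipaddress

# Constructed example ACL: two named hosts, one subnet, one DNS wildcard,
# and a trailing "!*" so that anything not listed explicitly is rejected.
EXAMPLE_ACL = "10.1.2.3, fe80::4a3, 10.20/16, *.trusted.example.com, !*"


def parse_acl(acl):
    """Split an acceptFrom value into (reject, pattern) rules, in order.

    Rules are separated by commas or whitespace; a leading '!' marks a reject rule.
    """
    tokens = acl.replace(",", " ").split()
    rules = []
    for tok in tokens:
        reject = tok.startswith("!")
        pattern = tok[1:] if reject else tok
        if pattern:
            rules.append((reject, pattern))
    return rules


def _to_network(pattern):
    """Return an ip_network for a single address or a (possibly abbreviated) CIDR
    block such as "10/8", "10.1/16" or "fe80:1234/32"; return None for anything
    else (DNS names, '*')."""
    try:
        if "/" in pattern:
            prefix, length = pattern.split("/", 1)
            if ":" in prefix:
                # IPv6 short form: "fe80:1234" -> "fe80:1234::"
                if "::" not in prefix:
                    prefix += "::"
            else:
                # IPv4 short form: "10.1" -> "10.1.0.0"
                octets = prefix.split(".")
                prefix = ".".join(octets + ["0"] * (4 - len(octets)))
            return ipaddress.ip_network(f"{prefix}/{length}", strict=False)
        # A bare address becomes a /32 or /128 network.
        return ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return None


def is_accepted(acl, addr, hostname=None):
    """Decide whether a connection from `addr` is accepted under `acl`.

    Rules are applied in order and the first match decides. An empty ACL means
    the default "*" (accept from anywhere). `hostname` is the reverse-DNS name of
    the peer, supplied by the caller here (assumption: Splunk resolves it itself).
    If no rule matches a non-empty ACL the connection is rejected (assumption).
    """
    ip = ipaddress.ip_address(addr)
    rules = parse_acl(acl)
    if not rules:
        return True
    for reject, pattern in rules:
        if pattern == "*":
            hit = True
        else:
            net = _to_network(pattern)
            if net is not None:
                hit = ip.version == net.version and ip in net
            else:
                # DNS-name rule, '*' acts as a wildcard; case-insensitive.
                hit = hostname is not None and fnmatch.fnmatchcase(
                    hostname.lower(), pattern.lower()
                )
        if hit:
            return not reject
    return False


if __name__ == "__main__":
    for peer, name in [("10.1.2.3", None), ("10.1.2.4", None),
                       ("192.168.1.1", "uf01.trusted.example.com")]:
        print(peer, name, "->", "accept" if is_accepted(EXAMPLE_ACL, peer, name) else "reject")
```

The order matters: a rule such as "!10.1/16, *" blocks one network and accepts everything else, while the same entries reversed ("*, !10.1/16") accept everything because "*" matches first. Running the evaluator over the list of forwarder addresses you expect is a cheap way to catch that kind of mistake before the indexer starts turning away hosts you wanted.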

rsennett_splunk
Splunk Employee

When the UF is installed and configured, is it configured with a deploymentclient.conf? Because if they are all phoning home to the Deployment Server (Forwarder Management), you can send out an outputs.conf that will override what's in the base config and control what is actually sending stuff somewhere and what is not. That would be the most efficient way to manage them... So rather than turning them away... you'll tell them what to do.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

jhahnpewpew
New Member

We are not using a deployment server for forwarder management at the moment.

0 Karma