Getting Data In

How do I stop forwarding the _audit index?

jeromep83
Engager

Hi,

I'm trying to stop forwarding _audit index.
I put in my outputs.conf the following lines:

[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.filter.disable = false

It should block all indexes beginning with "_". Am i right ?
It doesn’t work because I am still seeing forwarded audit logs:

Audit:[timestamp=07-06-2015 16:46:14.900, user=splunk-system-user, action=search, info=completed, search_id='SummaryDirector_1436193945.3', total_run_time=0.01, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1436193945, api_et=N/A, api_lt=N/A, search_et=N/A, search_lt=N/A, is_realtime=0, savedsearch_name=""][n/a]

Do you know how to stop it ?

Thanks for your time,

0 Karma
1 Solution

matts1234
Engager

You are most likely running into an issue with how Splunk deals with its whitelist and blacklist. Below are the default settings which are causing your conflict, pulled from: etc/system/default/outputs.conf

[tcpout]
...
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection)
forwardedindex.filter.disable = false

The rules above dictate: rule #1( forwardedindex.1.blacklist = .* ) does successfully block all indexes that begin with an ""; however, rule #2 ( forwardedindex.2.whitelist = (_audit|_internal|_introspection) ) then tells Splunk to overwrites rule #1 for those particular indexes.

The easiest way to solve your issue would be to set your custom outputs.conf to one of the two below:

Rewrite rule #2 to remove _audit:

[tcpout]
forwardedindex.2.whitelist = (_internal|_introspection)

Add a new rule #3 re-enforcing the blacklist of _audit:

[tcpout]
forwardedindex.3.blacklist = _audit

Either one of these should work. Cheers!

View solution in original post

0 Karma

matts1234
Engager

You are most likely running into an issue with how Splunk deals with its whitelist and blacklist. Below are the default settings which are causing your conflict, pulled from: etc/system/default/outputs.conf

[tcpout]
...
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection)
forwardedindex.filter.disable = false

The rules above dictate: rule #1( forwardedindex.1.blacklist = .* ) does successfully block all indexes that begin with an ""; however, rule #2 ( forwardedindex.2.whitelist = (_audit|_internal|_introspection) ) then tells Splunk to overwrites rule #1 for those particular indexes.

The easiest way to solve your issue would be to set your custom outputs.conf to one of the two below:

Rewrite rule #2 to remove _audit:

[tcpout]
forwardedindex.2.whitelist = (_internal|_introspection)

Add a new rule #3 re-enforcing the blacklist of _audit:

[tcpout]
forwardedindex.3.blacklist = _audit

Either one of these should work. Cheers!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...