Hi Everyone
I need to know whether it is possible to filter out an IP address that is sending syslogs into Splunk using TCP port 514 as input.
Is there any configuration that needs to be done on the Splunk side to filter out that IP, or does it require blocking from the network device end that sends logs to Splunk?
Please let me know.
Thanks
Hi OMohi,
Yes, you can filter out unwanted events by using this guide http://docs.splunk.com/Documentation/Splunk/6.3.0/Forwarding/Routeandfilterdatad#Filter_event_data_a...
Here is an example (untested) of the props.conf and transforms.conf needed on the indexer:
props.conf
[source::tcp:514]
# Transforms run in the order listed and a later match overwrites DEST_KEY,
# so setnull must come last; listed first, setparsing would put every event
# (including the unwanted host's) back into indexQueue.
TRANSFORMS-send_to_nullQueue = setparsing,setnull
transforms.conf
[setnull]
# MetaData:Host holds the value as host::<hostname>; replace the placeholder
# with the unwanted sender and escape the dots of an IP address (\.)
REGEX = host::<ip-of-unwanted-host>
SOURCE_KEY = MetaData:Host
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
# matches every event (SOURCE_KEY defaults to _raw) and keeps it for indexing
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue
Hope this helps to get you started, and don't forget: it will only drop new events from the IP, and will only work after a Splunk restart.
Just my 2 cents: best thing to do here: stop the source from sending 😉
cheers, MuS
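To see why the order of the two transforms matters before restarting an indexer, here is a small added simulation of how a TRANSFORMS list routes an event (this is illustrative code written for this page, not Splunk's own code or MuS's configuration). It assumes Splunk's documented behaviour: transforms run in list order, a transform whose REGEX matches its SOURCE_KEY writes FORMAT into DEST_KEY, a later write overwrites an earlier one, SOURCE_KEY defaults to _raw, MetaData:Host carries the value as host::<hostname>, and an unmodified TCP 514 input records the sender's IP as the host. The IP 10.0.0.25 and the sample events are constructed.

```python
import re

# Constructed transforms.conf stanzas, mirroring the shape of the answer above.
TRANSFORMS = {
    "setnull": {
        "REGEX": r"host::10\.0\.0\.25$",   # constructed unwanted sender, dots escaped
        "SOURCE_KEY": "MetaData:Host",
        "DEST_KEY": "queue",
        "FORMAT": "nullQueue",
    },
    "setparsing": {
        "REGEX": r".",                      # matches every event
        "SOURCE_KEY": "_raw",               # Splunk's default when SOURCE_KEY is omitted
        "DEST_KEY": "queue",
        "FORMAT": "indexQueue",
    },
}

# Constructed syslog events as they would arrive on tcp:514; host is the sender IP.
EVENTS = [
    {"host": "10.0.0.25",  "_raw": "<134>Jan 10 12:00:01 fw01 noisy debug line"},
    {"host": "10.0.0.250", "_raw": "<134>Jan 10 12:00:02 fw02 accepted connection"},
    {"host": "10.0.0.7",   "_raw": "<134>Jan 10 12:00:03 sw01 link up"},
]


def route_event(event, order):
    """Return the queue an event ends up in after applying transforms in `order`.

    Models Splunk's parsing pipeline: the event starts in indexQueue, and each
    matching transform overwrites DEST_KEY, so the last match wins.
    """
    keys = {
        "_raw": event["_raw"],
        "MetaData:Host": "host::" + event["host"],
        "queue": "indexQueue",
    }
    for name in order:
        t = TRANSFORMS[name]
        source = keys[t.get("SOURCE_KEY", "_raw")]
        if re.search(t["REGEX"], source):
            keys[t["DEST_KEY"]] = t["FORMAT"]
    return keys["queue"]


def route_all(order):
    """Map each sample host to its final queue for a given TRANSFORMS order."""
    return {e["host"]: route_event(e, order) for e in EVENTS}


if __name__ == "__main__":
    # Original order: setparsing runs last and undoes the nullQueue routing.
    print("setnull,setparsing ->", route_all(["setnull", "setparsing"]))
    # Corrected order: setnull runs last and only the unwanted host is dropped.
    print("setparsing,setnull ->", route_all(["setparsing", "setnull"]))
    # Simplest form: a single transform, everything else stays in indexQueue.
    print("setnull only       ->", route_all(["setnull"]))
```

The first run shows every event, including the unwanted host's, landing in indexQueue, which is the failure mode of listing setnull before setparsing; the other two runs drop only 10.0.0.25, and the anchored regex keeps 10.0.0.250 from being caught by accident.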