Getting Data In

How to blacklist a Universal Forwarder?

ccsfdave
Builder

This should be relatively simple, but I cannot find discussion or documentation on it. I suspect that Splunk assumes if a universal forwarder is installed, the data is wanted. The problem is that there is a UF out of my control with a misconfigured index name. I would like to blacklist it until the owner can fix it.

How would I blacklist a UF?

0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

1: In props.conf, set the TRANSFORMS-null attribute:

[host::BadUniversalForwarderHostIdentifierHere]
TRANSFORMS-null = TrashEverything

2: Create a corresponding stanza in transforms.conf. Set DEST_KEY to queue and FORMAT to nullQueue:

[TrashEverything]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

3: Deploy to all Indexers and restart all Splunk instances there.

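As an added illustration (not code from the thread or from Splunk), the following Python script models how the two stanzas above fit together and audits which hosts a props.conf/transforms.conf pair silently routes to nullQueue. It addresses the point raised later in the thread that a forgotten null-route is hard to find: you can run it against the files you are about to deploy. The stanza contents are the ones from the accepted answer plus a constructed second host (`goodhost01`) and a constructed `KeepLocal` transform for contrast; the function names and the simplified matching logic (a `host::` stanza, a `TRANSFORMS-*` key, and `REGEX` tested against the raw event) are my own assumptions, not Splunk's actual pipeline.

```python
import configparser
import re

# Constructed sample of what the accepted answer deploys to the indexers.
# The first host stanza and the TrashEverything transform are from the answer;
# goodhost01 and KeepLocal are constructed here for contrast.
PROPS_CONF = """
[host::BadUniversalForwarderHostIdentifierHere]
TRANSFORMS-null = TrashEverything

[host::goodhost01]
TRANSFORMS-route = KeepLocal
"""

TRANSFORMS_CONF = """
[TrashEverything]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[KeepLocal]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue
"""


def load_conf(text):
    """Parse Splunk .conf text (INI-style), keeping key case and disabling % interpolation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # Splunk keys such as TRANSFORMS-null are case-sensitive
    cp.read_string(text)
    return cp


def null_routed_hosts(props_text, transforms_text):
    """Return {(host, transform_name, regex)} for every host:: stanza whose
    TRANSFORMS-* rule points at a transform with DEST_KEY=queue and FORMAT=nullQueue."""
    props = load_conf(props_text)
    transforms = load_conf(transforms_text)
    dropped = set()
    for stanza in props.sections():
        if not stanza.startswith("host::"):
            continue
        host = stanza[len("host::"):]
        for key, value in props.items(stanza):
            if not key.startswith("TRANSFORMS-"):
                continue
            # A TRANSFORMS-* value may list several transforms, comma-separated
            for name in (n.strip() for n in value.split(",")):
                if not transforms.has_section(name):
                    continue
                t = transforms[name]
                if t.get("DEST_KEY") == "queue" and t.get("FORMAT") == "nullQueue":
                    dropped.add((host, name, t.get("REGEX", "")))
    return dropped


def would_drop(host, raw_event, props_text, transforms_text):
    """Simplified simulation: name of the nullQueue transform that would discard
    an event from `host`, or None if the event would be indexed."""
    for h, name, regex in null_routed_hosts(props_text, transforms_text):
        # REGEX is applied to _raw by default (SOURCE_KEY unset in the answer)
        if h == host and re.search(regex, raw_event):
            return name
    return None


if __name__ == "__main__":
    # Audit step: list every host the deployed config would silently discard
    for host, name, regex in sorted(null_routed_hosts(PROPS_CONF, TRANSFORMS_CONF)):
        print(f"host={host} -> nullQueue via [{name}] (REGEX={regex})")
    # Constructed sample event, as a UF might forward it
    print(would_drop("BadUniversalForwarderHostIdentifierHere",
                     "Jan  1 00:00:00 app[123]: constructed sample event",
                     PROPS_CONF, TRANSFORMS_CONF))
```

On a real indexer the authoritative view of the merged configuration comes from `splunk btool props list --debug` and `splunk btool transforms list --debug`, which show every layer contributing to a stanza; this script is only a pre-deployment sanity check on the files you are about to push.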
jkat54
SplunkTrust

Yeah, this is a great option if you can restart indexers. The "blacklisting" word put me in a different direction, but nullQueueing is in effect the same. Thanks woodcock!

0 Karma

ccsfdave
Builder

Yeah, I have full control of the central Splunk infrastructure: SH, Indexers, HF, DS. So, let me accept this and I will update the answer if I need to in the future.

0 Karma

jkat54
SplunkTrust

Do you control the UF from your deployment server? If not you should.

Your options are blocking the src_ip at the firewall (iptables on Linux; Windows Firewall will do the trick too).

Asking the UF owner to turn off the UF.

If you have the UF password you can probably disable it via REST calls.

0 Karma

ccsfdave
Builder

Well, I let the question stand because I figured some good discussion or tips may come from it, but it was in my DS so I took care of it (I think) from there.

0 Karma

jkat54
SplunkTrust

I assume Splunk doesn't want you to blacklist forwarders because they should be controlled via the DS. And if you had a config file somewhere blacklisting them, you might spend days trying to figure out why they aren't sending data in, etc.

0 Karma

ccsfdave
Builder

Yeah, that makes sense.

0 Karma