Whitelist IP Ranges in serverclass.conf

rmcdougal
Path Finder

I am attempting to whitelist a range of IP addresses in my serverclass.conf but it doesn't seem to be working. This is the regex that I came up with to match IP Addresses between 10.0.0.0 and 10.49.255.255.

[serverClass:pcforwarders]
whitelist.0=10.([0-9]|[0-4][0-9]).[0-9]{1,3}.[0-9]{1,3}
blacklist.0=10.255.26.*

[serverClass:pcforwarders:app:pcforwardersconfigs]
stateOnClient=enabled
restartSplunkd=true

[serverClass:pcforwarders:app:pclogcollection]
stateOnClient=enabled
restartSplunkd=true

jbsplunk
Splunk Employee

AFAIK, you can't use a regex in a serverclass.conf whitelist. The spec file does not show this as being valid.

http://docs.splunk.com/Documentation/Splunk/latest/admin/Serverclassconf

whitelist.<n> = <clientName> | <ip address> | <hostname>
blacklist.<n> = <clientName> | <ip address> | <hostname>
    * 'n' is a number starting at 0, and increasing by 1. Stop looking at the filter when 'n' breaks.
    * The value of this attribute is matched against several things in order:
         * Any clientName specified by the client in its deploymentclient.conf file
         * The ip address of the connected client
         * The hostname of the connected client as provided by reverse DNS lookup
         * The hostname of the client as provided by the client
    * All of these can be used with wildcards.  * will match any sequence of characters.  For example:
        * Match an network range: 10.1.1.*
        * Match a domain: *.splunk.com
    * These patterns are PCRE regular expressions with the additional mappings:
        * '.' is mapped to '\.'
        * '*' is mapped to '.*'
    * Can be overridden at the serverClass level, and the serverClass:app level.
    * There are no whitelist or blacklist entries by default.

lguinn2
Legend

I have chatted with some folks who say PCRE is fine - now I just need to go test it!

0 Karma

jbsplunk
Splunk Employee

Notice: with the additional mappings. Meaning, it is a regex, but not PCRE compliant, which means I think you're going to run into unexpected behaviors trying to use PCRE straight up in the conf file.

0 Karma

lguinn2
Legend

Perhaps I misunderstand what this line means "These patterns are PCRE regular expressions..."

0 Karma

lguinn2
Legend

I am not sure what your question is, exactly, but here is a great reference for regular expressions. I've linked to the page with an example for IP addresses.

http://www.regular-expressions.info/examples.html

Specifically, I think the following would match what you want:

10\.[0-4]?[0-9]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)

0 Karma
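
An added example, not code from this thread or from Splunk: it expands the range from the question (10.0.0.0 to 10.49.255.255) into the plain wildcard form the quoted spec documents (`10.1.1.*`), then checks sample addresses against a model of the two mappings the spec lists. The function names are hypothetical, and two behaviours are assumptions: that a filter must match the whole client value, and that a blacklist match overrides a whitelist match.

```python
import ipaddress
import re

def filter_to_regex(value):
    # Mappings quoted from the spec: '.' -> '\.', then '*' -> '.*'.
    # Assumption: the pattern has to match the whole client value.
    return re.compile(value.replace(".", r"\.").replace("*", ".*"))

def wildcard_entries(first, last, key="whitelist"):
    # Expand a range running from x.y.0.0 to x.y.255.255 into 'x.y.*' entries,
    # numbered from 0 with no gaps (the spec stops reading when 'n' breaks).
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    if lo > hi or (lo & 0xFFFF) != 0 or (hi & 0xFFFF) != 0xFFFF:
        raise ValueError("range must run from x.y.0.0 to x.y.255.255")
    entries = []
    for n, base in enumerate(range(lo, hi + 1, 1 << 16)):
        entries.append(f"{key}.{n}={base >> 24}.{(base >> 16) & 0xFF}.*")
    return entries

def values(entries):
    # Strip the 'whitelist.<n>=' prefix, leaving only the filter values.
    return [e.split("=", 1)[1] for e in entries]

def is_selected(ip, whitelist, blacklist=()):
    # Assumption: a blacklist match overrides a whitelist match.
    def hit(filters):
        return any(filter_to_regex(f).fullmatch(ip) for f in filters)
    return hit(whitelist) and not hit(blacklist)

if __name__ == "__main__":
    entries = wildcard_entries("10.0.0.0", "10.49.255.255")
    print("[serverClass:pcforwarders]")
    print("\n".join(entries))
    # Constructed sample client addresses, not taken from the thread.
    for ip in ("10.0.0.1", "10.49.255.255", "10.50.0.1", "10.255.26.7"):
        print(ip, is_selected(ip, values(entries), ["10.255.26.*"]))
```

The trailing dot before `*` matters: `10.4.*` selects only 10.4.x.x, whereas `10.4*` would also select 10.40.x.x through 10.49.x.x.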