How can splunk indexer avoid from receiving data, if a hacker is sending corrupt data from his local system through univ forwarder to Splunk Indexer by knowing indexer port and name of our envirenment????
Do we have any permissions to Univ forwarder or settings to avoid receiving data from unknown forwarders to our Indexer?
I would handle this with ACL to block his connection attempts entirely but if firewalls cannot be used, then you can just /dev/null
it like this on the Splunk Indexers:
In props.conf:
[host:Invader.IP.Address.Here]
TRANSFORMS-setnull = setnull
In transforms.conf:
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
See more here:
http://docs.splunk.com/Documentation/Splunk/6.6.0/Forwarding/Routeandfilterdatad
Hi rangineniarunkumar,
On the indexer you can set the acceptFrom = <network_acl>
option in inputs.conf
to a set of networks or addresses to accept connections from, see the docs for more details http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
A second option is to filter your events http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Keep_specific_even...
and only keep events from your known host for example.
Hope this helps ...
cheers, MuS