With the above in mind, I want to block these servers (from sending data) to our Splunk server, so they will no longer show up.
Is this possible?
And if so, how?
Two more options:
Set up IP filters on your Splunk indexer(s) to block the IP addresses of these servers.
Details depend on your operating system.
Configure props.conf and transforms.conf to redirect events from these systems to the nullQueue.
props.conf
[host::YOUR_HOSTS]
TRANSFORMS-DiscardHosts = DiscardHosts
transforms.conf
[DiscardHosts]
SOURCE_KEY = _TCP_ROUTING
REGEX = .
DEST_KEY = queue
WRITE_META = true
FORMAT = nullQueue
where outputs.conf resides on those servers: under $SPLUNK_HOME/etc/system/local or $SPLUNK_HOME/etc/apps/<your custom app>/local.
The inputs.conf has an acceptFrom parameter that can be used to blacklist addresses; perhaps that will work?
You could also consider blocking it at the OS level of your Splunk indexers or perhaps a security team or administration team could assist in tracking down the problematic server?
acceptFrom = <network_acl> ...
* Lists a set of networks or IP addresses from which to accept connections.
* Specify multiple rules with commas or spaces.
* Each rule can be in the following forms:
1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")
2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32")
3. A DNS name, possibly with a '*' used as a wildcard (examples:
"myhost.example.com", "*.splunk.com")
4. A single '*', which matches anything.
* You can also prefix an entry with '!' to cause the rule to reject the
connection. The input applies rules in order, and uses the first one
that matches. For example, "!10.1/16, *" allows connections from everywhere
except the 10.1.*.* network.
* Defaults to "*" (accept from anywhere)
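To make the first-match semantics quoted above concrete, here is a small Python model of how an acceptFrom value is evaluated. It is an added example written for this thread, not Splunk's own code: it parses the comma/space separated rule list, handles the "!" negation prefix, exact IPv4/IPv6 addresses, Splunk's abbreviated CIDR forms ("10/8", "10.1/16", "fe80:1234/32"), wildcard DNS names and "*", and returns the verdict of the first matching rule. Two things are assumptions rather than documented facts: that a connection matching no rule at all is rejected, and that a value wrapped in double quotes is tokenized with the quote characters left attached (which is one way a quoted value could end up rejecting every forwarder). The hostname argument stands in for the reverse-DNS lookup Splunk would do itself.

```python
import ipaddress
import re
from fnmatch import fnmatchcase


def _expand_shorthand(net):
    """Expand Splunk-style abbreviated CIDR blocks ("10/8", "10.1/16",
    "fe80:1234/32") into a form the ipaddress module accepts."""
    addr, _, prefix = net.partition("/")
    if ":" in addr:
        if "::" not in addr:
            addr = addr + "::"          # "fe80:1234" -> "fe80:1234::"
    else:
        parts = addr.split(".")
        parts += ["0"] * (4 - len(parts))  # "10.1" -> "10.1.0.0"
        addr = ".".join(parts)
    return addr + "/" + prefix


def parse_accept_from(value):
    """Split an acceptFrom value into ordered (allow, pattern) rules.
    Rules are separated by commas and/or whitespace; a leading '!' means reject."""
    rules = []
    for token in re.split(r"[,\s]+", value.strip()):
        if not token:
            continue
        allow = not token.startswith("!")
        rules.append((allow, token.lstrip("!")))
    return rules


def rule_matches(pattern, ip, hostname=None):
    """True if one rule pattern matches the connecting address (or its name)."""
    if pattern == "*":
        return True
    try:
        if "/" in pattern:
            return ip in ipaddress.ip_network(_expand_shorthand(pattern), strict=False)
        return ip == ipaddress.ip_address(pattern)
    except ValueError:
        pass  # not an address or CIDR block: treat it as a DNS name pattern
    if hostname is None:
        return False
    return fnmatchcase(hostname.lower(), pattern.lower())


def is_accepted(accept_from, ip, hostname=None):
    """Evaluate an acceptFrom value for one connection, first match wins.
    An empty value behaves like the documented default "*"."""
    rules = parse_accept_from(accept_from) or [(True, "*")]
    ip = ipaddress.ip_address(ip)
    for allow, pattern in rules:
        if rule_matches(pattern, ip, hostname):
            return allow
    return False  # assumption: a connection matching no rule is rejected


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    print(is_accepted("!10.1/16, *", "10.1.2.3"))      # False: rejected by rule 1
    print(is_accepted("!10.1/16, *", "10.2.2.3"))      # True: falls through to "*"
    print(is_accepted('"!192.0.2.10, *"', "198.51.100.5"))  # False: quotes break both rules
```

Run against the documented example, "!10.1/16, *" rejects 10.1.x.x and accepts everything else. With the quote characters attached, the first token is no longer a negation and neither token is a valid address or "*", so under this model nothing matches and every connection is refused.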
As the above seemed the most logical option, I tried the following setup in my inputs.conf file, but it seemed to stop connectivity for all my servers:
acceptFrom = "!x.x.x.x, *"
--
We tracked down the owner of the server 🙂
That sounds like a documentation error...did you send feedback on that page of documentation? It will often get corrected if reported...
Comment is now posted (inputs.conf)
@edwinmae
If you don't want to send any data to Splunk from those servers, remove outputs.conf from those servers, from $SPLUNK_HOME/etc/system/local or from any custom app you have created for outputs.conf, so that the server doesn't know where to send the data.
Like I said I am not able to access these servers
Somebody installed the Splunk Forwarder and pointed it to our Splunk server
We don't have a deploymentclient.conf file in system or default directory
Other options?