Hello,
I have a data input of TCP type, and it is associated with an index.
I have a request to remove 2 hosts that keep showing up.
Those hosts do not have a Universal Forwarder installed on them...
Is there any way I can blacklist those hosts in the forwarder?
I have tried going to inputs.conf and, under the relevant TCP port, added
Blacklist = Server_Name
It doesn't seem to work.
Any suggestions?
Even though Splunk allows TCP/UDP inputs, it's best practice not to use them if you can avoid it. Lots of unpredictable data can come in, and you'll lose data if you happen to do anything with the Splunk service (restart, OS shutdown, etc.). It's best to use rsyslog for these types of inputs if you can.
The TCP input for Splunk (see the inputs.conf specification) has an attribute, acceptFrom, with which you can specify a whitelist/blacklist of IP addresses from which you do or don't want to accept data.
[tcp://<remote server>:<port>]
....
acceptFrom = <network_acl> ...
* Lists a set of networks or addresses to accept connections from.
* Separate multiple rules with commas or spaces.
* Each rule can be in one of the following formats:
1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")
2. A Classless Inter-Domain Routing (CIDR) block of addresses
(examples: "10/8", "fe80:1234/32")
3. A DNS name, possibly with a '*' used as a wildcard
(examples: "myhost.example.com", "*.splunk.com")
4. A single '*' which matches anything
* You can also prefix an entry with '!' to cause the rule to reject the
connection. The input applies rules in order, and uses the first one that
matches.
For example, "!10.1/16, *" allows connections from everywhere except
the 10.1.*.* network.
* Defaults to "*" (accept from anywhere)
For your use case, you'd set up something like this:
acceptFrom = !<IPAddress1>, !<IPAddress2>, *
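Because acceptFrom is evaluated on the connecting address (not on the host field the event ends up with) and the first matching rule wins, an ACL that looks right can still accept or reject the wrong peers. The following is an added example, not Splunk code or code from the thread: a small Python simulator of the documented rule semantics (`!` rejects, `*` matches anything, abbreviated CIDR forms such as "10.1/16", DNS names with a `*` wildcard) that lets you check an acceptFrom value offline before restarting the input. Two assumptions are labelled in the code: a DNS-name rule is matched against whatever hostname the caller supplies, and a peer that matches no rule is rejected. The same attribute is also available on the udp:// stanza, so the whitelist-only case in the test below (a single positive rule) is the shape you would use there.

```python
"""Simulator for Splunk's inputs.conf acceptFrom network ACL.

Added example, not Splunk code. It reproduces the documented rule semantics
(first matching rule wins, '!' rejects, '*' matches anything, abbreviated CIDR
such as "10.1/16") so an ACL can be checked before a restart.
Assumptions: a DNS-name rule is matched against the hostname the caller
passes in, and a peer that matches no rule is rejected.
"""
import fnmatch
import ipaddress
import re


def parse_acl(acl):
    """Split an acceptFrom value into ordered (negate, pattern) rules."""
    rules = []
    for token in re.split(r"[,\s]+", acl.strip()):
        if token:
            negate = token.startswith("!")
            rules.append((negate, token[1:] if negate else token))
    return rules


def _to_network(pattern):
    """Return an ip_network for an address or CIDR token, or None for a DNS name.

    Splunk accepts abbreviated prefixes ("10/8", "fe80:1234/32"); the ipaddress
    module does not, so the address part is padded out first.
    """
    addr, slash, prefix = pattern.partition("/")
    if ":" in addr:
        if "::" not in addr and addr.count(":") < 7:
            addr += "::"
    elif re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){0,3}", addr):
        addr += ".0" * (3 - addr.count("."))
    else:
        return None  # not numeric: treat as a DNS name rule
    try:
        return ipaddress.ip_network(addr + slash + prefix, strict=False)
    except ValueError:
        return None


def rule_matches(pattern, ip, hostname):
    """Does one rule apply to this peer? ip is an ipaddress object."""
    if pattern == "*":
        return True
    net = _to_network(pattern)
    if net is not None:
        return ip in net  # False when the IP versions differ
    if hostname is None:
        return False  # assumption: name rules need a resolved peer name
    return fnmatch.fnmatchcase(hostname.lower(), pattern.lower())


def accept_from(acl, peer_ip, peer_hostname=None):
    """Decide whether the input would accept a connection from peer_ip."""
    ip = ipaddress.ip_address(peer_ip)
    for negate, pattern in parse_acl(acl):
        if rule_matches(pattern, ip, peer_hostname):
            return not negate
    return False  # assumption: no matching rule means reject


if __name__ == "__main__":
    # The two-host blacklist from the answer above, checked against three peers.
    acl = "!192.168.10.11, !192.168.10.12, *"
    for peer in ("192.168.10.11", "192.168.10.12", "192.168.10.13"):
        verdict = "accept" if accept_from(acl, peer) else "reject"
        print(f"{acl!r}  {peer:15} -> {verdict}")
```

Note the ordering check in the test: "*, !10.1/16" accepts 10.1.5.5, because the `*` rule matches first and the reject rule is never reached. Put rejections before the catch-all, as the answer does.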
Can we use a similar approach for UDP events as well?
I have a UDP port monitor configured in the inputs of a UF.
And multiple hosts are sending logs to that port, while I want to whitelist only one host and blacklist the rest.
Hey
This is done by defining a regex to match the event(s) and sending them to nullQueue.
Here is a basic example that will drop the events that you do not want in your logs.
Let's suppose you have IP 192.168.10.11
in the events and you want to exclude these events.
Then put:
In transforms.conf:
[setnull]
REGEX = 192\.168\.10\.11
DEST_KEY = queue
FORMAT = nullQueue
And in props.conf:
[your_sourcetype]
# Transforms must be applied in this order
# to make sure events are dropped on the
# floor prior to making their way to the
# index processor
TRANSFORMS-null = setnull
Do this on the indexers and then restart splunkd.
Let me know if this helps!
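The REGEX in a nullQueue transform is an unanchored search over the raw event (SOURCE_KEY defaults to _raw), so `192\.168\.10\.11` also matches an event mentioning 192.168.10.110 or 192.168.10.115. The following is an added example, not code from the answer above or from Splunk: a Python emulation of the queue routing, run over a few constructed syslog-style events, that shows the over-match and a tighter pattern guarded on both sides so only the exact address drops. It also builds the multi-host variant the original question asks for (two hosts) and renders the matching transforms.conf stanza. The event lines and host names are made up for the example.

```python
"""Emulate a Splunk nullQueue transform over sample events.

Added example, not Splunk code or code from the thread. It shows why an
unanchored REGEX over _raw can drop more than intended and how to tighten it.
"""
import re

# Constructed sample events (not from the original thread). The third line is
# the over-match trap: 192.168.10.110 contains the string 192.168.10.11.
SAMPLE_EVENTS = [
    "Jan 10 12:00:01 srv-a sshd[120]: Accepted publickey from 192.168.10.11 port 50122",
    "Jan 10 12:00:02 srv-b sshd[121]: Accepted publickey from 192.168.10.12 port 50123",
    "Jan 10 12:00:03 srv-c sshd[122]: Failed password from 192.168.10.110 port 50124",
    "Jan 10 12:00:04 srv-a kernel: 192.168.10.11 link up",
]

# The regex from the answer above: an unanchored search over _raw.
LOOSE_REGEX = re.compile(r"192\.168\.10\.11")

# Same address, refused when another digit or dot sits on either side of it.
STRICT_REGEX = re.compile(r"(?<![\d.])192\.168\.10\.11(?![\d.])")


def drop_hosts_regex(ips):
    """Build a guarded alternation that drops events from several exact addresses."""
    alternation = "|".join(re.escape(ip) for ip in ips)
    return re.compile(rf"(?<![\d.])(?:{alternation})(?![\d.])")


def route(events, regex):
    """Emulate TRANSFORMS-null -> setnull: a matching _raw goes to nullQueue,
    everything else to indexQueue. Returns (kept, dropped)."""
    kept, dropped = [], []
    for raw in events:
        (dropped if regex.search(raw) else kept).append(raw)
    return kept, dropped


def transforms_stanza(name, regex):
    """Render the transforms.conf stanza that implements this regex."""
    return f"[{name}]\nREGEX = {regex.pattern}\nDEST_KEY = queue\nFORMAT = nullQueue\n"


if __name__ == "__main__":
    for label, regex in (("loose", LOOSE_REGEX), ("strict", STRICT_REGEX),
                         ("two hosts", drop_hosts_regex(["192.168.10.11", "192.168.10.12"]))):
        kept, dropped = route(SAMPLE_EVENTS, regex)
        print(f"{label}: kept {len(kept)}, dropped {len(dropped)}")
        for raw in dropped:
            print("   dropped:", raw)
    print(transforms_stanza("setnull", STRICT_REGEX))
```

Two practical points follow from the emulation. First, the loose pattern drops the 192.168.10.110 event as well, which is silent data loss; guard the address as STRICT_REGEX does. Second, unlike acceptFrom, which refuses the connection, a nullQueue transform still receives and parses every event before discarding it, so it filters content but does not reduce what reaches the listening port.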
Hi @mayurr98,
I have done this: I edited transforms.conf and props.conf to exclude events coming from host 127.0.0.1 on the heavy forwarders and restarted splunkd, and it did not work. Any help?