Getting Data In

How does the indexer forward data to itself?

benbabich
Explorer

I want to blacklist some events that the Splunk server is sending to itself, but my indexer isn't even running the SplunkForwarder service, and the inputs.conf file that I'd edit on my other servers doesn't affect what it's sending to itself.
Does it use an inputs.conf file in a different location?
Also, since it's not running the SplunkForwarder service, what do I restart (if anything) after I edit the correct inputs.conf? Do I have to restart the Splunkd service (i.e. Splunk itself)?


gcusello
SplunkTrust

Hi benbabich,
Which events do you want to blacklist? Internal events?
If internal events, remember that they aren't in the license consumption.
Anyway, you can filter them in $SPLUNK_HOME/etc/system/local

Bye.
Giuseppe


benbabich
Explorer

I turned on auditing for .exe's so I can see psexec usage on servers. So I'm looking for some 4688 events (in Windows security logs). I block most, but I want to see the following:
whitelist2 = EventCode="4688" Message="(?:New Process Name:).+(?:cmd.exe)"
whitelist3 = EventCode="4688" Message="(?:New Process Name:).+(?:cscript.exe)"
whitelist4 = EventCode="4688" Message="(?:New Process Name:).+(?:wscript.exe)"
whitelist5 = EventCode="4688" Message="(?:New Process Name:).+(?:PsExec.exe)"
whitelist6 = EventCode="4688" Message="(?:Process Command Line:).+(?:cscript.exe?)"

It works on my servers, but my Splunk indexer server now reports EVERY 4688 event (any .exe that is opened, which is 100+ a minute), and I've added
blacklist1 = EventCode="4688"
to every inputs.conf file I can find on the server (including $SPLUNK_HOME/etc/system/local) and I can't get it to stop reporting 4688 events. I could just use host!=[servername] in a search head to not see those results, but I'd rather just find a way to stop it entirely.

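To make the whitelist and blacklist lines above concrete, here is an added, stand-alone Python model of how such entries filter 4688 events; it is example code written for this thread, not Splunk's own filtering engine. It parses the poster's entries, applies a simplified rule that is an assumption rather than Splunk's documented precedence (an event must match at least one whitelist entry when a whitelist exists, and any blacklist match drops it), and runs them over constructed sample events. Besides showing that `blacklist1 = EventCode="4688"` drops every 4688 event once it is actually loaded, it also surfaces two regex details a defender should check: the patterns are unanchored, and the unescaped `.` in `cmd.exe` also matches `cmd_exe`, so a lookalike file name passes whitelist2.

```python
import re

# Constructed copy of the whitelist entries quoted in the thread.
INPUTS_CONF = r'''
whitelist2 = EventCode="4688" Message="(?:New Process Name:).+(?:cmd.exe)"
whitelist3 = EventCode="4688" Message="(?:New Process Name:).+(?:cscript.exe)"
whitelist4 = EventCode="4688" Message="(?:New Process Name:).+(?:wscript.exe)"
whitelist5 = EventCode="4688" Message="(?:New Process Name:).+(?:PsExec.exe)"
whitelist6 = EventCode="4688" Message="(?:Process Command Line:).+(?:cscript.exe?)"
'''

# The blacklist the poster added on the indexer.
BLACKLIST_CONF = r'''
blacklist1 = EventCode="4688"
'''

# Matches Field="value" pairs; the value may contain escaped quotes.
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_rules(text):
    """Turn lines of the form  name = Field="regex" Field="regex"  into
    a list of (name, {field: compiled_regex})."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        name, _, rest = line.partition("=")
        fields = {f: re.compile(v) for f, v in KV_RE.findall(rest)}
        rules.append((name.strip(), fields))
    return rules


def rule_matches(fields, event):
    # Every field named in the rule must be present in the event and its
    # regex must be found somewhere in that field (unanchored search).
    return all(f in event and rx.search(str(event[f])) for f, rx in fields.items())


def matching_rules(event, rules):
    """Names of the rules that fire on one event (useful for debugging filters)."""
    return [name for name, fields in rules if rule_matches(fields, event)]


def keep_event(event, whitelist, blacklist):
    # Simplified model (assumption): a whitelist, if any, must match at least
    # one entry, and a blacklist match always drops the event.
    if whitelist and not any(rule_matches(f, event) for _, f in whitelist):
        return False
    if any(rule_matches(f, event) for _, f in blacklist):
        return False
    return True


def filter_events(events, whitelist_conf, blacklist_conf=""):
    """Return the ids of the events that would be indexed."""
    wl = parse_rules(whitelist_conf)
    bl = parse_rules(blacklist_conf)
    return [e["id"] for e in events if keep_event(e, wl, bl)]


# Constructed sample events shaped like Windows 4688 "A new process has been
# created" messages (one "Label:<tab>value" pair per line), plus one logon event.
SAMPLE_EVENTS = [
    {"id": "psexec", "EventCode": 4688,
     "Message": "A new process has been created.\nNew Process Name:\tC:\\Tools\\PsExec.exe"},
    {"id": "cmd", "EventCode": 4688,
     "Message": "A new process has been created.\nNew Process Name:\tC:\\Windows\\System32\\cmd.exe"},
    {"id": "cscript", "EventCode": 4688,
     "Message": "A new process has been created.\nNew Process Name:\tC:\\Windows\\System32\\cscript.exe\n"
                "Process Command Line:\tcscript.exe //nologo run.vbs"},
    {"id": "notepad", "EventCode": 4688,
     "Message": "A new process has been created.\nNew Process Name:\tC:\\Windows\\System32\\notepad.exe"},
    # Lookalike name: the unescaped '.' in cmd.exe lets "cmd_exe" match whitelist2.
    {"id": "lookalike", "EventCode": 4688,
     "Message": "A new process has been created.\nNew Process Name:\tC:\\Users\\alice\\cmd_exercises.exe"},
    {"id": "logon", "EventCode": 4624,
     "Message": "An account was successfully logged on."},
]

if __name__ == "__main__":
    print("whitelist only :", filter_events(SAMPLE_EVENTS, INPUTS_CONF))
    print("with blacklist :", filter_events(SAMPLE_EVENTS, INPUTS_CONF, BLACKLIST_CONF))
    for e in SAMPLE_EVENTS:
        print(e["id"], "->", matching_rules(e, parse_rules(INPUTS_CONF)))
```

Running it shows the whitelist keeping psexec, cmd, cscript and the lookalike while dropping notepad and the 4624 logon, and the blacklist emptying the list entirely; escaping the dot (`cmd\.exe`) in the whitelist entries removes the lookalike match.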

benbabich
Explorer

It's not a cluster. And I do not use a separate deployment server; I use the same server for that.


somesoni2
Revered Legend

Ok... then for local monitoring on your indexer server itself, you need to restart the splunkd service after you make the change.


somesoni2
Revered Legend

A Splunk indexer would have the Splunk Enterprise version/product installed on it, which has the full capabilities of Splunk, including indexing and monitoring. The service name would be splunkd, and it should be restarted when you make changes to inputs.conf. Side question: do you have an indexer cluster, or use a deployment server to deploy configs?
