Getting Data In

Configuring UDP with multiple IP addresses

santosh_hb
Explorer

Hi, I would like to configure my inputs.conf with UDP on port 514,
like below:

udp://[remote_server]:[port_number]

My query is: can I add multiple IP addresses in the remote_server field, as I want to receive the data from a particular set of IP addresses?

regards,
Santosh

0 Karma

harsmarvania57
Ultra Champion

Hi,

No, you can't specify multiple IP addresses in a udp stanza in inputs.conf.

But you can use the configuration below to restrict your UDP port to accept traffic only from certain IP addresses.

inputs.conf

[udp://514]
acceptFrom = 10.10.0.1, 10.20.0.1, ....., 10.100.0.1

From the Splunk docs:

acceptFrom = <network_acl> ...
* Lists a set of networks or IP addresses from which to accept connections.
* Specify multiple rules with commas or spaces.
* Each rule can be in the following forms:
    1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")
    2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32")
    3. A DNS name, possibly with a "*" used as a wildcard (examples:
       "myhost.example.com", "*.splunk.com")
    4. "*", which matches anything.
* You can also prefix an entry with '!' to cause the rule to reject the
  connection. The input applies rules in order, and uses the first one that
  matches.
  For example, "!10.1/16, *" allows connections from everywhere except
  the 10.1.*.* network.
* Default: "*" (accept from anywhere)

NOTE:

  1. Please keep in mind that if you are running your Splunk instance as a non-root user, you can't bind a port below 1024 on Linux servers; only the root user can bind ports below 1024 on Linux.
  2. I'd suggest using syslog to accept traffic from network, security or any other devices that send data over syslog. If you receive syslog traffic directly on Splunk, you will lose data during a Splunk restart; with a syslog daemon like rsyslog or syslog-ng, the data is written to a file on disk, the Splunk UF can monitor that log file, and you will not lose data.

santosh_hb
Explorer

Hi, I have a range of IP addresses like 10.21.100.1, 10.21.100.2, 10.21.100.3, 10.21.100.4, 10.21.100.5 ... 10.21.100.15.
So, how can I pass these values to the acceptFrom field? Is there a shorter way other than listing all the IP addresses explicitly?
Can I just specify 10.21.100.1/15 (the CIDR block method)?

0 Karma

harsmarvania57
Ultra Champion

As you have 15 IP addresses, which don't fit under a single CIDR block, you can try something like this. I am not sure whether a combination of a CIDR block and a single IP address will work or not, but you can give it a try.

acceptFrom = 10.21.100.0/28, 10.21.100.15

To see how CIDR calculates IP ranges, try googling "subnet calculation" and you will be able to figure out the meaning of 10.21.100.0/28.

0 Karma
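To check an acceptFrom value before deploying it, here is a small evaluator of the ACL semantics quoted above (comma- or space-separated rules, checked in order, first match wins, "!" prefix rejects). It is an added example written for this thread, not Splunk's own code; it assumes Splunk's abbreviated prefixes such as "10/8" mean the missing octets are zero, and that an address matching no rule is rejected.

```python
import ipaddress
from fnmatch import fnmatch
from typing import Optional

def _expand_network(rule: str):
    """Turn one ACL entry into an ip_network, or None if it is a DNS name.
    Splunk allows abbreviated prefixes such as "10/8" or "10.1/16"; the
    ipaddress module does not, so missing IPv4 octets are padded with ".0"
    and short IPv6 groups are completed with "::" (assumed reading of the docs)."""
    addr, _, prefix = rule.partition("/")
    if ":" in addr:
        if "::" not in addr and addr.count(":") < 7:
            addr += "::"
    elif addr.replace(".", "").isdigit():
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    else:
        return None  # not IP-like: treat as a DNS rule
    try:
        return ipaddress.ip_network(f"{addr}/{prefix}" if prefix else addr, strict=False)
    except ValueError:
        return None

def accept_from_allows(acl: str, client_ip: str, client_host: Optional[str] = None) -> bool:
    """Evaluate an acceptFrom ACL: rules in order, first matching rule decides,
    a leading '!' makes that rule a reject. No match means the client is rejected.
    client_host is the reverse-resolved name used for DNS / wildcard rules."""
    ip = ipaddress.ip_address(client_ip)
    for raw in acl.replace(",", " ").split():
        negate = raw.startswith("!")
        rule = raw.lstrip("!")
        if rule == "*":
            matched = True
        else:
            net = _expand_network(rule)
            if net is not None:
                matched = ip.version == net.version and ip in net
            else:
                matched = client_host is not None and fnmatch(client_host.lower(), rule.lower())
        if matched:
            return not negate
    return False
```

Note that 10.21.100.0/28 spans 10.21.100.0 through 10.21.100.15, so the trailing single address in the answer above is already inside the block, and 10.21.100.16 is rejected.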

santosh_hb
Explorer

Thanks for the details. I tried it the same way. It's working.

0 Karma

santosh_hb
Explorer

Hi Harshil, thanks for the reply. I will check this flow. Regards, Santosh

0 Karma