Blacklisting Logs coming in UDP 514

khavildar · ‎06-18-2019

I have some logs coming in on UDP 514 and I am wondering if there is a chance we can blacklist certain events containing a certain username. I can regex it out but I cannot see if we can blacklist UDP logs through props.conf and transforms.conf
From my research online, it's required to have a Syslog-ng or rSyslog server setup but we are trying to avoid that extra step and seeing if Splunk has an inbuilt function to blacklist it.
This is not File monitoring / windows / having it's own TA type of Inputs. It's Syslog coming in on UDP 514 directly to the Splunk Indexer.

harsmarvania57 · ‎06-19-2019

Hi,

UDP inputs data also pass through Parsing, Aggregation and Typing Queue (ref. doc https://wiki.splunk.com/Community:HowIndexingWorks) so props.conf and transforms.conf filtering should work.

As best practice, it is recommended to use syslog-ng or rsyslog and write logs in logfile and UF will read those logs. If you receive data directly on Splunk then during Splunk restart you will lose all data which you are receiving on UDP input and usually Splunk restart take more time compare to syslog-ng or rsyslog restart.

khavildar · ‎06-27-2019

Thanks. I looked it up and saw I had to use a nullqueue.

Blacklisting Logs coming in UDP 514

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio