How to Blacklist Hosts at the Indexer

lpolo · ‎06-12-2013

Let's say, I have 5 forwarders. 4 of them are allowed to forward events to the indexer but one of them is not. How can I Blacklist this host at the indexer not at the forwarder or network (eg., iptables)? In this way, no log event should be index from the host that is not allowed to...

Thanks,
Lp

starcher · ‎06-14-2013

I guess I am confused. if the forwarder is never allowed to send events to an indexer why even leave it installed. I would just remove it.

JSapienza · ‎06-12-2013

Something like this might work then :

props.conf

[Host::myhost]
TRANSFORM-myhost=rejectHost

transforms.conf

[rejectHost]
REGEX = .*
DEST=queue
FORMAT=nullQueue

JSapienza · ‎06-13-2013

That would be a whitelist not a blacklist. Am I not sure that can be done in this manner. I would urge you to look in to using deployment server to modify the outputs.conf.

lpolo · ‎06-13-2013

What about if you do not know the name of the host that you want to blacklist but you know the hosts that are allowed.

Thanks,
Lp

lpolo · ‎06-12-2013

This approach cannot be done. We do not have configuration control of the forwarders.

JSapienza · ‎06-12-2013

If it were me I would approach this from a different direction. Why even send the data over the wire to the indexer only to be dumped to the nullQueue ? You could use the deployment server to send an app to the forwarder with an an empty outputs.conf or one that didn't have the indexer/s listed. This way at a later time all you have to do is remove that host from the corresponding severClass to revert the changes and allow it to communicate with the indexer.

How to Blacklist Hosts at the Indexer

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!