Re: Splunk forwarder indexer communication

rangineniarunku · ‎05-23-2017

How can splunk indexer avoid from receiving data, if a hacker is sending corrupt data from his local system through univ forwarder to Splunk Indexer by knowing indexer port and name of our envirenment????

Do we have any permissions to Univ forwarder or settings to avoid receiving data from unknown forwarders to our Indexer?

woodcock · ‎05-23-2017

I would handle this with ACL to block his connection attempts entirely but if firewalls cannot be used, then you can just /dev/null it like this on the Splunk Indexers:

In props.conf:

[host:Invader.IP.Address.Here]
TRANSFORMS-setnull = setnull

In transforms.conf:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

See more here:

http://docs.splunk.com/Documentation/Splunk/6.6.0/Forwarding/Routeandfilterdatad

MuS · ‎05-23-2017

Hi rangineniarunkumar,

On the indexer you can set the acceptFrom = <network_acl> option in inputs.conf to a set of networks or addresses to accept connections from, see the docs for more details http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

A second option is to filter your events http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Keep_specific_even...
and only keep events from your known host for example.

Hope this helps ...

cheers, MuS

Splunk forwarder indexer communication

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team