Blacklisting Logs coming in UDP 514

khavildar · ‎06-18-2019

I have some logs coming in on UDP 514 and I am wondering if there is a chance we can blacklist certain events containing a certain username. I can regex it out but I cannot see if we can blacklist UDP logs through props.conf and transforms.conf
From my research online, it's required to have a Syslog-ng or rSyslog server setup but we are trying to avoid that extra step and seeing if Splunk has an inbuilt function to blacklist it.
This is not File monitoring / windows / having it's own TA type of Inputs. It's Syslog coming in on UDP 514 directly to the Splunk Indexer.

harsmarvania57 · ‎06-19-2019

Hi,

UDP inputs data also pass through Parsing, Aggregation and Typing Queue (ref. doc https://wiki.splunk.com/Community:HowIndexingWorks) so props.conf and transforms.conf filtering should work.

As best practice, it is recommended to use syslog-ng or rsyslog and write logs in logfile and UF will read those logs. If you receive data directly on Splunk then during Splunk restart you will lose all data which you are receiving on UDP input and usually Splunk restart take more time compare to syslog-ng or rsyslog restart.

khavildar · ‎06-27-2019

Thanks. I looked it up and saw I had to use a nullqueue.

Blacklisting Logs coming in UDP 514

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases