Let's say I have 5 forwarders. 4 of them are allowed to forward events to the indexer but one of them is not. How can I blacklist this host at the indexer, not at the forwarder or network (e.g., iptables)? In this way, no log event should be indexed from the host that is not allowed to...
Thanks,
Lp
I guess I am confused. If the forwarder is never allowed to send events to an indexer, why even leave it installed? I would just remove it.
Something like this might work then:

props.conf
[host::myhost]
TRANSFORMS-myhost = rejectHost

transforms.conf
[rejectHost]
REGEX = .*
DEST_KEY = queue
FORMAT = nullQueue
That would be a whitelist, not a blacklist. I am not sure that can be done in this manner. I would urge you to look into using deployment server to modify the outputs.conf.
What about if you do not know the name of the host that you want to blacklist, but you know the hosts that are allowed?
Thanks,
Lp
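The allow-list variant asked about above, as an added example that is not from this thread or from Splunk's own documentation. It assumes Splunk's documented routing mechanism: a transform keyed on the host metadata field (SOURCE_KEY = MetaData:Host, whose value has the form "host::<name>") that sends any event from a host outside the allowed set to nullQueue, applied globally through the [default] props.conf stanza. The hostnames fwd-a through fwd-d are placeholders for the four permitted forwarders.

```ini
# props.conf on the indexer (added example, not from the thread).
# [default] is the catch-all stanza, so the check runs for every
# incoming source and sourcetype; any more specific TRANSFORMS-* keys
# still run as well.
[default]
TRANSFORMS-allowlist = dropUnknownHosts

# transforms.conf on the indexer
# Match on the host metadata instead of the raw event text. Splunk
# presents it as "host::<name>", so anchor on that prefix and use a
# negative lookahead: anything that is NOT exactly one of the four
# allowed names goes to nullQueue and is never indexed.
# fwd-a .. fwd-d are placeholder hostnames; substitute the real ones.
[dropUnknownHosts]
SOURCE_KEY = MetaData:Host
REGEX = ^host::(?!(fwd-a|fwd-b|fwd-c|fwd-d)$)
DEST_KEY = queue
FORMAT = nullQueue
```

Two caveats a practitioner would want. First, the host value is matched as a literal PCRE alternation, so it is case-sensitive and any dots in fully qualified names must be escaped (fwd-a\.example\.com). Second, this only applies to data the indexer parses itself, which is the case for universal forwarders; events already parsed by a heavy forwarder skip the indexer's parsing pipeline, so for those hosts the same props/transforms pair would have to live on the heavy forwarder. Events routed to nullQueue are discarded before indexing and therefore do not count against the license, and splunkd on the indexer needs a restart for the new stanzas to take effect.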
This approach cannot be done. We do not have configuration control of the forwarders.
If it were me I would approach this from a different direction. Why even send the data over the wire to the indexer only to be dumped to the nullQueue? You could use the deployment server to send an app to the forwarder with an empty outputs.conf or one that didn't have the indexer/s listed. This way, at a later time all you have to do is remove that host from the corresponding serverClass to revert the changes and allow it to communicate with the indexer.