Solved: Will inputs.conf tcp input stanza accept CIDR nota...

the_wolverine · ‎07-10-2013

I have a need to accept data from multiple servers.

WIll something like this work?

[tcp://192.168.1.0\/24:9999]

If not, would specifying multiple stanza that listen on the same port number work? For example:

[tcp://192.168.1.1:9999]
[tcp://192.168.1.2:9999]
[tcp://192.168.1.3:9999]

the_wolverine · ‎12-05-2015

In version 5.0* and higher, there is an acceptFrom option which will allow/deny specific hosts/ips. The solution is to upgrade to version 5.0x forwarder or newer to apply this configuration to the input.

View solution in original post

the_wolverine · ‎12-05-2015

In version 5.0* and higher, there is an acceptFrom option which will allow/deny specific hosts/ips. The solution is to upgrade to version 5.0x forwarder or newer to apply this configuration to the input.

mloven_splunk · ‎07-11-2013

I think you're going to have to go with a stanza per host that you're expecting traffic from.

mloven_splunk · ‎07-10-2013

the_wolverine,

I don't think Splunk will accept CIDR notation (or a wildcard) in a tcp input stanza. The second option you listed should work though.

Also, if you don't expect any other traffic on port 9999, you can also just do:

[tcp//:9999]

which will accept data from any host on port 9999.

the_wolverine · ‎07-11-2013

We currently use this accept all on port 9999 and have gotten some junk (perhaps scanning). That's why we need to lock it down. In 5.0x the capability to configure is better.

Will inputs.conf tcp input stanza accept CIDR notation or REGEX? (forwarder version 4.3.6)

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases