<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: UDP input acceptFrom overriding the catchall in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/UDP-input-acceptFrom-overriding-the-catchall/m-p/659040#M111448</link>
    <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/261003"&gt;@hiersdd&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;my first hint is to use a syslog server like rsyslog or syslog-ng so it also receives syslogs when Splunk is down.&lt;/P&gt;&lt;P&gt;You could also use SC4S (&lt;A href="https://splunkbase.splunk.com/app/4740" target="_blank"&gt;https://splunkbase.splunk.com/app/4740&lt;/A&gt;), which is syslog-ng plus a Universal Forwarder.&lt;/P&gt;&lt;P&gt;In this way you can easily manage inputs.&lt;/P&gt;&lt;P&gt;Anyway, did you try to use an input like the following?&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;[udp://192.168.2.*:514]
connection_host = ip
index = checkpoint
sourcetype = syslog&lt;/LI-CODE&gt;&lt;P&gt;Ciao.&lt;/P&gt;&lt;P&gt;Giuseppe&lt;/P&gt;</description>
    <pubDate>Fri, 29 Sep 2023 06:34:13 GMT</pubDate>
    <dc:creator>gcusello</dc:creator>
    <dc:date>2023-09-29T06:34:13Z</dc:date>
    <item>
      <title>UDP input acceptFrom overriding the catchall</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/UDP-input-acceptFrom-overriding-the-catchall/m-p/658973#M111442</link>
      <description>&lt;P&gt;I have a generic catchall for syslog traffic that is breaking when I try to use an acceptFrom for a subnet.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;--- Generic Catchall ----&lt;/P&gt;&lt;P&gt;[udp://514]&lt;/P&gt;&lt;P&gt;connection_host = ip&lt;/P&gt;&lt;P&gt;index = syslog&lt;/P&gt;&lt;P&gt;sourcetype = syslog&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The catchall functions correctly when using a single specific IP going to a specified index:&lt;/P&gt;&lt;P&gt;[udp://192.168.1.1:514]&lt;/P&gt;&lt;P&gt;host = srv-lb-2&lt;/P&gt;&lt;P&gt;connection_host = none&lt;/P&gt;&lt;P&gt;index = a10&lt;/P&gt;&lt;P&gt;sourcetype = syslog&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;But if I try to add a new UDP input to capture a full /24 to shove it in a separate index, that overrides/disables the generic input from the first one. I do see messages in the checkpoint index; however, the&amp;nbsp;[udp://514] from the first block stops.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P class=""&gt;&lt;SPAN class=""&gt;[udp://514]&lt;/SPAN&gt;&lt;/P&gt;&lt;P class=""&gt;&lt;SPAN class=""&gt;acceptFrom = 192.168.2.0/24&lt;/SPAN&gt;&lt;/P&gt;&lt;P class=""&gt;&lt;SPAN class=""&gt;connection_host = ip&lt;/SPAN&gt;&lt;/P&gt;&lt;P class=""&gt;&lt;SPAN class=""&gt;index = checkpoint&lt;/SPAN&gt;&lt;/P&gt;&lt;P class=""&gt;&lt;SPAN class=""&gt;sourcetype = syslog&lt;/SPAN&gt;&lt;/P&gt;&lt;P class=""&gt;&amp;nbsp;&lt;/P&gt;&lt;P class=""&gt;&lt;SPAN class=""&gt;Anyone know how to do this in a way that works, please?&lt;/SPAN&gt;&lt;/P&gt;&lt;P class=""&gt;&lt;SPAN class=""&gt;Thanks!&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 28 Sep 2023 15:47:19 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/UDP-input-acceptFrom-overriding-the-catchall/m-p/658973#M111442</guid>
      <dc:creator>hiersdd</dc:creator>
      <dc:date>2023-09-28T15:47:19Z</dc:date>
    </item>
    <item>
      <title>Re: UDP input acceptFrom overriding the catchall</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/UDP-input-acceptFrom-overriding-the-catchall/m-p/658976#M111443</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/261003"&gt;@hiersdd&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;are you working via the GUI or via conf files?&lt;/P&gt;&lt;P&gt;Via the GUI it isn't possible to configure two inputs with the same protocol and port.&lt;/P&gt;&lt;P&gt;If you need to configure more inputs using the same protocol and port but having different sources, you have to do this only via conf file.&lt;/P&gt;&lt;P&gt;Ciao.&lt;/P&gt;&lt;P&gt;Giuseppe&lt;/P&gt;</description>
      <pubDate>Thu, 28 Sep 2023 16:15:27 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/UDP-input-acceptFrom-overriding-the-catchall/m-p/658976#M111443</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2023-09-28T16:15:27Z</dc:date>
    </item>
    <item>
      <title>Re: UDP input acceptFrom overriding the catchall</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/UDP-input-acceptFrom-overriding-the-catchall/m-p/659003#M111446</link>
      <description>&lt;P&gt;Nope, I am using inputs.conf.&lt;/P&gt;</description>
      <pubDate>Thu, 28 Sep 2023 19:37:57 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/UDP-input-acceptFrom-overriding-the-catchall/m-p/659003#M111446</guid>
      <dc:creator>hiersdd</dc:creator>
      <dc:date>2023-09-28T19:37:57Z</dc:date>
    </item>
    <item>
      <title>Re: UDP input acceptFrom overriding the catchall</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/UDP-input-acceptFrom-overriding-the-catchall/m-p/659040#M111448</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/261003"&gt;@hiersdd&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;my first hint is to use a syslog server like rsyslog or syslog-ng so it also receives syslogs when Splunk is down.&lt;/P&gt;&lt;P&gt;You could also use SC4S (&lt;A href="https://splunkbase.splunk.com/app/4740" target="_blank"&gt;https://splunkbase.splunk.com/app/4740&lt;/A&gt;), which is syslog-ng plus a Universal Forwarder.&lt;/P&gt;&lt;P&gt;In this way you can easily manage inputs.&lt;/P&gt;&lt;P&gt;Anyway, did you try to use an input like the following?&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;[udp://192.168.2.*:514]
connection_host = ip
index = checkpoint
sourcetype = syslog&lt;/LI-CODE&gt;&lt;P&gt;Ciao.&lt;/P&gt;&lt;P&gt;Giuseppe&lt;/P&gt;</description>
      <pubDate>Fri, 29 Sep 2023 06:34:13 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/UDP-input-acceptFrom-overriding-the-catchall/m-p/659040#M111448</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2023-09-29T06:34:13Z</dc:date>
    </item>
    <item>
      <title>Re: UDP input acceptFrom overriding the catchall</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/UDP-input-acceptFrom-overriding-the-catchall/m-p/665949#M111801</link>
      <description>&lt;P&gt;Thanks for the suggestion. I do admit and agree that the easiest and best option at this point is to just take the syslog-ng route, but I was trying to figure out how to do this natively in Splunk if possible.&amp;nbsp; It does not seem like the IP wildcard works in a TCP/UDP stanza, at least not in my 9.X UF:&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;i.e. this did not work:&lt;/P&gt;&lt;PRE&gt;[udp://192.168.2.*:514]
connection_host = ip
index = checkpoint
sourcetype = syslog&lt;/PRE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Additionally, I think I have figured out that the problem with using the acceptFrom as I originally showed was that Splunk will only process the first stanza of any particular PORT so there can't be a "fall back to the catchall" type logic if you are only using [udp://514] or [tcp://514]. You CAN have a generic port stanza and an IP specific stanza and that arrangement will be honored ie:&amp;nbsp;&lt;/P&gt;&lt;P&gt;[udp://192.168.1.1:514]&lt;/P&gt;&lt;P&gt;index=singularDeviceIndex&lt;/P&gt;&lt;P&gt;[udp://514]&lt;/P&gt;&lt;P&gt;index=catchallDeviceIndex&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;But I can't figure out how to make this work (or it just can't be done):&lt;/P&gt;&lt;P&gt;[udp://514]&lt;/P&gt;&lt;P&gt;acceptFrom=192.168.1.0/24&lt;/P&gt;&lt;P&gt;index=WhateversInThatSubnetOnly&lt;/P&gt;&lt;P&gt;[udp://514]&lt;/P&gt;&lt;P&gt;index=AnythingAndEverythingElse&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 24 Oct 2023 01:34:44 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/UDP-input-acceptFrom-overriding-the-catchall/m-p/665949#M111801</guid>
      <dc:creator>hiersdd</dc:creator>
      <dc:date>2023-10-24T01:34:44Z</dc:date>
    </item>
  </channel>
</rss>

