topic Re: Block Specific host/ip on indexer in Getting Data In

Block Specific host/ip on indexer

kpavan — Thu, 11 Sep 2014 05:27:58 GMT

Hi,

I want to block the specific host/ip which sending logs to indexers for a time being later would need to enable to again. Is there a way to block on indexer level and how?

Thanks!

Re: Block Specific host/ip on indexer

kristian_kolb — Thu, 11 Sep 2014 05:45:03 GMT

You should probably take a look at the documentation for inputs.conf:

acceptFrom = <network_acl> ...
* Lists a set of networks or addresses to accept connections from.  These rules are separated by commas or spaces
* Each rule can be in the following forms:
*   1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")
*   2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32")
*   3. A DNS name, possibly with a '*' used as a wildcard (examples: "myhost.example.com", "*.splunk.com")
*   4. A single '*' which matches anything
* Entries can also be prefixed with '!' to cause the rule to reject the
  connection.  Rules are applied in order, and the first one to match is
  used.  For example, "!10.1/16, *" will allow connections from everywhere
  except the 10.1.*.* network.
* Defaults to "*" (accept from anywhere)

Re: Block Specific host/ip on indexer

kpavan — Thu, 11 Sep 2014 06:55:09 GMT

Thanks for your quick respose!

I have tried the acceptForm for one IP and its worked. Now i have curious to know if we have different range of ip address or different DNS names how could we achieve using the acceptForm.

like:

10.1.2.3
192.1.2.2
172.1.1.2

Thanks!

Re: Block Specific host/ip on indexer

kristian_kolb — Thu, 11 Sep 2014 07:13:03 GMT

Not that I have tried it, but - as it says in the docs;

* Lists a set of networks or addresses to accept connections from. These rules are separated by commas or spaces

From that statement I would guess something like this should work for blocking more than one host:

acceptFrom = !10.1.2.3, !192.168.1.0/24, !*.test.domain.com

Re: Block Specific host/ip on indexer

timmy13 — Wed, 11 Mar 2015 13:57:51 GMT

I have the following....

[tcp]
acceptFrom = !txindex1, *

on my indexer, yet I am still getting traffic recorded from the host txindex1. Any ideas?

Re: Block Specific host/ip on indexer

DennisFFM — Fri, 03 Jun 2016 12:03:25 GMT

Maybe delete the wildcard.
As far as I know !txindex1 only blocks this one host and every other is allowed.
So the wildcard(*) ist not needed.

Re: Block Specific host/ip on indexer

Michael — Wed, 05 Apr 2017 12:55:32 GMT

But the cryptic documentation shows the * in there... I wish they would at show an example. I can't get it to work either, and again "from the documentation" it's unclear to be if there should be "quotes" around the arguments...

Re: Block Specific host/ip on indexer

azurite — Wed, 09 Aug 2017 14:02:38 GMT

I also think the document needs clarity. Based on the documentation appears, " is used for logical argument breaks:

A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3") 
A CIDR block of addresses (examples: "10/8", "fe80:1234/32")
A DNS name, possibly with a '*' used as a wildcard (examples: "myhost.example.com", "*.splunk.com")
For example, "!10.1/16, *" will allow connections from everywhere  except the 10.1.*.* network.

However, it does not behave this way...

Examples:  acceptFrom = 10.1.1.1, 10.1.1.2, 10.1.1.3, 10.1.1.4 
Only allows connection from 10.1.1.1, 10.1.1.2, 10.1.1.3, 10.1.1.4

Example: acceptFrom = "10.1.1.1, 10.1.1.2, 10.1.1.3, 10.1.1.4"
Does not allow connections from 10.1.1.1, 10.1.1.2, 10.1.1.3, 10.1.1.4

Example: acceptFrom = "10.1.1.1", "10.1.1.2", "10.1.1.3", "10.1.1.4"
Does not allow connections from 10.1.1.1, 10.1.1.2, 10.1.1.3, 10.1.1.4

I am using Splunk Enterprise 6.6.2 and have the rare opportunity to build from scratch in AWS, thus allow me test the settings thoroughly...