https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-forwarder/m-p/141310#M28952 <P>Then I would really suggest fw rule, preferably on the network, but local will also work. Perhaps you should also look at the </P> <P><CODE>acceptFrom = &lt;network_acl&gt;</CODE></P> <P>setting in inputs.conf where you define the forwarder connections (splunktcp:9997, or whatever port you're already listening to). From the docs on inputs.conf:</P> <P><CODE>Entries can also be prefixed with '!' to cause the rule to reject the connection. Rules are applied in order, and the first one to match is used. For example, "!10.1/16, *" will allow connections from everywhere except the 10.1.*.* network.</CODE></P> Fri, 07 Feb 2014 16:57:17 GMT kristian_kolb 2014-02-07T16:57:17Z https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-forwarder/m-p/141304#M28946 <P>I have a 250 forwarders in my environment. I have one server that no one can reach a solution on due to low priority. The box is killing my indexer with storage errors. I have no control over uninstalling the forwarder.</P> <P>I would like to blacklist this forwarder. Is this something that can be done and how?</P> Wed, 22 Mar 2023 15:34:55 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-forwarder/m-p/141304#M28946 mad4wknds 2023-03-22T15:34:55Z https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-forwarder/m-p/141305#M28947 <P>What version of splunk on the indexer?</P> Fri, 07 Feb 2014 00:32:39 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-forwarder/m-p/141305#M28947 lukejadamec 2014-02-07T00:32:39Z https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-forwarder/m-p/141306#M28948 <P>One thing that you can do immediately is to set up a regex transform on your indexer to remove the unwanted data. The example below will re-route <EM>all</EM> data from that host to the trash can.</P> <P>props.conf</P> <PRE><CODE>[host::your_host] TRANSFORMS-remove_stuff = setnull </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>NB: you can make a more selective filtering by writing a more specific regex, so that you actually get to keep those events that you like.</P> <P>Read more here;</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/Anonymizedatausingconfigurationfiles">http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/Anonymizedatausingconfigurationfiles</A></P> <P>/k</P> Fri, 07 Feb 2014 00:38:10 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-forwarder/m-p/141306#M28948 kristian_kolb 2014-02-07T00:38:10Z https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-forwarder/m-p/141307#M28949 <P>You could try something like this. I'm pretty sure it will also drop <CODE>_internal</CODE> logs because it is filtering by host. Put these stanzas in the files on the indexer in <CODE>splunk\etc\system\local</CODE>, and restart Splunk. This will only affect new events.</P> <P>props.conf</P> <PRE><CODE>[host::hostname] TRANSFORMS-drop = drop_event transforms.conf </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[drop_event] REGEX = . DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> Fri, 07 Feb 2014 00:40:01 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-forwarder/m-p/141307#M28949 lukejadamec 2014-02-07T00:40:01Z https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-forwarder/m-p/141308#M28950 <P>Works great for the "Queue" but I need a total blackout meaning that it is still and blocking other queues.</P> <P>Thanks for the response.</P> Fri, 07 Feb 2014 16:29:54 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-forwarder/m-p/141308#M28950 mad4wknds 2014-02-07T16:29:54Z https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-forwarder/m-p/141309#M28951 <P>Not sure I understand. This should drop everything from the host. What is still getting indexed?</P> Fri, 07 Feb 2014 16:56:41 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-forwarder/m-p/141309#M28951 lukejadamec 2014-02-07T16:56:41Z https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-forwarder/m-p/141310#M28952 <P>Then I would really suggest fw rule, preferably on the network, but local will also work. Perhaps you should also look at the </P> <P><CODE>acceptFrom = &lt;network_acl&gt;</CODE></P> <P>setting in inputs.conf where you define the forwarder connections (splunktcp:9997, or whatever port you're already listening to). From the docs on inputs.conf:</P> <P><CODE>Entries can also be prefixed with '!' to cause the rule to reject the connection. Rules are applied in order, and the first one to match is used. For example, "!10.1/16, *" will allow connections from everywhere except the 10.1.*.* network.</CODE></P> Fri, 07 Feb 2014 16:57:17 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-forwarder/m-p/141310#M28952 kristian_kolb 2014-02-07T16:57:17Z https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-forwarder/m-p/141311#M28953 <P>lukejadamec, well, regex transforms take place after linebreaking, timestamping etc, so if there is <EM>really</EM> a lot of crap coming from the evil forwarder, it could affect the event processing... I guess.</P> Fri, 07 Feb 2014 16:59:36 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-forwarder/m-p/141311#M28953 kristian_kolb 2014-02-07T16:59:36Z https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-forwarder/m-p/141312#M28954 <P>Thank you kristian.kolb the "acceptFrom" is the answer I was really looking for.</P> <P>Thanks again</P> Fri, 07 Feb 2014 17:09:12 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-forwarder/m-p/141312#M28954 mad4wknds 2014-02-07T17:09:12Z https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-forwarder/m-p/141313#M28955 <P>You could deny all incoming connections from that host like this:</P> <PRE><CODE>iptables -A INPUT -s 1.2.3.4 -j DROP </CODE></PRE> <P>That's fairly invasive though, talk to your system or network administrators first.</P> Fri, 07 Feb 2014 17:12:09 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-forwarder/m-p/141313#M28955 martin_mueller 2014-02-07T17:12:09Z https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-forwarder/m-p/141314#M28956 <P>Kristian -- I just wanted to thank you for your suggestion to use acceptFrom in inputs.conf. It was the only thing that finally worked for me to shut down traffic from some "rogue" forwarders. Sending things to nullQueue via props.conf and transforms.conf has worked for me for other things, but I couldn't find any combination that would work for this. Thanks again.</P> Wed, 04 Mar 2015 17:02:42 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-forwarder/m-p/141314#M28956 teedilo 2015-03-04T17:02:42Z https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-forwarder/m-p/635506#M108738 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/6332">@kristian_kolb</a>, If I create this in a specific app called e.g twistlock_parsing to remove events coming from host 127.0.0.1 only within a specific index e.g azure_twistlock - will this drop all events across all indexes containing that ip? I only want that IP address dropped in index azure_twistlock. I have already tried the solution from this page:&nbsp;<A href="https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-host-hosts-is-sending-logs-to-Splunk-via-TCP/m-p/289283" target="_blank" rel="noopener">https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-host-hosts-is-sending-logs-to-Splunk-via-TCP/m-p/289283</A>&nbsp;and it didn't work</P> Wed, 22 Mar 2023 14:56:02 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-forwarder/m-p/635506#M108738 Tinza 2023-03-22T14:56:02Z