<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How do we find users who installed forwarders without permission and also restrict unauthorized forwarders in the future? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/How-do-we-find-users-who-installed-forwarders-without-permission/m-p/177298#M35525</link>
    <description>&lt;P&gt;On the indexers, in the inputs.conf that specifies the listening port, set a default splunktcp stanza that lists the allowed forwarders. Example:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[splunktcp]
acceptFrom = 10.1.1.2,10.3.1.*
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;In the acceptFrom, you can list the allowed forwarders by IP address, DNS name, etc. You can use wildcards as well. More information in the Admin manual on &lt;A href="http://docs.splunk.com/Documentation/Splunk/6.2.3/Admin/Inputsconf"&gt;inputs.conf&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;This will stop the incoming data from unauthorized forwarders. You can search the _internal index to see where the data has come from in the past. Here is a very simple search that lists forwarders and how much data has come from each:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;index=_internal source=*metrics.log group=tcpin_connections
| eval sourceHost=coalesce(sourceHost,hostname)
| fields sourceHost kb 
| timechart sum(kb) AS kb_forwarded by sourceHost
&lt;/CODE&gt;&lt;/PRE&gt;</description>
    <pubDate>Fri, 26 Jun 2015 08:03:03 GMT</pubDate>
    <dc:creator>lguinn2</dc:creator>
    <dc:date>2015-06-26T08:03:03Z</dc:date>
    <item>
      <title>How do we find users who installed forwarders without permission and also restrict unauthorized forwarders in the future?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-do-we-find-users-who-installed-forwarders-without-permission/m-p/177297#M35524</link>
      <description>&lt;P&gt;In my Company we have a particulate team who works on Splunk and a few users had installed the Forwarder without us knowing. How do we find those users and, in future, how to restrict users from doing this again?&lt;/P&gt;</description>
      <pubDate>Fri, 26 Jun 2015 07:50:17 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-do-we-find-users-who-installed-forwarders-without-permission/m-p/177297#M35524</guid>
      <dc:creator>yu94</dc:creator>
      <dc:date>2015-06-26T07:50:17Z</dc:date>
    </item>
    <item>
      <title>Re: How do we find users who installed forwarders without permission and also restrict unauthorized forwarders in the future?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-do-we-find-users-who-installed-forwarders-without-permission/m-p/177298#M35525</link>
      <description>&lt;P&gt;On the indexers, in the inputs.conf that specifies the listening port, set a default splunktcp stanza that lists the allowed forwarders. Example:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[splunktcp]
acceptFrom = 10.1.1.2,10.3.1.*
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;In the acceptFrom, you can list the allowed forwarders by IP address, DNS name, etc. You can use wildcards as well. More information in the Admin manual on &lt;A href="http://docs.splunk.com/Documentation/Splunk/6.2.3/Admin/Inputsconf"&gt;inputs.conf&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;This will stop the incoming data from unauthorized forwarders. You can search the _internal index to see where the data has come from in the past. Here is a very simple search that lists forwarders and how much data has come from each:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;index=_internal source=*metrics.log group=tcpin_connections
| eval sourceHost=coalesce(sourceHost,hostname)
| fields sourceHost kb 
| timechart sum(kb) AS kb_forwarded by sourceHost
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Fri, 26 Jun 2015 08:03:03 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-do-we-find-users-who-installed-forwarders-without-permission/m-p/177298#M35525</guid>
      <dc:creator>lguinn2</dc:creator>
      <dc:date>2015-06-26T08:03:03Z</dc:date>
    </item>
    <item>
      <title>Re: How do we find users who installed forwarders without permission and also restrict unauthorized forwarders in the future?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-do-we-find-users-who-installed-forwarders-without-permission/m-p/177299#M35526</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;

&lt;P&gt;You can do this by going in inputs.conf on the indexer, you can either configure the splunktcp input to only accept from a specific IP address. That is not as useful, so you can also use the acceptFrom parameter to provide a list of network address ranges. See the docs for inputs.conf.&lt;/P&gt;

&lt;P&gt;You can also use SSL and require a client certificate. If you do this, then any client must present a certificate that is signed by a specified certificate authority.&lt;/P&gt;</description>
      <pubDate>Fri, 26 Jun 2015 08:09:20 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-do-we-find-users-who-installed-forwarders-without-permission/m-p/177299#M35526</guid>
      <dc:creator>ngatchasandra</dc:creator>
      <dc:date>2015-06-26T08:09:20Z</dc:date>
    </item>
  </channel>
</rss>

