topic Re: How does the indexer forward data to itself? in Getting Data In

How does the indexer forward data to itself?

benbabich — Fri, 02 Feb 2018 16:39:43 GMT

I want to blacklist some events that the Splunk server is sending to itself but my indexer isn't even running the SplunkForwarder Service and the inputs.conf file that I'd edit on my other servers doesn't effect what it's sending to itself.
Does it use an inputs.conf file in a different location?
Also, since it's not running the SplunkForwarder Service, what do I restart (if anything) after I edit the correct inputs.conf? Do I have to restart the Splunkd Service (ie: splunk itself)?

Re: How does the indexer forward data to itself?

somesoni2 — Fri, 02 Feb 2018 18:51:12 GMT

Splunk Indexer would have Splunk Enterprise version/product installed on it which would have full capabilities of Splunk including indexing and monitoring. The service name would be splunkd and it should be restarted when you make changes to inputs.conf. Side question, do you have indexer cluster OR use deployment server to deployment configs?

Re: How does the indexer forward data to itself?

benbabich — Tue, 06 Feb 2018 16:04:18 GMT

Its not a cluster. And I do not use a separate deployment server, I use the same server for that.

Re: How does the indexer forward data to itself?

somesoni2 — Tue, 06 Feb 2018 16:20:06 GMT

Ok.. than for local monitoring on your indexer server itself, you need to restart splunkd service after you make the change.

Re: How does the indexer forward data to itself?

gcusello — Tue, 06 Feb 2018 16:25:21 GMT

Hi benbabich,
which events do you want to blacklist? internal events?
if internal events, remember that they aren't in the license consuption.
Anyway, You can filter them in $SPLUNK_HOME/etc/system/local

Bye.
Giuseppe

Re: How does the indexer forward data to itself?

benbabich — Tue, 06 Feb 2018 18:23:04 GMT

I turned on auditing for .exe's so I can see psexec usage on servers. So I'm looking for some 4688 events (in windows security logs).I block most but I want to see the following:
whitelist2 = EventCode="4688" Message="(?:New Process Name:).+(?:cmd.exe)"
whitelist3 = EventCode="4688" Message="(?:New Process Name:).+(?:cscript.exe)"
whitelist4 = EventCode="4688" Message="(?:New Process Name:).+(?:wscript.exe)"
whitelist5 = EventCode="4688" Message="(?:New Process Name:).+(?:PsExec.exe)"
whitelist6 = EventCode="4688" Message="(?:Process Command Line:).+(?:cscript.exe?)"

It works on my servers but my Splunk indexer server now reports EVERY 4688 event (any .exe that is opened which is 100+ a minute) and I've added
blacklist1 = EventCode="4688"
to every inputs.conf file I can find on the server (including $SPLUNK_HOME/etc/system/local) and I can't get it to stop reporting 4688 events. I could just use host!=[servername] in a search head to not see those results but I'd rather just find a way to stop it entirely.