https://community.splunk.com/t5/Installation/Reduce-specific-logging/m-p/288584#M7689 <P>Why don't you manually <CODE>null-route</CODE> the attacking host's IP on the attacked device so it can no longer attempt to connect? Then the failed logins do not happen. For that matter, why is this kind of mitigation not automatically in place in your network (e.g. <CODE>fail2ban</CODE> or whatever)? Remove it when the proper configuration is in place.</P> <P><A href="https://en.wikipedia.org/wiki/Null_route">https://en.wikipedia.org/wiki/Null_route</A><BR /> P.S. I know that this is not an "attack".</P> Tue, 04 Jul 2017 15:12:34 GMT woodcock 2017-07-04T15:12:34Z https://community.splunk.com/t5/Installation/Reduce-specific-logging/m-p/288580#M7685 <P>When there's a huge influx of incoming logging of blocked attempts on the firewall from one specific (external) source, is it possible to (temporarily) decrease/disable the amount of logging being received from this specific source so it doesn't flood our license when it's a known issue? </P> <P>Thanks in advance for the response</P> Tue, 04 Jul 2017 09:42:38 GMT https://community.splunk.com/t5/Installation/Reduce-specific-logging/m-p/288580#M7685 mmoermans 2017-07-04T09:42:38Z https://community.splunk.com/t5/Installation/Reduce-specific-logging/m-p/288581#M7686 <P>Hi mmoermans,<BR /> it's possible to create a filter but the problem is that you have to restart Splunk to enable it.<BR /> At this point it's easier to stop log forwarding from your firewall and restart it after the tempest. <BR /> Bye.<BR /> Giuseppe</P> Tue, 04 Jul 2017 14:53:43 GMT https://community.splunk.com/t5/Installation/Reduce-specific-logging/m-p/288581#M7686 gcusello 2017-07-04T14:53:43Z https://community.splunk.com/t5/Installation/Reduce-specific-logging/m-p/288582#M7687 <P>hello there, <BR /> i am not aware of anything "out of the box" that splunk has for that situation, if there is, would love to learn about it. <BR /> With that being said, one thing i can think of is setting an alert on your condition,<BR /> add trigger a script to that alert and have the script writing props and transforms that sending the unwanted data to nullqueue. Challenge here is how you reset back to your original configurations. maybe the script will also have a timer to reset after X amount of time.<BR /> there are other challenges with that approach, specially if this is a clustered environment.<BR /> hope it slightly helps</P> Tue, 04 Jul 2017 15:03:09 GMT https://community.splunk.com/t5/Installation/Reduce-specific-logging/m-p/288582#M7687 adonio 2017-07-04T15:03:09Z https://community.splunk.com/t5/Installation/Reduce-specific-logging/m-p/288583#M7688 <P>The only practical way is to stop splunk on that forwarder (host).</P> Tue, 04 Jul 2017 15:08:54 GMT https://community.splunk.com/t5/Installation/Reduce-specific-logging/m-p/288583#M7688 woodcock 2017-07-04T15:08:54Z https://community.splunk.com/t5/Installation/Reduce-specific-logging/m-p/288584#M7689 <P>Why don't you manually <CODE>null-route</CODE> the attacking host's IP on the attacked device so it can no longer attempt to connect? Then the failed logins do not happen. For that matter, why is this kind of mitigation not automatically in place in your network (e.g. <CODE>fail2ban</CODE> or whatever)? Remove it when the proper configuration is in place.</P> <P><A href="https://en.wikipedia.org/wiki/Null_route">https://en.wikipedia.org/wiki/Null_route</A><BR /> P.S. I know that this is not an "attack".</P> Tue, 04 Jul 2017 15:12:34 GMT https://community.splunk.com/t5/Installation/Reduce-specific-logging/m-p/288584#M7689 woodcock 2017-07-04T15:12:34Z https://community.splunk.com/t5/Installation/Reduce-specific-logging/m-p/288585#M7690 <P>The<CODE>splunky</CODE> way to do this now is with <CODE>Phantom</CODE>-based automation.</P> Fri, 08 Nov 2019 15:10:20 GMT https://community.splunk.com/t5/Installation/Reduce-specific-logging/m-p/288585#M7690 woodcock 2019-11-08T15:10:20Z