https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-stop-ingesting-from-1-of-4-firewalls/m-p/588751#M10662 <P>I need to stop ingesting from 1 of 4 of my firewalls.&nbsp;</P><P>The path of our architecture is&nbsp; firewalls &gt;&gt;&gt;syslog&gt;&gt;&gt;&gt;deployment server&gt;&gt;indexer cluster&gt;&gt;&gt;&gt;search head</P><P>I have tried commenting them out under deployment apps (inputs.conf ) in the deployment server, but&nbsp; I am still seeing ingestion from that firewall.&nbsp;</P><P>Any help is appreciated!&nbsp;</P> Fri, 11 Mar 2022 15:30:04 GMT sandyvaldez 2022-03-11T15:30:04Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-stop-ingesting-from-1-of-4-firewalls/m-p/588751#M10662 <P>I need to stop ingesting from 1 of 4 of my firewalls.&nbsp;</P><P>The path of our architecture is&nbsp; firewalls &gt;&gt;&gt;syslog&gt;&gt;&gt;&gt;deployment server&gt;&gt;indexer cluster&gt;&gt;&gt;&gt;search head</P><P>I have tried commenting them out under deployment apps (inputs.conf ) in the deployment server, but&nbsp; I am still seeing ingestion from that firewall.&nbsp;</P><P>Any help is appreciated!&nbsp;</P> Fri, 11 Mar 2022 15:30:04 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-stop-ingesting-from-1-of-4-firewalls/m-p/588751#M10662 sandyvaldez 2022-03-11T15:30:04Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-stop-ingesting-from-1-of-4-firewalls/m-p/588761#M10663 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/243540">@sandyvaldez</a>&nbsp;</P><P>are you sure its syslog &gt;&gt;deployment server&nbsp;</P><P>usually its&nbsp; syslog&gt;&gt; HF &gt;&gt;indexer cluster&nbsp;<BR /><BR /></P><P>i guess you are missing a HF component and its where you were probably should be looking</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 11 Mar 2022 16:02:27 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-stop-ingesting-from-1-of-4-firewalls/m-p/588761#M10663 venky1544 2022-03-11T16:02:27Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-stop-ingesting-from-1-of-4-firewalls/m-p/588776#M10664 <P>Hi and Thanks for your insight. See below.&nbsp;</P><P>&nbsp;</P><P>This is the exact architecture. This was created before I came onboard. Do you know where I would need to remove or comment out this firewall?</P> Mon, 14 Mar 2022 15:57:19 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-stop-ingesting-from-1-of-4-firewalls/m-p/588776#M10664 sandyvaldez 2022-03-14T15:57:19Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-stop-ingesting-from-1-of-4-firewalls/m-p/588816#M10665 <P>If your firewalls are sending data to Splunk via syslog (which means Splunk is "receiving" the data from firewall and not "pulling/fetching" it), then best way would be to turn off syslog sending on the firewall appliance from which you don't want data to come.&nbsp;</P><P>Other option would be to "ignore" the incoming data from that 1 firewall. (I would go this route if I can't do first approach). You'll have to look at your Syslog server (splunklogs01) and find the data input which is monitoring syslog data files from that firewall and find a way to turn it off (either commenting the monitoring of that firewall related file if there is a separate file monitoring setup for each firewall OR adding blacklist attribute if a single monitoring stanza is used).</P><P>If they all log into same log file, then you'd have to filter the data and drop those events from being indexed.&nbsp; This filtering would be setup on your indexers. You can find filtering configurations here:&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.2.5/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.2.5/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues</A></P> Fri, 11 Mar 2022 20:38:43 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-stop-ingesting-from-1-of-4-firewalls/m-p/588816#M10665 somesoni2 2022-03-11T20:38:43Z