Getting Data In

Configuring udp with multiple ipaddress

santosh_hb
Explorer

Hi, I would like to configure my inputs.conf with UDP on port 514,
like below:

udp://[remote_server]:[port_number]

My query is: can I add multiple IP addresses in the remote_server field, as I want to receive the data from a particular set of IP addresses?

regards,
Santosh


harsmarvania57
SplunkTrust

Hi,

No, you can't specify multiple IP addresses in a udp stanza in inputs.conf.

But you can use the configuration below to restrict your UDP port to accepting traffic only from certain IP addresses.

inputs.conf

[udp://514]
acceptFrom = 10.10.0.1, 10.20.0.1, ....., 10.100.0.1

From the Splunk docs:

acceptFrom = <network_acl> ...
* Lists a set of networks or IP addresses from which to accept connections.
* Specify multiple rules with commas or spaces.
* Each rule can be in the following forms:
    1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")
    2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32")
    3. A DNS name, possibly with a "*" used as a wildcard (examples:
       "myhost.example.com", "*.splunk.com")
    4. "*", which matches anything.
* You can also prefix an entry with '!' to cause the rule to reject the
  connection. The input applies rules in order, and uses the first one that
  matches.
  For example, "!10.1/16, *" allows connections from everywhere except
  the 10.1.*.* network.
* Default: "*" (accept from anywhere)

NOTE:

  1. Please keep in mind that if you are running your Splunk instance as a non-root user, you can't bind a port below 1024 on Linux servers; only the root user can bind ports below 1024 on Linux.
  2. I'd suggest using syslog to accept traffic from network, security, or any other devices that send data over syslog. If you receive syslog traffic directly on Splunk, you will lose data during a Splunk restart; with a syslog daemon like rsyslog or syslog-ng, the data is written to a file on disk, the Splunk UF can monitor that log file, and you will not lose data.

santosh_hb
Explorer

Hi, I have a range of IP addresses like 10.21.100.1, 10.21.100.2, 10.21.100.3, 10.21.100.4, 10.21.100.5 ... 10.21.100.15.
So, how can I pass these values to the acceptFrom field? Is there a shorter way other than listing all the IP addresses individually?
Can I just specify 10.21.100.1/15 (CIDR block method)?


harsmarvania57
SplunkTrust

As you have 15 IP addresses, which don't fit in a single CIDR block, you can try something like this. I am not sure whether a combination of a CIDR block and an IP address will work or not, but you can give it a try.

acceptFrom = 10.21.100.0/28, 10.21.100.15

To see how CIDR calculates IP ranges, try googling "subnet calculation" and you will be able to figure out what 10.21.100.0/28 means.

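To make the acceptFrom semantics quoted from the Splunk docs above concrete (ordered rules, first match wins, "!" negation, "10/8"-style CIDR shorthand, DNS wildcards) and to show exactly which addresses the 10.21.100.0/28 block in the answer above covers, here is a small Python model of that ACL evaluation. This is an added example written for this page, not Splunk's own code: it assumes the caller supplies the source IP (and, for DNS rules, an already-resolved hostname), and it treats "no rule matched" as reject, which is what the trailing "*" in the doc's "!10.1/16, *" example implies.

```python
import fnmatch
import ipaddress


def _parse_network(rule):
    """Expand Splunk-style shorthand ("10/8", "fe80:1234/32") into an ip_network.

    A bare address without a prefix becomes a single-host network (/32 or /128).
    """
    addr, _, prefix = rule.partition("/")
    if ":" in addr:
        # IPv6 shorthand: "fe80:1234" -> "fe80:1234::"
        if "::" not in addr:
            addr += "::"
    else:
        # IPv4 shorthand: pad missing octets with zeros, "10.1" -> "10.1.0.0"
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    text = f"{addr}/{prefix}" if prefix else addr
    return ipaddress.ip_network(text, strict=False)


def parse_accept_from(value):
    """Turn an acceptFrom string into an ordered list of (negate, kind, matcher).

    Entries may be separated by commas or spaces, as the doc text states.
    Assumption: a token starting with a digit or containing ':' is an address
    or network; anything else is treated as a (possibly wildcarded) DNS name.
    """
    rules = []
    for token in value.replace(",", " ").split():
        negate = token.startswith("!")
        if negate:
            token = token[1:]
        if token == "*":
            rules.append((negate, "any", None))
        elif token[0].isdigit() or ":" in token:
            rules.append((negate, "net", _parse_network(token)))
        else:
            rules.append((negate, "dns", token.lower()))
    return rules


def is_accepted(rules, src_ip, src_hostname=None):
    """Apply the rules in order and return the verdict of the first match.

    Returns False when nothing matches (implicit reject, an assumption here).
    """
    ip = ipaddress.ip_address(src_ip)
    for negate, kind, matcher in rules:
        if kind == "any":
            hit = True
        elif kind == "net":
            # Membership across IP versions is simply False, no exception.
            hit = ip in matcher
        else:
            hit = src_hostname is not None and fnmatch.fnmatchcase(
                src_hostname.lower(), matcher
            )
        if hit:
            return not negate
    return False


def covered_addresses(rule):
    """List every address inside a CIDR rule, e.g. to check what /28 spans."""
    return [str(a) for a in _parse_network(rule)]


# Constructed sample: the acceptFrom value suggested in the thread above.
ACCEPT_FROM = "10.21.100.0/28, 10.21.100.15"

if __name__ == "__main__":
    rules = parse_accept_from(ACCEPT_FROM)
    for src in ("10.21.100.1", "10.21.100.15", "10.21.100.16", "10.99.0.1"):
        print(src, "accepted" if is_accepted(rules, src) else "rejected")
    print("10.21.100.0/28 covers", covered_addresses("10.21.100.0/28"))
```

Running it shows that 10.21.100.0/28 already spans 10.21.100.0 through 10.21.100.15 (16 addresses), so the extra 10.21.100.15 entry is harmless but redundant, and that 10.21.100.16 falls outside the block and is rejected. Note that the Splunk excerpt above says the block only handles whichever rule matches first, so ordering a broad "*" before a "!" rule would silently disable the rejection.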

santosh_hb
Explorer

Thanks for the details. I tried it the same way. It's working.


santosh_hb
Explorer

Hi Harshil, thanks for the reply. I will check this flow. Regards, Santosh
