Hi, I would like to configure my inputs.conf with udp on port 514.
My query is can I add multiple ipaddress in the remote_server field as I want to receive the data from a particular set of ipaddresses.
No you can't specify multiple IP address in udp stanza in inputs.conf
But you can do below configuration to restrict your UDP port to accept traffic from certain IP addresses.
[udp://514] acceptFrom = 10.10.0.1, 10.20.0.1, ....., 10.100.0.1
From Splunk doc
acceptFrom = <network_acl> ... * Lists a set of networks or IP addresses from which to accept connections. * Specify multiple rules with commas or spaces. * Each rule can be in the following forms: 1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3") 2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32") 3. A DNS name, possibly with a "*"" used as a wildcard (examples: "myhost.example.com", "*.splunk.com") 4. "*", which matches anything. * You can also prefix an entry with '!' to cause the rule to reject the connection. The input applies rules in order, and uses the first one that matches. For example, "!10.1/16, *" allows connections from everywhere except the 10.1.*.* network. * Default: "*" (accept from anywhere)
Hi, I have a range of ipaddresses like, 10.21.100.1, 10.21.100.2, 10.21.100.3, 10.21.100.4, 10.21.100.5....10.21.100.15.
So, how can I pass these values to acceptFrom field. Is there a shorter way other than mentioning all the ipaddresses specifically.
Can I just mention as 10.21.100.1/15 (CIDR block method)..
As you have 15 IP addresses which doesn't fix under single CIDR block so you can try something like this, I am not sure whether combination of CIDR and IP address will work or not but you can give it try.
acceptFrom = 10.21.100.0/28, 10.21.100.15
How CIDR calculates IP ranges then try to google Subnet calculation and you will able to figure out what is the meaning of