
Configuring udp with multiple ipaddress

Explorer

Hi, I would like to configure my inputs.conf with UDP on port 514,
like below:

udp://[remoteserver]:[portnumber]

My query is: can I add multiple IP addresses in the remote_server field, as I want to receive the data from a particular set of IP addresses?

regards,
Santosh


Re: Configuring udp with multiple ipaddress

SplunkTrust

Hi,

No, you can't specify multiple IP addresses in a udp stanza in inputs.conf.

But you can use the configuration below to restrict your UDP port to accept traffic only from certain IP addresses.

inputs.conf

[udp://514]
acceptFrom = 10.10.0.1, 10.20.0.1, ....., 10.100.0.1

From the Splunk doc:

acceptFrom = <network_acl> ...
* Lists a set of networks or IP addresses from which to accept connections.
* Specify multiple rules with commas or spaces.
* Each rule can be in the following forms:
    1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")
    2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32")
    3. A DNS name, possibly with a "*" used as a wildcard (examples:
       "myhost.example.com", "*.splunk.com")
    4. "*", which matches anything.
* You can also prefix an entry with '!' to cause the rule to reject the
  connection. The input applies rules in order, and uses the first one that
  matches.
  For example, "!10.1/16, *" allows connections from everywhere except
  the 10.1.*.* network.
* Default: "*" (accept from anywhere)

NOTE:

  1. Please keep in mind that if you are running your Splunk instance as a non-root user, it can't bind a port below 1024 on Linux servers; only the root user can bind ports below 1024 on Linux.
  2. I'd suggest using a syslog server to accept traffic from network, security or any other devices that send data over syslog. If you receive syslog traffic directly on Splunk, you will lose data during a Splunk restart; with a syslog daemon like rsyslog or syslog-ng, the data is written to a file on disk, a Splunk UF can monitor that log file, and you will not lose data.

Re: Configuring udp with multiple ipaddress

Explorer

Hi Harshil, thanks for the reply. I will check this flow.

regards,
Santosh


Re: Configuring udp with multiple ipaddress

Explorer

Hi, I have a range of IP addresses like 10.21.100.1, 10.21.100.2, 10.21.100.3, 10.21.100.4, 10.21.100.5 ... 10.21.100.15.
So, how can I pass these values to the acceptFrom field? Is there a shorter way other than listing all the IP addresses explicitly?
Can I just write 10.21.100.1/15 (CIDR block method)?


Re: Configuring udp with multiple ipaddress

SplunkTrust

As you have 15 IP addresses, which don't fit under a single CIDR block, you can try something like this. I am not sure whether a combination of CIDR and a single IP address will work, but you can give it a try.

acceptFrom = 10.21.100.0/28, 10.21.100.15

For how CIDR calculates IP ranges, try googling "subnet calculation" and you will be able to figure out what 10.21.100.0/28 means.

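To check which sources an acceptFrom value admits before restarting the input, here is an added Python model of the rule semantics quoted from the spec above (this is not Splunk's code; it assumes the abbreviated IPv4 CIDR form such as "10.1/16" is zero-padded, that a source matching no rule is rejected, and it leaves out DNS-name rules):

```python
import ipaddress
# Added model of the documented acceptFrom semantics (not Splunk's own code):
# comma/space separated rules, first match wins, '!' negates. Assumptions:
# the abbreviated IPv4 CIDR form ("10/8", "10.1/16") pads missing octets with
# zeros; a source matching no rule at all is rejected; DNS-name rules are not
# modelled here.
def _expand(rule: str):
    """Turn one address or CIDR rule into an ip_network object."""
    if "/" not in rule:
        return ipaddress.ip_network(rule)          # single address -> /32 or /128
    host, prefix = rule.split("/", 1)
    if ":" not in host:                            # IPv4: pad "10.1" -> "10.1.0.0"
        octets = host.split(".")
        host = ".".join(octets + ["0"] * (4 - len(octets)))
    # strict=False lets host bits be set, as in the "10.21.100.1/15" question
    return ipaddress.ip_network(f"{host}/{prefix}", strict=False)

def parse_accept_from(value: str):
    """Split an acceptFrom value into (negated, network-or-None) rules in order."""
    rules = []
    for token in value.replace(",", " ").split():
        negated = token.startswith("!")
        token = token[1:] if negated else token
        rules.append((negated, None if token == "*" else _expand(token)))
    return rules

def is_accepted(value: str, source_ip: str) -> bool:
    """Apply the rules in order; the first rule that matches decides."""
    addr = ipaddress.ip_address(source_ip)
    for negated, net in parse_accept_from(value):
        if net is None or (net.version == addr.version and addr in net):
            return not negated
    return False                                    # assumption: no match -> reject

def cidr_span(rule: str) -> tuple:
    """First and last address a CIDR rule actually covers."""
    net = _expand(rule)
    return str(net.network_address), str(net.broadcast_address)

def unaccepted_in_range(value: str, first: str, last: str) -> list:
    """Addresses in [first, last] the ACL would reject; empty means full coverage."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)
            if not is_accepted(value, str(ipaddress.ip_address(i)))]

if __name__ == "__main__":
    print(cidr_span("10.21.100.1/15"))   # ('10.20.0.0', '10.21.255.255')
    print(cidr_span("10.21.100.0/28"))   # ('10.21.100.0', '10.21.100.15')
    print(unaccepted_in_range("10.21.100.0/28, 10.21.100.15", "10.21.100.1", "10.21.100.15"))  # []
```

cidr_span shows why 10.21.100.1/15 would admit 10.20.0.0 through 10.21.255.255 rather than fifteen hosts, while 10.21.100.0/28 on its own already spans .0 through .15.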

Re: Configuring udp with multiple ipaddress

Explorer

Thanks for the details. I tried it the same way. It's working.
