How to block a server from pushing data to our Splunk server

edwinmae
Path Finder
  1. We have a couple of unknown servers that push data to our Splunk server
  2. I am not able to access these servers and not able to find the owner of these servers

With the above in mind, I want to block these servers (from sending data) to our Splunk server, so they will no longer show up.

Is this possible?
And if so, how?

0 Karma

FritzWittwer_ol
Contributor

Two more options

  1. Set up IP filters on your Splunk Indexer(s) to block the IP addresses of these servers.
    Details depend on your operating system.

  2. Configure props.conf and transforms.conf to redirect events from these systems to the nullQueue

props.conf

[host::YOUR_HOSTS]
TRANSFORMS-DiscardHosts = DiscardHosts

transforms.conf

[DiscardHosts]
SOURCE_KEY = _TCP_ROUTING
REGEX = .
DEST_KEY = queue
WRITE_META = true
FORMAT = nullQueue
0 Karma

sbbadri
Motivator

Where does outputs.conf reside on those servers: under $SPLUNK_HOME$/etc/system/local or $SPLUNK_HOME$/etc/apps/your custom app/local?

0 Karma

gjanders
SplunkTrust

The inputs.conf has an acceptFrom parameter that can be used to blacklist addresses, perhaps that will work?
You could also consider blocking it at the OS level of your Splunk indexers or perhaps a security team or administration team could assist in tracking down the problematic server?

acceptFrom = <network_acl> ...
* Lists a set of networks or IP addresses from which to accept connections.
* Specify multiple rules with commas or spaces.
* Each rule can be in the following forms:
    1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")
    2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32")
    3. A DNS name, possibly with a '*' used as a wildcard (examples:
       "myhost.example.com", "*.splunk.com")
    4. A single '*', which matches anything.
* You can also prefix an entry with '!' to cause the rule to reject the
  connection. The input applies rules in order, and uses the first one
  that matches. For example, "!10.1/16, *" allows connections from everywhere
  except the 10.1.*.* network.
* Defaults to "*" (accept from anywhere)

edwinmae
Path Finder

As the above seemed the most logical option, I tried the following setup in my inputs.conf file, but it seemed to stop connectivity for all my servers:

acceptFrom = "!x.x.x.x, *"

--

We tracked down the owner of the server 🙂

0 Karma
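
The first-match rule evaluation quoted from the inputs.conf spec above, as an added example that is not part of the original thread and is not Splunk's code: it parses a candidate acceptFrom value, reports tokens that match none of the documented rule forms (for instance a token carrying a quote character), and decides accept or reject for a given forwarder address. The function names `parse_acl` and `decide`, the hostname pattern, and the refusal of peers that match no rule are assumptions made for this sketch.

```python
import fnmatch
import ipaddress
import re

# Assumption: DNS-form rules are hostnames that may contain '*' wildcards.
_DNS = re.compile(r"^[A-Za-z0-9*]([A-Za-z0-9*.-]*[A-Za-z0-9*])?$")


def _network(text):
    """Parse an address or CIDR rule, expanding short forms such as "10/8"."""
    addr, _, bits = text.partition("/")
    if bits and ":" in addr and "::" not in addr and addr.count(":") < 7:
        addr += "::"                          # "fe80:1234/32" -> "fe80:1234::/32"
    elif bits and re.fullmatch(r"\d+(\.\d+){0,2}", addr):
        addr += ".0" * (3 - addr.count("."))  # "10/8" -> "10.0.0.0/8"
    try:
        return ipaddress.ip_network(addr + ("/" + bits if bits else ""), strict=False)
    except ValueError:
        return None


def parse_acl(value):
    """Split on commas or spaces; return (rules, tokens matching no documented form)."""
    rules, invalid = [], []
    for token in filter(None, re.split(r"[,\s]+", value)):
        reject = token.startswith("!")
        body = token[1:] if reject else token
        net = _network(body)
        if net is not None:
            rules.append((reject, net))
        elif _DNS.match(body):
            rules.append((reject, body.lower()))
        else:
            invalid.append(token)
    return rules, invalid


def decide(rules, ip, hostname=None):
    """Return True to accept, False to reject; the first matching rule wins."""
    addr = ipaddress.ip_address(ip)
    for reject, pattern in rules:
        if isinstance(pattern, str):
            hit = pattern == "*" or (hostname is not None and
                                     fnmatch.fnmatchcase(hostname.lower(), pattern))
        else:
            hit = addr in pattern
        if hit:
            return not reject
    return False  # assumption: a peer that matches no rule is refused
```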

gjanders
SplunkTrust

That sounds like a documentation error...did you send feedback on that page of documentation? It will often get corrected if reported...

0 Karma

edwinmae
Path Finder

Comment is now posted (inputs.conf)

0 Karma

sbbadri
Motivator

@edwinmae

If you don't want to send any data to Splunk from those servers, remove outputs.conf from those servers from $SPLUNK_HOME$/etc/system/local or any custom app you have created for outputs.conf, so that the server doesn't know where to send the data.

0 Karma

edwinmae
Path Finder

Like I said, I am not able to access these servers.

Somebody installed the Splunk Forwarder and pointed it to our Splunk server.

We don't have a deploymentclient.conf file in system or default directory.

Other options?

0 Karma