Hi All,
I'm seeking a little help to drop/off-board a device.
So we don't have any HF in our environment; we use our indexer as our HF also.
There is a Windows device xyz in our environment and we don't want a single log from this xyz server; it is directly sending logs to the indexer, not to the deployment server.
So I created 2 files, one is props.conf and the other is transforms.conf.
In props.conf:
[sourcetype name]
TRANSFORMS-win=eventlogs
In transforms.conf:
REGEX=xyz
DEST_KEY=queue
FORMAT=nullQueue
And I restarted the indexer.
But it is not working; I can still see the logs.
Can anyone please suggest where I went wrong?
Thank you in advance
Hi @debjit_k,
there's a little confusion in your question:
Deployment Server is a role to manage Forwarders (Universal and Heavy); it doesn't directly impact the data flow, it only checks and pushes configurations!
Then I suppose that you forgot to put the transforms.conf stanza header in your question; it should be the same one that you indicated in props.conf:
[eventlogs]
REGEX=xyz
DEST_KEY=queue
FORMAT=nullQueue
Anyway, if it doesn't run, you should check, at first, if there's an intermediate HF that cooks the data, but you said that there isn't any intermediate HF and that the data from the Universal Forwarders arrives directly at the Indexers.
If this is sure, you should check the regex you have in transforms.conf: are you sure that the regex "xyz" really matches the logs to send to nullQueue?
You can check this in a Splunk search.
Ciao.
Giuseppe
Hi @gcusello
Thank you so much for the input.
Can you please help me with the regex part, if possible for you.
Sample logs
07/18/2022 03:32:26 AM
LogName=System
EventCode=7036
EventType=4
ComputerName=PGPLNBL990016S.xyz.com
SourceName=Microsoft-Windows-Service Control Manager
Type=Information
RecordNumber=208188
Keywords=Classic
TaskCategory=None
OpCode=The operation completed successfully.
Message=The Windows Update service entered the stopped state
Note
I don't want any logs from the below computer name.
ComputerName=PGPLNBL990016S.xyz.com
If you could help me with the regex part for the above one, it will be very helpful for me.
Thanks
Hi @debjit_k,
let me understand: you want to filter all logs from that host, is this correct?
In this case, why don't you disable logs from that Forwarder?
Anyway, the regex to filter those logs is:
[eventlogs]
REGEX=ComputerName\=PGPLNBL990016S\.xyz\.com
DEST_KEY=queue
FORMAT=nullQueue
Ciao.
Giuseppe
Hi @gcusello
Thank you for your help.
Yeah, actually you are correct, but we don't have any details on who the actual owner of the device is, and we have no option left other than dropping the events at the indexer.
Let me try your suggested regex; hope it will sort out the problem that we are facing.
Thank you
It seems that you have a much more severe problem than Splunk log ingestion. If you have a rogue device in your network that you "don't know who the owner is", it calls for something more than just filtering out logs from this host.
Firstly, you should not let this device connect to the indexer(s) at all, or call the deployment server if you use one.
Hi @gcusello
Still I can see logs; it is not discarding the events as we thought.
Is there any way I can blacklist that host from the indexer end?
Thanks
Hi @debjit_k,
What's the host value in those logs?
If it is the same as the one to discard, you could remove inputs.conf on the Forwarder; if these logs come from another machine (e.g. a Domain Controller), you could use something like this:
props.conf:
[host::PGPLNBL990016S.sdplantation.com]
TRANSFORMS-win=eventlogs
transforms.conf:
[eventlogs]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
Before doing this, check the value of the host, to be sure that the host value is the complete FQDN and not "PGPLNBL990016S".
Ciao.
Giuseppe
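An added, stand-alone dry run of the props.conf/transforms.conf logic from the two replies above (the ComputerName regex and the [host::...] stanza with REGEX = .). This is example code written for this page, not Splunk's implementation and not the poster's configuration: it re-creates only the props.conf stanza selection and the transforms.conf REGEX match, so a rule can be checked against real events before an indexer restart, and it flags the two ways such a filter silently does nothing: a [host::...] stanza written with the FQDN when the forwarder sends the short host name, and a TRANSFORMS-* value that names a stanza transforms.conf does not have. The sourcetype WinEventLog:System, the neighbouring host OTHERHOST01 and the shell-glob handling of * in host:: stanzas are assumptions; the event text is the thread's own sample.

```python
import fnmatch
import re
from dataclasses import dataclass


@dataclass
class Event:
    host: str         # the Splunk "host" field the forwarder set (often the short name, not the FQDN)
    sourcetype: str
    raw: str          # _raw, which transforms.conf REGEX is matched against


@dataclass
class Transform:
    """One transforms.conf stanza, reduced to the keys that matter for routing."""
    regex: str
    dest_key: str = "queue"
    fmt: str = "nullQueue"


def stanza_matches(stanza: str, ev: Event) -> bool:
    """props.conf stanza selection: [host::pattern] (with * wildcards) or a bare [sourcetype]."""
    if stanza.startswith("host::"):
        # Splunk accepts * in host:: stanzas; a shell-style glob approximates that here (assumption).
        return fnmatch.fnmatchcase(ev.host, stanza[len("host::"):])
    return stanza == ev.sourcetype


def lint(props: dict, transforms: dict) -> list:
    """Report misconfigurations that turn a nullQueue filter into a silent no-op."""
    problems = []
    for stanza, names in props.items():
        for name in names:
            t = transforms.get(name)
            if t is None:
                problems.append(f"[{stanza}] names TRANSFORMS '{name}' but transforms.conf has no [{name}] stanza")
                continue
            if t.fmt == "nullQueue" and t.dest_key != "queue":
                problems.append(f"[{name}] FORMAT=nullQueue requires DEST_KEY=queue, got '{t.dest_key}'")
            try:
                re.compile(t.regex)
            except re.error as exc:
                problems.append(f"[{name}] REGEX does not compile: {exc}")
    return problems


def route(ev: Event, props: dict, transforms: dict) -> str:
    """Return 'nullQueue' if an applicable transform matches _raw, else 'indexQueue'."""
    for stanza, names in props.items():
        if not stanza_matches(stanza, ev):
            continue
        for name in names:
            t = transforms.get(name)
            if t is None:
                continue  # undefined transform name: skipped, the event is still indexed
            if t.fmt == "nullQueue" and t.dest_key == "queue" and re.search(t.regex, ev.raw):
                return "nullQueue"
    return "indexQueue"


# Constructed sample events: the first is the event body posted in the thread, the second is a
# made-up event from a neighbouring host that must keep flowing to the index.
SAMPLE_RAW = """07/18/2022 03:32:26 AM
LogName=System
EventCode=7036
EventType=4
ComputerName=PGPLNBL990016S.sdplantation.com
SourceName=Microsoft-Windows-Service Control Manager
Type=Information
RecordNumber=208188
Keywords=Classic
TaskCategory=None
OpCode=The operation completed successfully.
Message=The Windows Update service entered the stopped state"""
OTHER_RAW = SAMPLE_RAW.replace("PGPLNBL990016S", "OTHERHOST01").replace("208188", "4711")

# WinEventLog:System is an assumed sourcetype; the host values mirror the thread, where the
# forwarder sent the short name rather than the FQDN.
TARGET = Event(host="PGPLNBL990016S", sourcetype="WinEventLog:System", raw=SAMPLE_RAW)
OTHER = Event(host="OTHERHOST01", sourcetype="WinEventLog:System", raw=OTHER_RAW)

TRANSFORMS = {
    "eventlogs": Transform(regex=r"ComputerName=PGPLNBL990016S\.sdplantation\.com"),
    "dropall": Transform(regex=r"."),   # drop every event the props.conf stanza applies to
}
PROPS_BY_SOURCETYPE = {"WinEventLog:System": ["eventlogs"]}             # filter on _raw content
PROPS_BY_FQDN = {"host::PGPLNBL990016S.sdplantation.com": ["dropall"]}  # host stanza using the FQDN
PROPS_BY_HOST = {"host::PGPLNBL990016S": ["dropall"]}                   # host stanza using the real host value
PROPS_TYPO = {"WinEventLog:System": ["eventlog"]}                       # name does not match transforms.conf


if __name__ == "__main__":
    for label, props in [("sourcetype+regex", PROPS_BY_SOURCETYPE), ("host::FQDN", PROPS_BY_FQDN),
                         ("host::short", PROPS_BY_HOST), ("typo", PROPS_TYPO)]:
        print(f"{label:18} target->{route(TARGET, props, TRANSFORMS):10} "
              f"other->{route(OTHER, props, TRANSFORMS):10} lint={lint(props, TRANSFORMS)}")
```

Run it with python3 and compare the four rows: only the sourcetype+regex and host::short variants send the target event to nullQueue while leaving the other host alone; the FQDN stanza and the misnamed transform index everything. On a real indexer the equivalent checks are `splunk btool props list --debug` and `splunk btool transforms list --debug` (to see which file each stanza comes from and whether the names line up) and a search such as `index=* host=PGPLNBL990016S` to confirm the exact host value before writing the [host::...] stanza.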
Hi @gcusello
Yes, you are correct, the host value is PGPLNBL990016S.
I tried the same but still the logs are coming. The main issue is we can't do anything on the UF as we don't know the owner and we don't have any contacts.
I'm not getting why the events are not getting dropped.
Thanks
Hi @debjit_k,
Are you sure that there isn't any intermediate Heavy Forwarder?
In that case the filter must be located on the HF.
Ciao.
Giuseppe
Hi @gcusello
There is no intermediate HF.
But I have made some changes; it looks like there was a typo in the host name.
It's been 10 mins and I haven't seen any logs; let's wait for 2 hours, and if there is no log feeding then we are good.
Hi @gcusello
Sorry for the late reply; actually I was monitoring the host for 24 hours and yeah, it is not feeding any logs.
Thank you for the support.
Thanks
hi @debjit_k ,
Good for you, see you next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉
Sample events
07/18/2022 03:32:26 AM
LogName=System
EventCode=7036
EventType=4
ComputerName=PGPLNBL990016S.sdplantation.com
SourceName=Microsoft-Windows-Service Control Manager
Type=Information
RecordNumber=208188
Keywords=Classic
TaskCategory=None
OpCode=The operation completed successfully.
Message=The Windows Update service entered the stopped state