Getting Data In

Blacklisting Logs coming in UDP 514

khavildar
Explorer

I have some logs coming in on UDP 514 and I am wondering if there is a chance we can blacklist certain events containing a certain username. I can regex it out but I cannot see if we can blacklist UDP logs through props.conf and transforms.conf
From my research online, it's required to have a Syslog-ng or rSyslog server setup but we are trying to avoid that extra step and seeing if Splunk has an inbuilt function to blacklist it.
This is not File monitoring / windows / having it's own TA type of Inputs. It's Syslog coming in on UDP 514 directly to the Splunk Indexer.

0 Karma

harsmarvania57
Ultra Champion

Hi,

UDP inputs data also pass through Parsing, Aggregation and Typing Queue (ref. doc https://wiki.splunk.com/Community:HowIndexingWorks) so props.conf and transforms.conf filtering should work.

As best practice, it is recommended to use syslog-ng or rsyslog and write logs in logfile and UF will read those logs. If you receive data directly on Splunk then during Splunk restart you will lose all data which you are receiving on UDP input and usually Splunk restart take more time compare to syslog-ng or rsyslog restart.

0 Karma

khavildar
Explorer

Thanks. I looked it up and saw I had to use a nullqueue.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...