Getting Data In

Blacklisting Logs coming in UDP 514

khavildar
Explorer

I have some logs coming in on UDP 514 and I am wondering if there is a chance we can blacklist certain events containing a certain username. I can regex it out but I cannot see if we can blacklist UDP logs through props.conf and transforms.conf
From my research online, it's required to have a Syslog-ng or rSyslog server setup but we are trying to avoid that extra step and seeing if Splunk has an inbuilt function to blacklist it.
This is not File monitoring / windows / having it's own TA type of Inputs. It's Syslog coming in on UDP 514 directly to the Splunk Indexer.

0 Karma

harsmarvania57
Ultra Champion

Hi,

UDP inputs data also pass through Parsing, Aggregation and Typing Queue (ref. doc https://wiki.splunk.com/Community:HowIndexingWorks) so props.conf and transforms.conf filtering should work.

As best practice, it is recommended to use syslog-ng or rsyslog and write logs in logfile and UF will read those logs. If you receive data directly on Splunk then during Splunk restart you will lose all data which you are receiving on UDP input and usually Splunk restart take more time compare to syslog-ng or rsyslog restart.

0 Karma

khavildar
Explorer

Thanks. I looked it up and saw I had to use a nullqueue.

0 Karma
Get Updates on the Splunk Community!

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...