Getting Data In

Block Specific host/ip on indexer

kpavan
Path Finder

Hi,

I want to block a specific host/IP which is sending logs to the indexers for the time being, and later I would need to enable it again. Is there a way to block at the indexer level, and how?

Thanks!


kristian_kolb
Ultra Champion

You should probably take a look at the documentation for inputs.conf:

acceptFrom = <network_acl> ...
* Lists a set of networks or addresses to accept connections from.  These rules are separated by commas or spaces
* Each rule can be in the following forms:
*   1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")
*   2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32")
*   3. A DNS name, possibly with a '*' used as a wildcard (examples: "myhost.example.com", "*.splunk.com")
*   4. A single '*' which matches anything
* Entries can also be prefixed with '!' to cause the rule to reject the
  connection.  Rules are applied in order, and the first one to match is
  used.  For example, "!10.1/16, *" will allow connections from everywhere
  except the 10.1.*.* network.
* Defaults to "*" (accept from anywhere)

/K


azurite
New Member

I also think the document needs clarity. Based on the documentation, it appears " is used for logical argument breaks:

A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3") 
A CIDR block of addresses (examples: "10/8", "fe80:1234/32")
A DNS name, possibly with a '*' used as a wildcard (examples: "myhost.example.com", "*.splunk.com")
For example, "!10.1/16, *" will allow connections from everywhere  except the 10.1.*.* network.

However, it does not behave this way...

Examples:  acceptFrom = 10.1.1.1, 10.1.1.2, 10.1.1.3, 10.1.1.4 
Only allows connection from 10.1.1.1, 10.1.1.2, 10.1.1.3, 10.1.1.4

Example: acceptFrom = "10.1.1.1, 10.1.1.2, 10.1.1.3, 10.1.1.4"
Does not allow connections from 10.1.1.1, 10.1.1.2, 10.1.1.3, 10.1.1.4

Example: acceptFrom = "10.1.1.1", "10.1.1.2", "10.1.1.3", "10.1.1.4"
Does not allow connections from 10.1.1.1, 10.1.1.2, 10.1.1.3, 10.1.1.4

I am using Splunk Enterprise 6.6.2 and have the rare opportunity to build from scratch in AWS, thus allowing me to test the settings thoroughly...

timmy13
Communicator

I have the following....

[tcp]
acceptFrom = !txindex1, *

on my indexer, yet I am still getting traffic recorded from the host txindex1. Any ideas?


DennisFFM
Explorer

Maybe delete the wildcard.
As far as I know !txindex1 only blocks this one host and every other is allowed.
So the wildcard (*) is not needed.

Michael
Contributor

But the cryptic documentation shows the * in there... I wish they would at least show an example. I can't get it to work either, and again, "from the documentation" it's unclear to me if there should be "quotes" around the arguments...

kristian_kolb
Ultra Champion

Not that I have tried it, but, as it says in the docs:

* Lists a set of networks or addresses to accept connections from. These rules are separated by commas or spaces

From that statement I would guess something like this should work for blocking more than one host:

acceptFrom = !10.1.2.3, !192.168.1.0/24, !*.test.domain.com

/k


kpavan
Path Finder

Thanks for your quick response!

I have tried acceptFrom for one IP and it worked. Now I am curious to know, if we have a different range of IP addresses or different DNS names, how could we achieve that using acceptFrom?

like:

10.1.2.3
192.1.2.2
172.1.1.2

Thanks!

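An added example (not from this thread and not Splunk's code) that models the first-match acceptFrom rules quoted in the accepted answer, the multi-entry form in kristian_kolb's later reply and the mixed list kpavan asks about, so the ordering and quoting questions raised above can be checked offline against constructed peers. Assumptions made here: tokens are split on commas or spaces with quote characters kept as literal text (compare azurite's results above), a DNS-name rule is matched against a peer hostname the caller supplies, and a value with no matching rule is rejected (which is why the documented example "!10.1/16, *" ends with "*").

```python
import fnmatch
import ipaddress
from typing import List, Optional, Tuple


def _expand_prefix(net: str) -> str:
    """Expand the abbreviated forms the docs use ("10/8", "fe80:1234/32") into
    what ipaddress.ip_network accepts ("10.0.0.0/8", "fe80:1234::/32")."""
    if ":" in net:
        return net if "::" in net else net + "::"
    parts = net.split(".")
    return ".".join(parts + ["0"] * (4 - len(parts)))


def parse_accept_from(value: str) -> List[Tuple[bool, str]]:
    """Split an acceptFrom value on commas/spaces into ordered (allow, pattern)
    rules. Quote characters are kept as literal text (assumption)."""
    rules = []
    for tok in value.replace(",", " ").split():
        negated = tok.startswith("!")
        rules.append((not negated, tok[1:] if negated else tok))
    return rules


def _rule_matches(pattern: str, ip: str, hostname: Optional[str]) -> bool:
    if pattern == "*":
        return True
    addr = ipaddress.ip_address(ip)
    if "/" in pattern:
        net, plen = pattern.split("/", 1)
        try:
            return addr in ipaddress.ip_network(f"{_expand_prefix(net)}/{plen}", strict=False)
        except ValueError:
            return False  # malformed block never matches
    try:
        return addr == ipaddress.ip_address(pattern)
    except ValueError:
        pass  # not an address: fall through to DNS-name matching
    # DNS name with optional '*' wildcard, compared against the peer's name
    # (assumption: the caller supplies the name the indexer would resolve).
    return hostname is not None and fnmatch.fnmatchcase(hostname.lower(), pattern.lower())


def is_accepted(accept_from: str, ip: str, hostname: Optional[str] = None) -> bool:
    """First matching rule decides. No match means reject (assumption; it is
    why the documented example "!10.1/16, *" ends with a trailing "*")."""
    for allow, pattern in parse_accept_from(accept_from):
        if _rule_matches(pattern, ip, hostname):
            return allow
    return False
```

With this model, `is_accepted("!txindex1, *", "192.0.2.10", hostname="txindex1")` is False while the same value without the trailing "*" rejects every other host too, which is the behaviour difference DennisFFM and timmy13 are discussing.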