You should probably take a look at the documentation for inputs.conf:
acceptFrom = <network_acl> ...
* Lists a set of networks or addresses to accept connections from. These rules are separated by commas or spaces
* Each rule can be in the following forms:
* 1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")
* 2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32")
* 3. A DNS name, possibly with a '*' used as a wildcard (examples: "myhost.example.com", "*.splunk.com")
* 4. A single '*' which matches anything
* Entries can also be prefixed with '!' to cause the rule to reject the
connection. Rules are applied in order, and the first one to match is
used. For example, "!10.1/16, *" will allow connections from everywhere
except the 10.1.*.* network.
* Defaults to "*" (accept from anywhere)
/K
I also think the document needs clarity. Based on the documentation, it appears that " is used for logical argument breaks:
A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")
A CIDR block of addresses (examples: "10/8", "fe80:1234/32")
A DNS name, possibly with a '*' used as a wildcard (examples: "myhost.example.com", "*.splunk.com")
For example, "!10.1/16, *" will allow connections from everywhere except the 10.1.*.* network.
However, it does not behave this way...
Example: acceptFrom = 10.1.1.1, 10.1.1.2, 10.1.1.3, 10.1.1.4
Only allows connection from 10.1.1.1, 10.1.1.2, 10.1.1.3, 10.1.1.4
Example: acceptFrom = "10.1.1.1, 10.1.1.2, 10.1.1.3, 10.1.1.4"
Does not allow connections from 10.1.1.1, 10.1.1.2, 10.1.1.3, 10.1.1.4
Example: acceptFrom = "10.1.1.1", "10.1.1.2", "10.1.1.3", "10.1.1.4"
Does not allow connections from 10.1.1.1, 10.1.1.2, 10.1.1.3, 10.1.1.4
I am using Splunk Enterprise 6.6.2 and have the rare opportunity to build from scratch in AWS, which allows me to test the settings thoroughly...
I have the following:
[tcp]
acceptFrom = !txindex1, *
on my indexer, yet I am still getting traffic recorded from the host txindex1. Any ideas?
Maybe delete the wildcard.
As far as I know, !txindex1 only blocks this one host and every other host is allowed.
So the wildcard (*) is not needed.
But the cryptic documentation shows the * in there... I wish they would at least show an example. I can't get it to work either, and again, "from the documentation" it's unclear to me whether there should be "quotes" around the arguments...
Not that I have tried it, but, as it says in the docs:
* Lists a set of networks or addresses to accept connections from. These rules are separated by commas or spaces
From that statement I would guess something like this should work for blocking more than one host:
acceptFrom = !10.1.2.3, !192.168.1.0/24, !*.test.domain.com
/k
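To make the rules quoted from inputs.conf.spec above (and the deny-only list suggested in this answer) concrete, here is an added model of how such a network ACL is evaluated. It is example code written for this page, not Splunk's own implementation. It follows the spec text literally: rules are split on commas or spaces, a leading "!" rejects, and the first matching rule wins. Three things the spec does not state are assumptions, marked in the code: quotes are not stripped from tokens (which reproduces the thread's observation that a quoted list matches nothing), abbreviated prefixes like "10.1/16" are padded with zeros, and a client that matches no rule at all is rejected (the spec's own example ends in a trailing "*" to admit everyone the "!" rules did not reject). The reverse-DNS name used for name rules is passed in by the caller so the example runs offline; all addresses and hostnames below are constructed inputs.

```python
import fnmatch
import ipaddress


def parse_acl(value):
    """Split an acceptFrom value into ordered (negate, pattern) rules.

    The spec says rules are separated by commas or spaces. It says nothing
    about quotes, so they stay part of the token (assumption; it matches the
    thread's observation that a quoted list never admits anyone).
    """
    rules = []
    for tok in value.replace(",", " ").split():
        negate = tok.startswith("!")
        rules.append((negate, tok[1:] if negate else tok))
    return rules


def _as_network(pattern):
    """Parse a single address or CIDR block, including the abbreviated forms
    the spec shows ("10/8", "10.1/16", "fe80:1234/32"). Returns None when the
    pattern is not an address or block, i.e. it must be a DNS-name rule."""
    net, slash, bits = pattern.partition("/")
    try:
        if ":" in net:
            # Assumption: an abbreviated IPv6 prefix is completed with "::"
            if "::" not in net:
                net += "::"
        else:
            octets = net.split(".")
            if len(octets) > 4 or not all(o.isdigit() for o in octets):
                return None
            # Assumption: missing octets are zero, so "10.1/16" is 10.1.0.0/16
            net = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(net + (slash + bits if slash else ""), strict=False)
    except ValueError:
        return None


def rule_matches(pattern, client_ip, client_host):
    """Apply one rule. client_host is the name a reverse-DNS lookup of
    client_ip would return; the caller supplies it here so the example runs
    offline (assumption about how name rules are compared)."""
    if pattern == "*":
        return True
    network = _as_network(pattern)
    if network is not None:
        return client_ip.version == network.version and client_ip in network
    if client_host is None:
        return False
    return fnmatch.fnmatchcase(client_host.lower(), pattern.lower())


def accept(acl_value, client_ip, client_host=None):
    """True if the connection is accepted: the first matching rule wins.

    Assumption: when no rule matches, the connection is rejected. The spec
    quoted above does not say so; its own example ends in a trailing "*".
    """
    ip = ipaddress.ip_address(client_ip)
    for negate, pattern in parse_acl(acl_value):
        if rule_matches(pattern, ip, client_host):
            return not negate
    return False


if __name__ == "__main__":
    # (acl, client ip, reverse-DNS name, note): constructed inputs
    cases = [
        ("!10.1/16, *", "10.1.200.7", None, "spec example: 10.1.*.* rejected"),
        ("!10.1/16, *", "10.2.0.1", None, "spec example: everyone else accepted"),
        ("10.1.1.1, 10.1.1.2", "10.1.1.2", None, "unquoted list works"),
        ('"10.1.1.1, 10.1.1.2"', "10.1.1.2", None, "quoted list: tokens keep their quotes"),
        ("!txindex1, *", "10.0.0.5", "txindex1", "name rule matches the reverse-DNS name"),
        ("!txindex1, *", "10.0.0.5", "txindex1.example.com", "FQDN from reverse DNS slips past a short name"),
        ("!txindex1*, *", "10.0.0.5", "txindex1.example.com", "wildcard catches the FQDN"),
        ("!10.1.2.3, !192.168.1.0/24, !*.test.domain.com", "172.16.0.9", None, "deny rules only: nothing matches"),
        ("!10.1.2.3, !192.168.1.0/24, !*.test.domain.com, *", "172.16.0.9", None, "trailing * admits the rest"),
    ]
    for acl, ip, host, note in cases:
        verdict = "ACCEPT" if accept(acl, ip, host) else "REJECT"
        print(f"{verdict:6}  {acl!r:55} {ip:12} {note}")
```

Two practical points fall out of running it. A name rule such as "!txindex1" only fires if the reverse lookup of the connecting address yields exactly that string; if it yields the FQDN, the short name never matches and the trailing "*" admits the host, which is one reason the "!txindex1, *" setting in the question can appear to do nothing. And under the implicit-reject assumption, a list made only of "!" entries admits nobody, so a deny list should end in "*" as the spec's own example does.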
Thanks for your quick response!
I have tried acceptFrom for one IP and it worked. Now I am curious to know: if we have a different range of IP addresses or different DNS names, how could we achieve that using acceptFrom?
like:
10.1.2.3
192.1.2.2
172.1.1.2
Thanks!