Block Specific host/ip on indexer

kpavan
Path Finder

Hi,

I want to block a specific host/IP which is sending logs to the indexers for the time being; later I would need to enable it again. Is there a way to block at the indexer level, and how?

Thanks!


kristian_kolb
Ultra Champion

You should probably take a look at the documentation for inputs.conf:

acceptFrom = <network_acl> ...
* Lists a set of networks or addresses to accept connections from.  These rules are separated by commas or spaces
* Each rule can be in the following forms:
*   1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")
*   2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32")
*   3. A DNS name, possibly with a '*' used as a wildcard (examples: "myhost.example.com", "*.splunk.com")
*   4. A single '*' which matches anything
* Entries can also be prefixed with '!' to cause the rule to reject the
  connection.  Rules are applied in order, and the first one to match is
  used.  For example, "!10.1/16, *" will allow connections from everywhere
  except the 10.1.*.* network.
* Defaults to "*" (accept from anywhere)

/K



azurite
New Member

I also think the document needs clarity. Based on the documentation, it appears " is used for logical argument breaks:

A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3") 
A CIDR block of addresses (examples: "10/8", "fe80:1234/32")
A DNS name, possibly with a '*' used as a wildcard (examples: "myhost.example.com", "*.splunk.com")
For example, "!10.1/16, *" will allow connections from everywhere  except the 10.1.*.* network.

However, it does not behave this way...

Example: acceptFrom = 10.1.1.1, 10.1.1.2, 10.1.1.3, 10.1.1.4
Only allows connection from 10.1.1.1, 10.1.1.2, 10.1.1.3, 10.1.1.4

Example: acceptFrom = "10.1.1.1, 10.1.1.2, 10.1.1.3, 10.1.1.4"
Does not allow connections from 10.1.1.1, 10.1.1.2, 10.1.1.3, 10.1.1.4

Example: acceptFrom = "10.1.1.1", "10.1.1.2", "10.1.1.3", "10.1.1.4"
Does not allow connections from 10.1.1.1, 10.1.1.2, 10.1.1.3, 10.1.1.4

I am using Splunk Enterprise 6.6.2 and have the rare opportunity to build from scratch in AWS, thus allowing me to test the settings thoroughly...


timmy13
Communicator

I have the following....

[tcp]
acceptFrom = !txindex1, *

on my indexer, yet I am still getting traffic recorded from the host txindex1. Any ideas?


DennisFFM
Explorer

Maybe delete the wildcard.
As far as I know, !txindex1 only blocks this one host and every other is allowed.
So the wildcard (*) is not needed.


Michael
Contributor

But the cryptic documentation shows the * in there... I wish they would at least show an example. I can't get it to work either, and again, "from the documentation" it's unclear to me if there should be "quotes" around the arguments...


kristian_kolb
Ultra Champion

Not that I have tried it, but, as it says in the docs:

* Lists a set of networks or addresses to accept connections from. These rules are separated by commas or spaces

From that statement I would guess something like this should work for blocking more than one host:

acceptFrom = !10.1.2.3, !192.168.1.0/24, !*.test.domain.com

/k

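To make the first-match semantics concrete, here is an added Python model of the acceptFrom evaluation described in the inputs.conf excerpt above and in the multi-host line just given (example code written for this page, not Splunk's implementation). It assumes that a peer matching no rule is rejected, that DNS-name rules are compared against the peer's resolved hostname (passed in here as a parameter), and that any quotes in the value are taken literally.

```python
"""Evaluate an inputs.conf-style acceptFrom network ACL (added example, not Splunk code)."""
import fnmatch
import ipaddress
from typing import List, Optional, Tuple


def _to_network(rule):
    """Expand the doc's shorthand prefixes ("10/8", "10.1/16", "fe80:1234/32")
    into a form ipaddress accepts, then parse a single host or CIDR block."""
    if "/" not in rule:
        return ipaddress.ip_network(rule)          # single address -> /32 or /128
    prefix, length = rule.split("/", 1)
    if ":" in prefix:
        if "::" not in prefix and prefix.count(":") < 7:
            prefix += "::"                         # "fe80:1234" -> "fe80:1234::"
    else:
        octets = prefix.split(".")
        prefix = ".".join(octets + ["0"] * (4 - len(octets)))  # "10.1" -> "10.1.0.0"
    return ipaddress.ip_network(f"{prefix}/{length}", strict=False)


def parse_acl(acl: str) -> List[Tuple[bool, str]]:
    """Split on commas or spaces; each entry becomes (is_deny, pattern)."""
    return [(tok.startswith("!"), tok.lstrip("!")) for tok in acl.replace(",", " ").split()]


def rule_matches(pattern: str, addr: str, hostname: Optional[str]) -> bool:
    """One rule against one peer: '*', an address/CIDR, or a DNS wildcard name."""
    if pattern == "*":
        return True
    try:
        return ipaddress.ip_address(addr) in _to_network(pattern)
    except ValueError:
        pass                                       # not an address or CIDR: try as a DNS name
    return hostname is not None and fnmatch.fnmatchcase(hostname.lower(), pattern.lower())


def is_accepted(acl: str, addr: str, hostname: Optional[str] = None) -> bool:
    """Rules are applied in order and the first match wins.
    Assumption (not stated in the quoted docs): a peer matching no rule is rejected,
    which is why the doc's own example "!10.1/16, *" ends with a catch-all."""
    for deny, pattern in parse_acl(acl):
        if rule_matches(pattern, addr, hostname):
            return not deny
    return False


if __name__ == "__main__":
    # Constructed sample peers: (address, reverse-DNS name or None)
    for acl in ("!10.1/16, *", "!10.1.2.3, !192.168.1.0/24, !*.test.domain.com, *"):
        for addr, name in (("10.1.5.5", None), ("172.1.1.2", None), ("203.0.113.5", "web1.test.domain.com")):
            print(f"{acl!r:60} {addr:>14} -> {'accept' if is_accepted(acl, addr, name) else 'reject'}")
```

Fed azurite's quoted form ("10.1.1.1, 10.1.1.2, ...") literally, the tokens parse as neither addresses nor names, so nothing matches and the peer is rejected, consistent with the observation earlier in the thread.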

kpavan
Path Finder

Thanks for your quick response!

I have tried acceptFrom for one IP and it worked. Now I am curious to know, if we have a different range of IP addresses or different DNS names, how we could achieve this using acceptFrom.

like:

10.1.2.3
192.1.2.2
172.1.1.2

Thanks!
