Create Server Class in Forwarder Management for Windows 10 workstations

molinarf
Communicator

I want to create a new server class in Forwarder Management just for workstations (Windows 10). Since they are located in a particular subnet X.X.X.32/24 or X.X.X.32 255.255.255.224. Can I use the whitelist to filter based on the subnet? Is it possible to filter by Machine Type using a filter for Windows 10 workstations?

Thank you

0 Karma
1 Solution

jnudell_2
Builder

Hi @molinarf ,

You can filter to Windows hosts, but not specifically to Windows 10. However, you can also create a whitelist for the IP addresses you want to select as well. This is easiest done from the UI:
Click on Settings -> Forwarder Management -> Server Classes
Select your server class, and then click the Add Clients option
In the whitelist box, if you wanted to whitelist a /24 range (10.10.10.0/24 as an example) you would use the corresponding regex:

10.10.10.\d{1,3}

Because it is regex, you would have to use something that matches all the IPs in a given set, and it would NOT recognize CIDR notation (10.10.10.0/24 will not work).

0 Karma

molinarf
Communicator

Okay, I didn't realize it was to be in a regex format. Can you clarify the expression where you use \d{1,3}? It looks to me like it would be the network IP (i.e. 10.10.10.\d), but what is the {1,3}?

Thanks,

0 Karma

jnudell_2
Builder

\d{1,3} means any digit 1 - 3 times. If you use \d, it means any digit ONLY 1 time. That would be equivalent to the list:
10.10.10.0
10.10.10.1
...
10.10.10.9
But NOT 10.10.10.10+ because now it's two digits.

0 Karma

molinarf
Communicator

So to clarify... just so I get it right, that means that for what I am trying to do I should write it

10.10.10.(3[2-9]|[4-5][0-9]|6[0-1])$

Sorry I keep asking for clarification.

0 Karma

jnudell_2
Builder

No problem.
That would set your range to:
10.10.10.32 - 61
You don't need the $ at the end, but try it and see if it works.
If that's what you want, then yes. 🙂

0 Karma
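The two questions in this thread, how to express a whole subnet when the whitelist takes regex rather than CIDR, and whether a hand-written range like 10.10.10.(3[2-9]|[4-5][0-9]|6[0-1]) covers exactly .32 to .61, can be checked offline. The script below is an added example, not code from the thread or from Splunk; it builds a last-octet regex from a CIDR (the /27 the original post describes), escapes the dots, and shows what the posted pattern accepts with and without anchoring, using a constructed list of client names. It makes no claim about how the deployment server itself anchors whitelist entries, which is why both modes are shown.

```python
import ipaddress
import re
def octet_range_regex(lo: int, hi: int) -> str:
    # Alternation matching exactly the integers lo..hi (0-255), built decade by
    # decade, e.g. 32..61 -> 3[2-9]|[4-5][0-9]|6[0-1]
    parts, n = [], lo
    while n <= hi:
        tens, ones = divmod(n, 10)
        end = min(hi, tens * 10 + 9)              # last value inside this decade
        if tens and ones == 0 and end == tens * 10 + 9:
            # whole decade(s): merge consecutive single-digit tens into one class
            last = tens
            while last < 9 and (last + 1) * 10 + 9 <= hi:
                last += 1
            t = str(tens) if tens == last else f"[{tens}-{last}]"
            parts.append(f"{t}[0-9]")
            n = (last + 1) * 10
            continue
        prefix = str(tens) if tens else ""        # 0..9 have no tens digit
        digits = str(ones) if ones == end % 10 else f"[{ones}-{end % 10}]"
        parts.append(prefix + digits)
        n = end + 1
    return "|".join(parts)

def cidr_to_regex(cidr: str) -> str:
    # IPv4 CIDR (/24 or longer prefix) -> regex with escaped dots and an exact
    # last-octet range; the thread notes CIDR notation itself is not accepted.
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen < 24:
        raise ValueError("only IPv4 networks with a /24 or longer prefix are handled")
    first3 = r"\.".join(str(net.network_address).split(".")[:3])
    lo, hi = int(net.network_address) & 0xFF, int(net.broadcast_address) & 0xFF
    return f"{first3}\\.({octet_range_regex(lo, hi)})"

def hosts_matched(pattern: str, candidates, anchored: bool = True) -> list:
    # Candidates the pattern accepts: whole string (anchored) or anywhere in it.
    rx = re.compile(pattern)
    test = rx.fullmatch if anchored else rx.search
    return [c for c in candidates if test(c)]

def covers_exactly(pattern: str, lo: int, hi: int) -> bool:
    # True if pattern fully matches every octet in lo..hi and no other 0..255 value.
    rx = re.compile(pattern)
    return all(bool(rx.fullmatch(str(i))) == (lo <= i <= hi) for i in range(256))

# Constructed sample client names (not from the thread); the last two are
# deliberately bogus to show what unescaped dots and a missing anchor let in.
THREAD_PATTERN = r"10.10.10.(3[2-9]|[4-5][0-9]|6[0-1])"   # as posted: dots unescaped
SAMPLE = ["10.10.10.31", "10.10.10.32", "10.10.10.61", "10.10.10.62", "10.10.10.320", "10A10B10C55"]
```

Running `hosts_matched(THREAD_PATTERN, SAMPLE)` shows the unescaped dots also accept the bogus name 10A10B10C55, and the unanchored mode additionally accepts 10.10.10.320, which is the case the `$` discussion above is about.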

molinarf
Communicator

So, I am getting closer. I eliminated the $. When I save and then go back to look at the parameters because it says that I haven't added any clients, I am greeted with this error:

In handler 'serverclients': Regex: missing terminating ] for character class. I have been searching for an answer online, but I have yet to find one that applies. Any ideas?

0 Karma

jnudell_2
Builder

One thing you can do is use the preview button to see which clients get captured by the whitelist. You can see match & unmatched clients.

If you're getting an error, I would simplify the regex until it works and then add your conditionals.

Example: Start with

10.10.10.(3[2-9])

And then hit preview, and see if you get any clients in 10.10.10.32 - 39.

Next add a |[45][0-9] and hit preview.

Until you get to your full whitelist range.

0 Karma

molinarf
Communicator

I tested the regex that I had and that you verified as good. Even though it does not produce errors, and I would eventually like to use this format to filter subnets, I had to go the less fancy way and just put in the hostnames of the workstations. Since there are a few varieties, I just used a portion of the name and then added an '*' at the end. It filters properly, and I have the only workstation that I have using a UF. So I switched to this for the sake of expediency. It may not look sexy or fabulous, and it could give a lay person a headache, but it's functional with the hostnames. Of course, in the other server class, for essentially Windows servers, I had to blacklist the same hostnames.

Thanks jnudell_2 for your help and assistance on regex expression for IPs and the explanation.

0 Karma

molinarf
Communicator

I tried that... Although I didn't get the error as I found the syntax issue (fat fingering). I kept trying and it says nothing matches even though there is one workstation with an IP that matches the whitelist filter. Quite frustrating. If you have any other ideas, let me know. Maybe I should Blacklist every other device's IP or ranges?

0 Karma