Getting Data In

Excluding some event log data from being forwarded to the indexers

bobmorning
Engager

We have an outside scanning agency that is constantly doing nmap like scans of our perimeter.   It is generating a log of log data on the perimeter CISCO firewalls. We know the IPs that the scanning is coming from; is there a way to tell the forwarders to NOT forward that log data from the firewalls for those IPs?

For example, if any tcp/ip log data is seen from 1.2.3.4, don't forward it, but if from any other IP address, treat it normally and forward it.

Thanks for any insights on this. Our Splunk SME are looking at CRIBL to do this but reading this thread makes me believe there are configuration settings that might address this?   

V/R Bob M.

Labels (2)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

How are you receiving logs from those firewall? Syslog?

If so, employ some syslog processing layer (it's worth doing anyway) - for example, sc4s or rsyslog-based collector. There you can filter at will.

richgalloway
SplunkTrust
SplunkTrust

Universal Forwarders cannot filter that input.  Cribl is a good choice or you can use a transform at the indexer/heavy forwarder to send undesired events to the null queue.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...