- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How can I block a single IP address from sending l...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I block a single IP address from sending logs to Splunk?
Hi,
I want to block the specific host/IP from sending logs to indexers for the time being until I would need to enable to again later. Is there a way to block on indexer level and how?
please tell me the full steps so I can implement on live environment
please tell me step by step
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why don't you just send enabled=0 to his inputs.conf from the DS?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Put this on your indexer and restart:
In props.conf:
[host::Your\.IP\.Address\.Here]
TRANSFORMS-drop_everything = drop_everything
[host::hostname.YourDomain.com]
TRANSFORMS-drop_everything = drop_everything
In transforms.conf:
[drop_everything]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I've tried this and it does not work. I need to block all data being written to our indexers from a set of IPs (network security devices that try and find compromises on our servers including the splunk HFs, UF, etc - so I do want to drop this at the index level).
I've placed this code in the etc system local props.conf and transforms.conf files - is that correct?
Doesn't seem to drop it either for IP address or hostname.
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are better off tuning it closer to the source
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Routing to the nullqueue is one option, but a bit of a waste of resources as the data is still sent over the network and processed to some degree.
I'd rather suggest using the acceptFrom setting on the respective input on the indexers, or just bluntly blocking that IP address in the firewall on the indexer (if you have one).
If the source you want to disable is a forwarder, you could also disable the outputs on the forwarder (or just shut down the forwarder altogether).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you can do this by using Props.conf and transforms.conf. the IP required to be filtered can be sent to null queue.
you can use below stanza and modify it as per your requirement based on the log.
Props.conf:
[source::WMI:WinEventLog:Security]
TRANSFORMS-FilterEvent = FilterEvent560
Transforms.conf:
[FilterEvent560]
REGEX = (?msi)^EventCode=560
DEST_KEY = queue
FORMAT = nullQueue
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
