Getting Data In

How can I block a single IP address from sending logs to Splunk?

New Member

Hi,

I want to block the specific host/IP from sending logs to indexers for the time being until I would need to enable to again later. Is there a way to block on indexer level and how?
please tell me the full steps so I can implement on live environment

please tell me step by step

0 Karma

Esteemed Legend

Why don't you just send enabled=0 to his inputs.conf from the DS?

0 Karma

Esteemed Legend

Put this on your indexer and restart:

In props.conf:

[host::Your\.IP\.Address\.Here]
TRANSFORMS-drop_everything = drop_everything
[host::hostname.YourDomain.com]
TRANSFORMS-drop_everything = drop_everything

In transforms.conf:

[drop_everything]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
0 Karma

New Member

You are better off tuning it closer to the source

0 Karma

Ultra Champion

Routing to the nullqueue is one option, but a bit of a waste of resources as the data is still sent over the network and processed to some degree.

I'd rather suggest using the acceptFrom setting on the respective input on the indexers, or just bluntly blocking that IP address in the firewall on the indexer (if you have one).

If the source you want to disable is a forwarder, you could also disable the outputs on the forwarder (or just shut down the forwarder altogether).

0 Karma

Path Finder

you can do this by using Props.conf and transforms.conf. the IP required to be filtered can be sent to null queue.

you can use below stanza and modify it as per your requirement based on the log.

Props.conf:

[source::WMI:WinEventLog:Security]
TRANSFORMS-FilterEvent = FilterEvent560

Transforms.conf:

[FilterEvent560]
REGEX = (?msi)^EventCode=560
DEST_KEY = queue
FORMAT = nullQueue

0 Karma