Getting Data In

How do I stop forwarding the _audit index?

jeromep83
Engager

Hi,

I'm trying to stop forwarding _audit index.
I put in my outputs.conf the following lines:

[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.filter.disable = false

It should block all indexes beginning with "_". Am i right ?
It doesn’t work because I am still seeing forwarded audit logs:

Audit:[timestamp=07-06-2015 16:46:14.900, user=splunk-system-user, action=search, info=completed, search_id='SummaryDirector_1436193945.3', total_run_time=0.01, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1436193945, api_et=N/A, api_lt=N/A, search_et=N/A, search_lt=N/A, is_realtime=0, savedsearch_name=""][n/a]

Do you know how to stop it ?

Thanks for your time,

0 Karma
1 Solution

matts1234
Engager

You are most likely running into an issue with how Splunk deals with its whitelist and blacklist. Below are the default settings which are causing your conflict, pulled from: etc/system/default/outputs.conf

[tcpout]
...
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection)
forwardedindex.filter.disable = false

The rules above dictate: rule #1( forwardedindex.1.blacklist = .* ) does successfully block all indexes that begin with an ""; however, rule #2 ( forwardedindex.2.whitelist = (_audit|_internal|_introspection) ) then tells Splunk to overwrites rule #1 for those particular indexes.

The easiest way to solve your issue would be to set your custom outputs.conf to one of the two below:

Rewrite rule #2 to remove _audit:

[tcpout]
forwardedindex.2.whitelist = (_internal|_introspection)

Add a new rule #3 re-enforcing the blacklist of _audit:

[tcpout]
forwardedindex.3.blacklist = _audit

Either one of these should work. Cheers!

View solution in original post

0 Karma

matts1234
Engager

You are most likely running into an issue with how Splunk deals with its whitelist and blacklist. Below are the default settings which are causing your conflict, pulled from: etc/system/default/outputs.conf

[tcpout]
...
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection)
forwardedindex.filter.disable = false

The rules above dictate: rule #1( forwardedindex.1.blacklist = .* ) does successfully block all indexes that begin with an ""; however, rule #2 ( forwardedindex.2.whitelist = (_audit|_internal|_introspection) ) then tells Splunk to overwrites rule #1 for those particular indexes.

The easiest way to solve your issue would be to set your custom outputs.conf to one of the two below:

Rewrite rule #2 to remove _audit:

[tcpout]
forwardedindex.2.whitelist = (_internal|_introspection)

Add a new rule #3 re-enforcing the blacklist of _audit:

[tcpout]
forwardedindex.3.blacklist = _audit

Either one of these should work. Cheers!

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...