Hi,
I'm trying to stop forwarding _audit index.
I put in my outputs.conf the following lines:
[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.filter.disable = false
It should block all indexes beginning with "_". Am i right ?
It doesn’t work because I am still seeing forwarded audit logs:
Audit:[timestamp=07-06-2015 16:46:14.900, user=splunk-system-user, action=search, info=completed, search_id='SummaryDirector_1436193945.3', total_run_time=0.01, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1436193945, api_et=N/A, api_lt=N/A, search_et=N/A, search_lt=N/A, is_realtime=0, savedsearch_name=""][n/a]
Do you know how to stop it ?
Thanks for your time,
You are most likely running into an issue with how Splunk deals with its whitelist and blacklist. Below are the default settings which are causing your conflict, pulled from: etc/system/default/outputs.conf
[tcpout]
...
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection)
forwardedindex.filter.disable = false
The rules above dictate: rule #1( forwardedindex.1.blacklist = .* ) does successfully block all indexes that begin with an ""; however, rule #2 ( forwardedindex.2.whitelist = (_audit|_internal|_introspection) ) then tells Splunk to overwrites rule #1 for those particular indexes.
The easiest way to solve your issue would be to set your custom outputs.conf to one of the two below:
Rewrite rule #2 to remove _audit:
[tcpout]
forwardedindex.2.whitelist = (_internal|_introspection)
Add a new rule #3 re-enforcing the blacklist of _audit:
[tcpout]
forwardedindex.3.blacklist = _audit
Either one of these should work. Cheers!
You are most likely running into an issue with how Splunk deals with its whitelist and blacklist. Below are the default settings which are causing your conflict, pulled from: etc/system/default/outputs.conf
[tcpout]
...
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection)
forwardedindex.filter.disable = false
The rules above dictate: rule #1( forwardedindex.1.blacklist = .* ) does successfully block all indexes that begin with an ""; however, rule #2 ( forwardedindex.2.whitelist = (_audit|_internal|_introspection) ) then tells Splunk to overwrites rule #1 for those particular indexes.
The easiest way to solve your issue would be to set your custom outputs.conf to one of the two below:
Rewrite rule #2 to remove _audit:
[tcpout]
forwardedindex.2.whitelist = (_internal|_introspection)
Add a new rule #3 re-enforcing the blacklist of _audit:
[tcpout]
forwardedindex.3.blacklist = _audit
Either one of these should work. Cheers!