Getting Data In

How do I stop forwarding the _audit index?

Engager

Hi,

I'm trying to stop forwarding _audit index.
I put in my outputs.conf the following lines:

[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.filter.disable = false

It should block all indexes beginning with "_". Am i right ?
It doesn’t work because I am still seeing forwarded audit logs:

Audit:[timestamp=07-06-2015 16:46:14.900, user=splunk-system-user, action=search, info=completed, search_id='SummaryDirector_1436193945.3', total_run_time=0.01, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1436193945, api_et=N/A, api_lt=N/A, search_et=N/A, search_lt=N/A, is_realtime=0, savedsearch_name=""][n/a]

Do you know how to stop it ?

Thanks for your time,

0 Karma
1 Solution

Engager

You are most likely running into an issue with how Splunk deals with its whitelist and blacklist. Below are the default settings which are causing your conflict, pulled from: etc/system/default/outputs.conf

[tcpout]
...
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection)
forwardedindex.filter.disable = false

The rules above dictate: rule #1( forwardedindex.1.blacklist = .* ) does successfully block all indexes that begin with an ""; however, rule #2 ( forwardedindex.2.whitelist = (_audit|_internal|_introspection) ) then tells Splunk to overwrites rule #1 for those particular indexes.

The easiest way to solve your issue would be to set your custom outputs.conf to one of the two below:

Rewrite rule #2 to remove _audit:

[tcpout]
forwardedindex.2.whitelist = (_internal|_introspection)

Add a new rule #3 re-enforcing the blacklist of _audit:

[tcpout]
forwardedindex.3.blacklist = _audit

Either one of these should work. Cheers!

View solution in original post

0 Karma

Engager

You are most likely running into an issue with how Splunk deals with its whitelist and blacklist. Below are the default settings which are causing your conflict, pulled from: etc/system/default/outputs.conf

[tcpout]
...
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection)
forwardedindex.filter.disable = false

The rules above dictate: rule #1( forwardedindex.1.blacklist = .* ) does successfully block all indexes that begin with an ""; however, rule #2 ( forwardedindex.2.whitelist = (_audit|_internal|_introspection) ) then tells Splunk to overwrites rule #1 for those particular indexes.

The easiest way to solve your issue would be to set your custom outputs.conf to one of the two below:

Rewrite rule #2 to remove _audit:

[tcpout]
forwardedindex.2.whitelist = (_internal|_introspection)

Add a new rule #3 re-enforcing the blacklist of _audit:

[tcpout]
forwardedindex.3.blacklist = _audit

Either one of these should work. Cheers!

View solution in original post

0 Karma