Solved: How do I stop forwarding the _audit index?

jeromep83 · ‎07-06-2015

Hi,

I'm trying to stop forwarding _audit index.
I put in my outputs.conf the following lines:

[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.filter.disable = false

It should block all indexes beginning with "_". Am i right ?
It doesn’t work because I am still seeing forwarded audit logs:

Audit:[timestamp=07-06-2015 16:46:14.900, user=splunk-system-user, action=search, info=completed, search_id='SummaryDirector_1436193945.3', total_run_time=0.01, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1436193945, api_et=N/A, api_lt=N/A, search_et=N/A, search_lt=N/A, is_realtime=0, savedsearch_name=""][n/a]

Do you know how to stop it ?

Thanks for your time,

matts1234 · ‎07-06-2015

You are most likely running into an issue with how Splunk deals with its whitelist and blacklist. Below are the default settings which are causing your conflict, pulled from: etc/system/default/outputs.conf

[tcpout]
...
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection)
forwardedindex.filter.disable = false

The rules above dictate: rule #1( forwardedindex.1.blacklist = .* ) does successfully block all indexes that begin with an ""; however, rule #2 ( forwardedindex.2.whitelist = (_audit|_internal|_introspection) ) then tells Splunk to overwrites rule #1 for those particular indexes.

The easiest way to solve your issue would be to set your custom outputs.conf to one of the two below:

Rewrite rule #2 to remove _audit:

[tcpout]
forwardedindex.2.whitelist = (_internal|_introspection)

Add a new rule #3 re-enforcing the blacklist of _audit:

[tcpout]
forwardedindex.3.blacklist = _audit

Either one of these should work. Cheers!

View solution in original post

matts1234 · ‎07-06-2015

You are most likely running into an issue with how Splunk deals with its whitelist and blacklist. Below are the default settings which are causing your conflict, pulled from: etc/system/default/outputs.conf

[tcpout]
...
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection)
forwardedindex.filter.disable = false

The rules above dictate: rule #1( forwardedindex.1.blacklist = .* ) does successfully block all indexes that begin with an ""; however, rule #2 ( forwardedindex.2.whitelist = (_audit|_internal|_introspection) ) then tells Splunk to overwrites rule #1 for those particular indexes.

The easiest way to solve your issue would be to set your custom outputs.conf to one of the two below:

Rewrite rule #2 to remove _audit:

[tcpout]
forwardedindex.2.whitelist = (_internal|_introspection)

Add a new rule #3 re-enforcing the blacklist of _audit:

[tcpout]
forwardedindex.3.blacklist = _audit

Either one of these should work. Cheers!

How do I stop forwarding the _audit index?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Join the Conversation