Getting Data In

How do forwardedindex whitelists and blacklists work?

hettervik
Builder

Hi,

I'm trying to figure out how the whitelist and blacklist in outputs.conf work. By default it looks like this:

 [tcpout]
 forwardedindex.0.whitelist = .*
 forwardedindex.1.blacklist = _.*
 forwardedindex.2.whitelist = (_audit|_internal)

It is stated in the doc that blacklist overrides whitelist. Doesn't this mean that rule #1 overrides rule #2? Doesn't rule #1 state that all files starting with an underscore are blacklisted? Still, rule #2 states that _audit and _internal are whitelisted. As far as I know, _internal and _audit are forwarded by default. Can someone help me understand this?

0 Karma
1 Solution

renjith_nair
Legend

Have a look at the outputs.conf

#----Index Filter Settings.
# These attributes are only applicable under the global [tcpout] stanza. This filter does not work if it is created 
# under any other stanza.
forwardedindex.<n>.whitelist = <regex>
forwardedindex.<n>.blacklist = <regex>
* These filters determine which events get forwarded, based on the indexes they belong to.
* This is an ordered list of whitelists and blacklists, which together decide if events should be forwarded to an index.
* The order is determined by <n>. <n> must start at 0 and continue with positive integers, in sequence. There cannot be any
  gaps in the sequence. (For example, forwardedindex.0.whitelist, forwardedindex.1.blacklist, forwardedindex.2.whitelist, ...). 
* The filters can start from either whitelist or blacklist. They are tested from forwardedindex.0 to forwardedindex.<max>.
* If both forwardedindex.<n>.whitelist and forwardedindex.<n>.blacklist are present for the same value of n, then
  forwardedindex.<n>.whitelist is honored. forwardedindex.<n>.blacklist is ignored in this case.
* You should not normally need to change these filters from their default settings in $SPLUNK_HOME/system/default/outputs.conf.
* Filtered out events are not indexed if local indexing is not enabled.

The number n determines which one should be considered first. For example, in your example above, when Splunk parses it:

0. Accepts all
1. Exclude _ indexes
2. Accept audit and internal

If you alter the order of 1 and 2, i.e.

forwardedindex.0.whitelist = .*
forwardedindex.1.whitelist = (_audit|_internal)
forwardedindex.2.blacklist = _.*

0. Accept all
1. Accept audit and internal
2. Reject all internal

In this case it will not forward, as rule #2 overrides rule #1.

Happy Splunking!
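
To make the ordering concrete, here is an added example (my own code, not Splunk's and not from the answer above) that models the evaluation the answer describes: it parses the forwardedindex.<n> lines, enforces the no-gaps and whitelist-over-blacklist rules from the quoted spec, and then tests an index name against the rules from 0 to max with the last matching rule deciding. Two things are assumptions rather than statements on the page: a pattern must match the whole index name, and an index that matches no rule at all is not forwarded. The function names and the sample configs are mine; the two configs are the ones from the question and the answer.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the default [tcpout] index filter quoted in the question.
DEFAULT_FILTERS = """
[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal)
"""

# Constructed sample: the reordered filter from the accepted answer.
REORDERED_FILTERS = """
[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.whitelist = (_audit|_internal)
forwardedindex.2.blacklist = _.*
"""

_RULE_RE = re.compile(r"^forwardedindex\.(\d+)\.(whitelist|blacklist)\s*=\s*(.*?)\s*$")


def parse_filters(text: str) -> List[Tuple[str, re.Pattern]]:
    """Turn forwardedindex.<n>.whitelist/blacklist lines into an ordered rule list.

    Enforces what the quoted spec says: <n> starts at 0 with no gaps, and when
    both a whitelist and a blacklist exist for the same <n> the whitelist is
    honored and the blacklist ignored. Stanza headers, comments and blank
    lines are skipped.
    """
    by_n: Dict[int, Dict[str, str]] = {}
    for raw in text.splitlines():
        m = _RULE_RE.match(raw.strip())
        if not m:
            continue
        n, kind, pattern = int(m.group(1)), m.group(2), m.group(3)
        by_n.setdefault(n, {})[kind] = pattern
    if sorted(by_n) != list(range(len(by_n))):
        raise ValueError(
            f"forwardedindex numbers must run 0..max with no gaps, got {sorted(by_n)}"
        )
    rules: List[Tuple[str, re.Pattern]] = []
    for n in range(len(by_n)):
        kinds = by_n[n]
        kind = "whitelist" if "whitelist" in kinds else "blacklist"
        rules.append((kind, re.compile(kinds[kind])))
    return rules


def evaluate(index: str, rules: List[Tuple[str, re.Pattern]]) -> Tuple[bool, List[str]]:
    """Test one index name the way the accepted answer describes: rules are
    tried from 0 to max and the last rule that matches decides.

    Model assumptions (not stated on the page): a pattern must match the whole
    index name (fullmatch), and an index matching no rule is not forwarded.
    Returns the verdict plus one trace line per rule.
    """
    decision = False
    lines: List[str] = []
    for n, (kind, pattern) in enumerate(rules):
        if pattern.fullmatch(index):
            decision = kind == "whitelist"
            lines.append(f"{n} {kind:9} {pattern.pattern!r:20} matches  -> forward={decision}")
        else:
            lines.append(f"{n} {kind:9} {pattern.pattern!r:20} no match -> forward={decision}")
    return decision, lines


def is_forwarded(index: str, rules: List[Tuple[str, re.Pattern]]) -> bool:
    """Final verdict for an index under an ordered rule list."""
    return evaluate(index, rules)[0]


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_FILTERS), ("reordered", REORDERED_FILTERS)):
        parsed = parse_filters(cfg)
        for idx in ("main", "_internal", "_introspection"):
            verdict, steps = evaluate(idx, parsed)
            print(f"[{name}] {idx}: forwarded={verdict}")
            for step in steps:
                print("   ", step)
```

Running it prints the per-rule trace for `main`, `_internal` and `_introspection` under both configs. Under the default config `_internal` is accepted at rule 0, rejected at rule 1 and accepted again at rule 2, so it is forwarded; with rules 1 and 2 swapped the trailing blacklist has the last word and it is not. The trace also shows why `_introspection` stays filtered under the default: it matches the `_.*` blacklist but not the `(_audit|_internal)` whitelist that follows it, so only those two internal indexes get through.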

hettervik
Builder

Thanks a lot, that made things clearer! I've used Cisco systems before, and I'm used to access lists where you read from the top down and use the first rule that applies to your current file. Of course this wouldn't make sense here, where the first default rule is an "accept all"-rule.

0 Karma