Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do we find users who installed forwarders without permission and also restrict unauthorized forwarders in the future?

yu94
New Member
‎06-26-2015 12:50 AM

In my Company we have a particulate team who works on Splunk and a few users had installed the Forwarder without us knowing. How do we find those users and, in future, how to restrict users from doing this again?

0 Karma
Reply

ngatchasandra
Builder
‎06-26-2015 01:09 AM

Hi,

You can do this by going in inputs.conf on the indexer, you can either configure the splunktcp input to only accept from a specific IP address. That is not as useful, so you can also use the acceptFrom parameter to provide a list of network address ranges. See the docs for inputs.conf.

You can also use SSL and require a client certificate. If you do this, then any client must present a certificate that is signed by a specified certificate authority.

Reply

lguinn2
Legend
‎06-26-2015 01:03 AM

On the indexers, in the inputs.conf that specifies the listening port, set a default splunktcp stanza that lists the allowed forwarders. Example:

[splunktcp]
acceptFrom = 10.1.1.2,10.3.1.*

In the acceptFrom, you can list the allowed forwarders by IP address, DNS name, etc. You can use wildcards as well. More information in the Admin manual on inputs.conf

This will stop the incoming data from unauthorized forwarders. You can search the _internal index to see where the data has come from in the past. Here is a very simple search that lists forwarders and how much data has come from each:

index=_internal source=*metrics.log group=tcpin_connections
| eval sourceHost=coalesce(sourceHost,hostname)
| fields sourceHost kb 
| timechart sum(kb) AS kb_forwarded by sourceHost
Reply
Get Updates on the Splunk Community!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Index This | What goes away as soon as you talk about it?

May 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...
Top