I'm trying to use the "acceptFrom" property in inputs.conf to create a whitelist of hosts that can forward to my indexer. One of my hosts matches the hostname glob in my whitelist, but is denied because its hostname isn't properly resolved by Splunk:
TcpInputProc - Rejected a connection from xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) due to acceptFrom setting
- normally the parentheses would contain a resolved hostname.
Running nslookup xxx.xxx.xxx.xxx
from the receiving server gives the proper hostname, as well as a glob matching all subdomains of the hostname, however they are listed as non-authoritative. Does Splunk ignore non-authoritative records? Are the multiple results confusing it? How do I debug this?
If this is from a Splunk forwarder, i believe it uses the forwarder name (rather than DNS) as recorded in etc/system/local/inputs.conf on the forwarder (or the "client name" if set)
I don't think that's the case. While setting up my receiving server, I nmap'd it from my local machine, which does not have Splunk running. This produced Rejected a connection from...
logs from my workstation's IP, with a resolved hostname. This leads me to believe that the acceptFrom whitelist is checked before any Splunk-to-Splunk communication occurs.