Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How does Splunk resolve forwarders' hostnames when using acceptFrom?

sjodle
Path Finder
‎01-17-2018 10:26 AM

I'm trying to use the "acceptFrom" property in inputs.conf to create a whitelist of hosts that can forward to my indexer. One of my hosts matches the hostname glob in my whitelist, but is denied because its hostname isn't properly resolved by Splunk:

TcpInputProc - Rejected a connection from xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) due to acceptFrom setting - normally the parentheses would contain a resolved hostname.

Running nslookup xxx.xxx.xxx.xxx from the receiving server gives the proper hostname, as well as a glob matching all subdomains of the hostname, however they are listed as non-authoritative. Does Splunk ignore non-authoritative records? Are the multiple results confusing it? How do I debug this?

0 Karma
Reply

nickhills
Ultra Champion
‎01-17-2018 10:40 AM

If this is from a Splunk forwarder, i believe it uses the forwarder name (rather than DNS) as recorded in etc/system/local/inputs.conf on the forwarder (or the "client name" if set)

If my comment helps, please give it a thumbs up!
0 Karma
Reply

sjodle
Path Finder
‎01-17-2018 10:48 AM

I don't think that's the case. While setting up my receiving server, I nmap'd it from my local machine, which does not have Splunk running. This produced Rejected a connection from... logs from my workstation's IP, with a resolved hostname. This leads me to believe that the acceptFrom whitelist is checked before any Splunk-to-Splunk communication occurs.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...
Top