Getting Data In

How does the indexer forward data to itself?

benbabich
Explorer

I want to blacklist some events that the Splunk server is sending to itself, but my indexer isn't even running the SplunkForwarder Service, and the inputs.conf file that I'd edit on my other servers doesn't affect what it's sending to itself.
Does it use an inputs.conf file in a different location?
Also, since it's not running the SplunkForwarder Service, what do I restart (if anything) after I edit the correct inputs.conf? Do I have to restart the Splunkd Service (ie: splunk itself)?

0 Karma

gcusello
Esteemed Legend

Hi benbabich,
Which events do you want to blacklist? Internal events?
If internal events, remember that they aren't counted in the license consumption.
Anyway, you can filter them in $SPLUNK_HOME/etc/system/local

Bye.
Giuseppe

0 Karma

benbabich
Explorer

I turned on auditing for .exe's so I can see psexec usage on servers. So I'm looking for some 4688 events (in Windows security logs). I block most, but I want to see the following:
whitelist2 = EventCode="4688" Message="(?:New Process Name:).+(?:cmd.exe)"
whitelist3 = EventCode="4688" Message="(?:New Process Name:).+(?:cscript.exe)"
whitelist4 = EventCode="4688" Message="(?:New Process Name:).+(?:wscript.exe)"
whitelist5 = EventCode="4688" Message="(?:New Process Name:).+(?:PsExec.exe)"
whitelist6 = EventCode="4688" Message="(?:Process Command Line:).+(?:cscript.exe?)"

It works on my servers, but my Splunk indexer server now reports EVERY 4688 event (any .exe that is opened, which is 100+ a minute), and I've added
blacklist1 = EventCode="4688"
to every inputs.conf file I can find on the server (including $SPLUNK_HOME/etc/system/local), and I can't get it to stop reporting 4688 events. I could just use host!=[servername] in a search head to not see those results, but I'd rather just find a way to stop it entirely.

0 Karma
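The rules quoted in the post are key="regex" pairs that Splunk's Windows event log input evaluates against each event. The Python below is an added example, not code from the thread or from Splunk, that parses those exact rule lines, builds a constructed 4688 Message body, and reports which rules fire, so the filter can be checked offline before touching inputs.conf and restarting splunkd. Everything about the evaluation order is an assumption of this model: within one rule all pairs must match (AND), across whitelist lines any match is enough (OR), and the blacklist is applied after the whitelist so a blacklisted event is dropped even if a whitelist matched. Verify that order against the inputs.conf spec for your Splunk version.

```python
import re

# Constructed copy of the whitelist lines quoted in the thread (example input,
# not the poster's actual inputs.conf).
RULES_TEXT = """
whitelist2 = EventCode="4688" Message="(?:New Process Name:).+(?:cmd.exe)"
whitelist3 = EventCode="4688" Message="(?:New Process Name:).+(?:cscript.exe)"
whitelist4 = EventCode="4688" Message="(?:New Process Name:).+(?:wscript.exe)"
whitelist5 = EventCode="4688" Message="(?:New Process Name:).+(?:PsExec.exe)"
whitelist6 = EventCode="4688" Message="(?:Process Command Line:).+(?:cscript.exe?)"
"""

# The blacklist line the poster added on the indexer.
BLACKLIST_TEXT = 'blacklist1 = EventCode="4688"\n'

# One key="regex" pair; the regex body may contain escaped quotes.
PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_rules(text):
    """Parse whitelistN / blacklistN lines into two lists of (name, {key: regex})."""
    whitelists, blacklists = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, body = line.partition("=")   # split on the first '=' only
        name = name.strip().lower()
        pairs = {key: re.compile(rx) for key, rx in PAIR_RE.findall(body)}
        if not pairs:
            continue
        if name.startswith("whitelist"):
            whitelists.append((name, pairs))
        elif name.startswith("blacklist"):
            blacklists.append((name, pairs))
    return whitelists, blacklists


def rule_matches(pairs, event):
    """All key=regex pairs of one rule must match (AND). The match is an unanchored
    search, so EventCode="4688" would also match an EventCode of 14688; anchor the
    pattern as ^4688$ if exact codes matter."""
    return all(key in event and rx.search(event[key]) for key, rx in pairs.items())


def matching_rules(rules, event):
    """Names of the rules that fire for this event, in file order."""
    return [name for name, pairs in rules if rule_matches(pairs, event)]


def is_collected(event, whitelists, blacklists):
    """Assumed model: with whitelists present the event must match at least one of
    them; the blacklist is then applied and wins over any whitelist match."""
    if whitelists and not matching_rules(whitelists, event):
        return False
    if matching_rules(blacklists, event):
        return False
    return True


def make_4688(new_process_name, command_line):
    """Constructed skeleton of a Windows 4688 Message body: one tab-separated
    field per line, as in the real event, so '.+' cannot cross a line break."""
    message = (
        "A new process has been created.\r\n\r\n"
        "Process Information:\r\n"
        "\tNew Process ID:\t0x1a2b\r\n"
        f"\tNew Process Name:\t{new_process_name}\r\n"
        f"\tProcess Command Line:\t{command_line}\r\n"
    )
    return {"EventCode": "4688", "Message": message}


if __name__ == "__main__":
    wl, bl = parse_rules(RULES_TEXT)
    cmd = make_4688(r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir")
    notepad = make_4688(r"C:\Windows\System32\notepad.exe", "notepad.exe")
    print("cmd.exe, whitelists only:", is_collected(cmd, wl, bl), matching_rules(wl, cmd))
    print("notepad.exe, whitelists only:", is_collected(notepad, wl, bl))
    _, bl_all = parse_rules(BLACKLIST_TEXT)
    print("cmd.exe, whitelists + blacklist1:", is_collected(cmd, wl, bl_all))
```

Under this model the whitelist lines alone already drop a notepad.exe 4688 event, which is why an indexer that keeps reporting every 4688 is more likely reading a different inputs.conf (or the old one, until splunkd is restarted) than evaluating these rules and letting everything through.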

benbabich
Explorer

It's not a cluster. And I do not use a separate deployment server; I use the same server for that.

0 Karma

somesoni2
Revered Legend

Ok... then for local monitoring on your indexer server itself, you need to restart the splunkd service after you make the change.

0 Karma

somesoni2
Revered Legend

A Splunk indexer would have the Splunk Enterprise version/product installed on it, which has the full capabilities of Splunk, including indexing and monitoring. The service name would be splunkd, and it should be restarted when you make changes to inputs.conf. Side question: do you have an indexer cluster, OR do you use a deployment server to deploy configs?

0 Karma