Getting Data In

How does the indexer forward data to itself?

benbabich
Explorer

I want to blacklist some events that the Splunk server is sending to itself, but my indexer isn't even running the SplunkForwarder Service, and the inputs.conf file that I'd edit on my other servers doesn't affect what it's sending to itself.
Does it use an inputs.conf file in a different location?
Also, since it's not running the SplunkForwarder Service, what do I restart (if anything) after I edit the correct inputs.conf? Do I have to restart the Splunkd Service (i.e. Splunk itself)?


gcusello
SplunkTrust

Hi benbabich,
Which events do you want to blacklist? Internal events?
If internal events, remember that they aren't counted in the license consumption.
Anyway, you can filter them in $SPLUNK_HOME/etc/system/local

Bye.
Giuseppe


benbabich
Explorer

I turned on auditing for .exe's so I can see psexec usage on servers. So I'm looking for some 4688 events (in Windows security logs). I block most but I want to see the following:
whitelist2 = EventCode="4688" Message="(?:New Process Name:).+(?:cmd.exe)"
whitelist3 = EventCode="4688" Message="(?:New Process Name:).+(?:cscript.exe)"
whitelist4 = EventCode="4688" Message="(?:New Process Name:).+(?:wscript.exe)"
whitelist5 = EventCode="4688" Message="(?:New Process Name:).+(?:PsExec.exe)"
whitelist6 = EventCode="4688" Message="(?:Process Command Line:).+(?:cscript.exe?)"

It works on my servers, but my Splunk indexer server now reports EVERY 4688 event (any .exe that is opened, which is 100+ a minute), and I've added
blacklist1 = EventCode="4688"
to every inputs.conf file I can find on the server (including $SPLUNK_HOME/etc/system/local), and I can't get it to stop reporting 4688 events. I could just use host!=[servername] in a search head to not see those results, but I'd rather just find a way to stop it entirely.


benbabich
Explorer

It's not a cluster. And I do not use a separate deployment server; I use the same server for that.


somesoni2
Revered Legend

OK, then for local monitoring on your indexer server itself, you need to restart the splunkd service after you make the change.


somesoni2
Revered Legend

A Splunk indexer would have the Splunk Enterprise version/product installed on it, which has the full capabilities of Splunk, including indexing and monitoring. The service name would be splunkd, and it should be restarted when you make changes to inputs.conf. Side question: do you have an indexer cluster, or use a deployment server to deploy configs?

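The practical way to settle the "which inputs.conf is actually in effect" question on the indexer itself is Splunk's btool, which prints the merged configuration and, with --debug, the file each setting came from. The following PowerShell is an added example and not part of this thread or of Splunk's own documentation; it assumes a default Splunk Enterprise install path (adjust $SplunkHome), and the app directory name local_wineventlog_filter and the single whitelist/blacklist pair in the stanza are hypothetical placeholders standing in for the poster's full set of filters.

```powershell
# Added example: find the effective Windows Event Log input on a Splunk Enterprise indexer,
# drop a filter stanza into a local config, verify the merge, and restart splunkd.
# Run from an elevated PowerShell prompt on the indexer. $SplunkHome is an assumption.
$SplunkHome = 'C:\Program Files\Splunk'
$Splunk     = Join-Path $SplunkHome 'bin\splunk.exe'

# 1. Show every setting of the Security channel input and which inputs.conf supplies it.
#    Precedence, highest first: etc\system\local, then etc\apps\<app>\local, then
#    etc\apps\<app>\default, then etc\system\default. A setting shown as coming from a
#    higher-precedence file will override the same key placed in a lower one.
& $Splunk btool inputs list 'WinEventLog://Security' --debug

# 2. Write the filter into its own app so it is easy to find and to remove again.
#    (Hypothetical app name; the poster's actual filters are longer than this pair.)
$AppLocal = Join-Path $SplunkHome 'etc\apps\local_wineventlog_filter\local'
New-Item -ItemType Directory -Path $AppLocal -Force | Out-Null

$Stanza = @'
[WinEventLog://Security]
disabled = 0
# Keep 4688 (process creation) only where the new process is cmd.exe; the dot is
# escaped so it matches a literal ".", not any character.
whitelist1 = EventCode="4688" Message="(?:New Process Name:).+(?:cmd\.exe)"
blacklist1 = EventCode="4688"
'@
Set-Content -Path (Join-Path $AppLocal 'inputs.conf') -Value $Stanza -Encoding UTF8

# 3. Confirm that the new keys now appear in the merged view and come from the file
#    you just wrote; if a copy in etc\system\local shows instead, that file wins.
& $Splunk btool inputs list 'WinEventLog://Security' --debug |
    Select-String -Pattern 'whitelist|blacklist|inputs.conf'

# 4. An indexer has no separate SplunkForwarder service: the monitoring input runs inside
#    splunkd, so that is the process to restart for inputs.conf changes to take effect.
& $Splunk restart
```

If btool reports a conflicting whitelist/blacklist key from a file you did not expect (for example a Windows TA under etc\apps), edit or override that copy rather than adding yet another one lower in the precedence order; btool's --debug output is the authoritative view of what splunkd will load after the restart.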