Getting Data In

How to Blacklist a Forwarder

mad4wknds
Path Finder

I have a 250 forwarders in my environment. I have one server that no one can reach a solution on due to low priority. The box is killing my indexer with storage errors. I have no control over uninstalling the forwarder.

I would like to blacklist this forwarder. Is this something that can be done and how?

Tags (1)
0 Karma
1 Solution

kristian_kolb
Ultra Champion

One thing that you can do immediately is to set up a regex transform on your indexer to remove the unwanted data. The example below will re-route all data from that host to the trash can.

props.conf

[host::your_host]
TRANSFORMS-remove_stuff = setnull

transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

NB: you can make a more selective filtering by writing a more specific regex, so that you actually get to keep those events that you like.

Read more here;

http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/Anonymizedatausingconfigurationfiles

/k

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

You could deny all incoming connections from that host like this:

iptables -A INPUT -s 1.2.3.4 -j DROP

That's fairly invasive though, talk to your system or network administrators first.

0 Karma

lukejadamec
Super Champion

You could try something like this. I'm pretty sure it will also drop _internal logs because it is filtering by host. Put these stanzas in the files on the indexer in splunk\etc\system\local, and restart Splunk. This will only affect new events.

props.conf

[host::hostname]
TRANSFORMS-drop = drop_event
transforms.conf

transforms.conf

[drop_event]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

kristian_kolb
Ultra Champion

One thing that you can do immediately is to set up a regex transform on your indexer to remove the unwanted data. The example below will re-route all data from that host to the trash can.

props.conf

[host::your_host]
TRANSFORMS-remove_stuff = setnull

transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

NB: you can make a more selective filtering by writing a more specific regex, so that you actually get to keep those events that you like.

Read more here;

http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/Anonymizedatausingconfigurationfiles

/k

mad4wknds
Path Finder

Thank you kristian.kolb the "acceptFrom" is the answer I was really looking for.

Thanks again

0 Karma

kristian_kolb
Ultra Champion

lukejadamec, well, regex transforms take place after linebreaking, timestamping etc, so if there is really a lot of crap coming from the evil forwarder, it could affect the event processing... I guess.

0 Karma

kristian_kolb
Ultra Champion

Then I would really suggest fw rule, preferably on the network, but local will also work. Perhaps you should also look at the

acceptFrom = <network_acl>

setting in inputs.conf where you define the forwarder connections (splunktcp:9997, or whatever port you're already listening to). From the docs on inputs.conf:

Entries can also be prefixed with '!' to cause the rule to reject the connection. Rules are applied in order, and the first one to match is used. For example, "!10.1/16, *" will allow connections from everywhere except the 10.1.*.* network.

teedilo
Path Finder

Kristian -- I just wanted to thank you for your suggestion to use acceptFrom in inputs.conf. It was the only thing that finally worked for me to shut down traffic from some "rogue" forwarders. Sending things to nullQueue via props.conf and transforms.conf has worked for me for other things, but I couldn't find any combination that would work for this. Thanks again.

0 Karma

lukejadamec
Super Champion

Not sure I understand. This should drop everything from the host. What is still getting indexed?

0 Karma

mad4wknds
Path Finder

Works great for the "Queue" but I need a total blackout meaning that it is still and blocking other queues.

Thanks for the response.

0 Karma

lukejadamec
Super Champion

What version of splunk on the indexer?

0 Karma