We are running splunk-6.0.3-204106 version, and now we are seeing high Splunk license usage from Windows Security events. So I would like to block these events. I tried the below blacklist with reference to a blog, but it's not filtering any events. Please help me on how to fix this issue.
disabled = false
blacklist = 4720, 4722, 4723, 4724, 4725, 4726, 4719, 4734, 4735, 4737, 4897, 4738, 4782, 4749, 4625, 4771, 4624
I guess you used this post to help: http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/
It looks correct.
Hmm, I can't help on this specific need, sorry.
My only solution is: Deployment Server
I would create an application with the stanza that blacklists EventCodes. Then use the deployment feature of Splunk to push this application to all my forwarders.
You need a licence to create a deployment server
We have UF installed on all 300 servers and all 300 Windows servers are sending the security logs, so now I want to put a blacklist on the indexer to block all the logs which are coming in, since configuring all the UFs will be time consuming. Please suggest the configuration for how I can achieve this task.
And also help me: if I want to block a specific IP, can I block it on the indexer?
So you don't have any forwarder on your 300 hosts?
If you have a distributed environment and a forwarder on every host, you can easily create a configuration to push on all your hosts using serverclass.conf.
If you receive your data directly on a port (like 9997), it works the same way: in the stanza that applies, just add the blacklist feature.
Is it helpful?
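The deployment-server approach described in the two replies above (an app carrying the blacklist stanza, pushed to every forwarder via serverclass.conf), written out as an added example that is not part of the original thread. The app name, the host-naming pattern and the deployment server hostname are assumptions; the event codes are the ones from the question, and the blacklist is applied on the forwarder where the input runs, which is why a copy on the indexer has no effect.

```ini
# --- On the deployment server:
#     $SPLUNK_HOME/etc/deployment-apps/win_seclog_filter/local/inputs.conf
# (app name "win_seclog_filter" is an assumption)
# Splunk 6.0 takes a comma-separated list of EventCodes for blacklist.
[WinEventLog://Security]
disabled = 0
blacklist = 4720,4722,4723,4724,4725,4726,4719,4734,4735,4737,4897,4738,4782,4749,4625,4771,4624

# --- On the deployment server:
#     $SPLUNK_HOME/etc/system/local/serverclass.conf
[global]
restartSplunkd = true

[serverClass:windows_forwarders]
# Hostname pattern is an assumption; use one that matches your forwarders.
whitelist.0 = win-*
# Limit the class to Windows clients so Linux forwarders never receive the app.
machineTypesFilter = windows-x64,windows-intel

[serverClass:windows_forwarders:app:win_seclog_filter]
restartSplunkd = true

# --- On each Universal Forwarder (one-time setup):
#     $SPLUNK_HOME/etc/system/local/deploymentclient.conf
[target-broker:deploymentServer]
# Deployment server address is an assumption; 8089 is the default management port.
targetUri = splunk-deploy.example.com:8089
```

After the app lands on a forwarder, `splunk btool inputs list WinEventLog://Security --debug` run on that forwarder shows which file supplies the effective blacklist setting.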
Sorry for the delay in response!
Yes, I have configured it on the indexer server. Now I got to know this configuration works on the Universal Forwarder only. Sorry for my mistake.
Could you please let me know how to block at the indexer level, because I have 300+ hosts sending the logs to Splunk and it is eating my license very much.
Please help me on this issue.
Thanks in advance!
Correct me if I'm wrong, but from your post and this most recent comment, it sounds like you only configured inputs.conf on the indexer? I read through the comments thread on that blog and the writer states in the 2nd to last comment that this configuration works on the forwarder.
I did configure it in the indexer inputs.conf and restarted the servers as well. And there is no stanza on the indexer to overwrite this one.
I just have the below configs on the indexer; is there any mistake in my configs?
host = splunk-index-dev-1
disabled = false
blacklist = 7036