Getting Data In

How to blacklist a Universal Forwarder?

ccsfdave
Builder

This should be relatively simple, but I cannot find discussion or documentation on it. I suspect that Splunk assumes if a universal forwarder is installed, the data is wanted. The problem is that there is a UF out of my control with a misconfigured index name. I would like to blacklist it until the owner can fix it.

How would I blacklist a UF?

0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

1: In props.conf, set the TRANSFORMS-null attribute:

[host::BadUniversalForwarderHostIdentifierHere]
TRANSFORMS-null = TrashEverything

2: Create a corresponding stanza in transforms.conf. Set DEST_KEY to queue and FORMAT to nullQueue:

[TrashEverything]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

3: Deploy to all Indexers and restart all Splunk instances there.
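An added check, not from the thread or from Splunk's own tooling: this Python snippet parses the two stanzas above (constructed inline), verifies that the TRANSFORMS-null target exists in transforms.conf and really routes to nullQueue, and reports whether an event from a given host would be discarded, which is the audit you want before deploying and again later when someone asks why a host's data vanished. The host:: wildcard matching is a simplified assumption, not Splunk's exact matcher.

```python
import configparser
import re

# Constructed props.conf / transforms.conf text, the stanzas from the answer above.
PROPS_CONF = """\
[host::BadUniversalForwarderHostIdentifierHere]
TRANSFORMS-null = TrashEverything
"""
TRANSFORMS_CONF = """\
[TrashEverything]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # TRANSFORMS-null must not be lower-cased
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def null_queue_rules(props, transforms):
    """Map each host:: pattern to the REGEXes of its transforms that route to nullQueue.
    Raises ValueError when a TRANSFORMS-* entry names a stanza missing from transforms.conf,
    which would otherwise fail silently on the indexers."""
    rules = {}
    for stanza, attrs in props.items():
        if not stanza.startswith("host::"):
            continue
        for key, value in attrs.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in value.split(",")):
                t = transforms.get(name)
                if t is None:
                    raise ValueError(f"[{stanza}] {key} names missing transform [{name}]")
                if t.get("DEST_KEY") == "queue" and t.get("FORMAT") == "nullQueue":
                    rules.setdefault(stanza[len("host::"):], []).append(t.get("REGEX", ""))
    return rules

def event_is_dropped(host, raw, rules):
    """True if an event from host with text raw would hit nullQueue under rules.
    host:: matching is simplified to case-insensitive '*' wildcards (an assumption);
    note REGEX = . only matches non-empty events, so an empty event is still indexed."""
    for pattern, regexes in rules.items():
        host_re = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
        if re.match(host_re, host, re.IGNORECASE) and any(re.search(r, raw) for r in regexes):
            return True
    return False
```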

jkat54
SplunkTrust

Yeah, this is a great option if you can restart indexers. The "blacklisting" word put me in a different direction, but nullQueueing is in effect the same. Thanks woodcock!

0 Karma

ccsfdave
Builder

Yeah, I have full control of the central Splunk infrastructure: SH, Indexers, HF, DS. So, let me accept this, and I will update the answer if I need to in the future.

0 Karma

jkat54
SplunkTrust

Do you control the UF from your deployment server? If not you should.

Your options are blocking the src_ip at the firewall... (iptables on Linux; Windows Firewall will do the trick too).

Asking the UF owner to turn off the UF.

If you have the UF password, you can probably disable it via REST calls.

0 Karma

ccsfdave
Builder

Well, I let the question stand because I figured some good discussion or tips may come from it, but it was in my DS, so I took care of it (I think) from there.

0 Karma

jkat54
SplunkTrust

I assume Splunk doesn't want you to blacklist forwarders because they should be controlled via the DS. And if you had a config file somewhere blacklisting them, you might spend days trying to figure out why they aren't sending data in, etc.

0 Karma

ccsfdave
Builder

Yeah, that makes sense.

0 Karma