I have 250 forwarders in my environment. I have one server that no one can reach a solution on due to low priority. The box is killing my indexer with storage errors. I have no control over uninstalling the forwarder.
I would like to blacklist this forwarder. Is this something that can be done, and how?
One thing that you can do immediately is to set up a regex transform on your indexer to remove the unwanted data. The example below will re-route all data from that host to the trash can.
props.conf
[host::your_host]
TRANSFORMS-remove_stuff = setnull
transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
NB: you can make a more selective filtering by writing a more specific regex, so that you actually get to keep those events that you like.
Read more here:
http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/Anonymizedatausingconfigurationfiles
/k
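A more selective variant of the stanzas above, added here as an example and not part of the original answer. It uses the keep-some/discard-the-rest pattern from the Splunk routing documentation: the transforms named in TRANSFORMS-* run left to right, and the last one whose REGEX matches decides the queue, so a catch-all nullQueue transform followed by a narrower indexQueue transform keeps only the events you care about. The host name your_host and the ERROR|CRIT pattern are placeholders.

```ini
# props.conf on the indexer (e.g. $SPLUNK_HOME/etc/system/local/props.conf)
[host::your_host]
# Transforms run in the listed order; the last matching one sets the queue.
TRANSFORMS-filter = setnull, keep_errors

# transforms.conf on the same indexer
# 1. Send every event from the host to the null queue ...
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# 2. ... then pull back the events you actually want to index.
#    Placeholder pattern; replace with whatever identifies the events to keep.
[keep_errors]
REGEX = \b(ERROR|CRIT)\b
DEST_KEY = queue
FORMAT = indexQueue
```

Two caveats a practitioner should keep in mind: this runs in the parsing pipeline on the indexer (or on a heavy forwarder), so it only affects events that arrive after the restart, and the data still crosses the network and the indexer's parsing queues before it is discarded. Because the stanza is keyed on host, the forwarder's own _internal logs from that host are dropped as well unless you add a further transform to keep them.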
You could deny all incoming connections from that host like this:
iptables -A INPUT -s 1.2.3.4 -j DROP
That's fairly invasive, though; talk to your system or network administrators first.
You could try something like this. I'm pretty sure it will also drop _internal logs because it is filtering by host. Put these stanzas in the files on the indexer in splunk\etc\system\local, and restart Splunk. This will only affect new events.
props.conf
[host::hostname]
TRANSFORMS-drop = drop_event
transforms.conf
[drop_event]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
Hi @kristian_kolb, if I create this in a specific app called e.g. twistlock_parsing to remove events coming from host 127.0.0.1 only within a specific index, e.g. azure_twistlock, will this drop all events across all indexes containing that IP? I only want that IP address dropped in index azure_twistlock. I have already tried the solution from this page: https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-a-host-hosts-is-sending-logs-to-Spl... and it didn't work.
Thank you kristian.kolb, the "acceptFrom" setting is the answer I was really looking for.
Thanks again
lukejadamec, well, regex transforms take place after linebreaking, timestamping etc, so if there is really a lot of crap coming from the evil forwarder, it could affect the event processing... I guess.
Then I would really suggest a firewall rule, preferably on the network, but a local one will also work. Perhaps you should also look at the
acceptFrom = <network_acl>
setting in inputs.conf where you define the forwarder connections (splunktcp:9997, or whatever port you're already listening to). From the docs on inputs.conf:
Entries can also be prefixed with '!' to cause the rule to reject the connection. Rules are applied in order, and the first one to match is used. For example, "!10.1/16, *" will allow connections from everywhere except the 10.1.*.* network.
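The acceptFrom setting in practice, added here as an example that is not from the original answer. It shows the ordering mistake that the "first one to match is used" rule makes easy to hit, next to the working form. The address 1.2.3.4 stands in for the rogue forwarder (the same placeholder as in the iptables answer above) and 9997 for the receiving port already in use.

```ini
# inputs.conf on the indexer (e.g. $SPLUNK_HOME/etc/system/local/inputs.conf)
# 1.2.3.4 = placeholder for the rogue forwarder; 9997 = existing receiving port.

# WRONG: "*" is evaluated first and matches every address, so the "!" entry
# is never reached and the rogue forwarder is still accepted.
# [splunktcp://9997]
# acceptFrom = *, !1.2.3.4

# RIGHT: reject entries first, catch-all last.
[splunktcp://9997]
acceptFrom = !1.2.3.4, *

# The same form rejects a whole network, using the shorthand from the docs:
# acceptFrom = !10.1/16, *
```

Restart splunkd after the change, then confirm the effective value with `splunk btool inputs list splunktcp --debug`, which also tells you which file the setting came from in case another app's inputs.conf overrides it. Unlike the nullQueue approach, this refuses the TCP connection itself, so nothing from that host enters the parsing pipeline on the indexer; the rejected forwarder will keep retrying, so the rule costs a connection attempt rather than indexer processing.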
Kristian -- I just wanted to thank you for your suggestion to use acceptFrom in inputs.conf. It was the only thing that finally worked for me to shut down traffic from some "rogue" forwarders. Sending things to nullQueue via props.conf and transforms.conf has worked for me for other things, but I couldn't find any combination that would work for this. Thanks again.
Not sure I understand. This should drop everything from the host. What is still getting indexed?
Works great for the "Queue", but I need a total blackout, meaning that it is still blocking other queues.
Thanks for the response.
What version of splunk on the indexer?