How to edit inputs.conf to restrict data collected from a monitored TCP input to specific hosts?

kennybirdwell
Explorer

I want to restrict data collected from a monitored TCP port to a list of hosts. This is the stanza that I used but it didn't work:

[tcp://server1.AD.AD.net,server2.AD.AD.net:1025]

Cutting it down to one server like this and it works:

[tcp://server2.AD.AD.net:1025]

Can you restrict multiple servers or is this feature just limited to one server? If multiple, what is wrong with the first stanza?

0 Karma
1 Solution

lguinn2
Legend

You need to do it this way:

[tcp://:1025]
acceptFrom=server1.AD.AD.net,server2.AD.AD.net

You can put only 1 server in the actual stanza header, otherwise you must use the acceptFrom attribute.
Check it out in the manual at http://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Inputsconf#TCP

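As an added example (not code from this thread or from Splunk), the Python script below does the two checks a practitioner would want when rolling the stanza above out to a deployment: it flags tcp:// stanzas that carry a comma-separated host list in the header, the form Splunk Web generates and the one that did not restrict the original poster's input, and rewrites each into the `[tcp://:<port>]` plus `acceptFrom` pair; and it evaluates an `acceptFrom` value against a connecting client using the rule semantics that inputs.conf.spec documents for that setting (rules separated by commas or spaces; each rule an IP address, a CIDR block, a DNS name with an optional `*` wildcard, or a bare `*`; a leading `!` rejects; the first matching rule wins; no match means reject). The inputs.conf text, host names and client addresses are constructed for the example. One caveat the evaluator makes visible: under those documented rule forms a dotted wildcard such as 172.16.230.* is a name glob, not an address range, so a subnet is expressed unambiguously as a CIDR block (172.16.230.0/24); abbreviated prefixes like 10.1/16 are likewise not parsed here.

```python
"""Check Splunk inputs.conf TCP stanzas and evaluate acceptFrom ACLs.

Added example, not from the thread or from Splunk. Assumes the acceptFrom
rule semantics documented in inputs.conf.spec (see lead-in); anything the
spec does not list (dotted IP globs, abbreviated CIDR prefixes) is rejected.
"""
import ipaddress
import re
from fnmatch import fnmatchcase

# Constructed sample: the header form Splunk Web produces (did not restrict
# the input for the OP) next to the working header + acceptFrom form.
SAMPLE_INPUTS_CONF = """\
[tcp://server1.AD.AD.net,server2.AD.AD.net:1025]
connection_host = dns
index = cisco
sourcetype = cisco:ios

[tcp://:1026]
acceptFrom = server1.AD.AD.net, server2.AD.AD.net
connection_host = dns
index = cisco
sourcetype = cisco:ios
"""

# Header that names more than one host before the port (IPv6 literals in
# the header are out of scope for this check).
MULTIHOST_HEADER = re.compile(r"^tcp://(?P<hosts>[^:\]]*,[^:\]]*):(?P<port>\d+)$")


def parse_inputs_conf(text):
    """Minimal .conf parser: returns {stanza header: {key: value}} in file order."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def rewrite_multihost_header(header):
    """Turn 'tcp://h1,h2:port' into ('tcp://:port', 'h1,h2').

    Returns None when the header is not the comma-separated multi-host form,
    so single-host and port-only headers are left alone.
    """
    m = MULTIHOST_HEADER.match(header)
    if not m:
        return None
    hosts = ",".join(h.strip() for h in m.group("hosts").split(",") if h.strip())
    return "tcp://:" + m.group("port"), hosts


def lint_multihost_stanzas(text):
    """List (original header, suggested header, acceptFrom value) per finding."""
    findings = []
    for header in parse_inputs_conf(text):
        fixed = rewrite_multihost_header(header)
        if fixed:
            findings.append((header, fixed[0], fixed[1]))
    return findings


def acl_allows(accept_from, client_ip, client_fqdn=None):
    """Apply an acceptFrom ACL to a connecting client; first matching rule wins."""
    ip = ipaddress.ip_address(client_ip)
    for rule in re.split(r"[\s,]+", accept_from.strip()):
        if not rule:
            continue
        negate = rule.startswith("!")
        pattern = rule[1:] if negate else rule
        if pattern == "*":
            matched = True
        else:
            try:
                # Single address or CIDR block (strict=False tolerates host bits).
                matched = ip in ipaddress.ip_network(pattern, strict=False)
            except ValueError:
                # Not an address or CIDR: a DNS name, '*' acting as a wildcard,
                # compared case-insensitively against the client's name only.
                matched = client_fqdn is not None and fnmatchcase(
                    client_fqdn.lower(), pattern.lower())
        if matched:
            return not negate
    return False  # no rule matched: the connection is rejected


if __name__ == "__main__":
    for header, new_header, hosts in lint_multihost_stanzas(SAMPLE_INPUTS_CONF):
        print(f"[{header}] -> [{new_header}] with acceptFrom = {hosts}")
    print(acl_allows("server1.AD.AD.net,server2.AD.AD.net", "10.0.0.5", "server2.AD.AD.net"))
```

Run it over a real inputs.conf by passing the file's text to `lint_multihost_stanzas`; the ACL evaluator is also a convenient way to confirm, before the customer's failover test, that the second server's name would be accepted by the `acceptFrom` value as written.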
adamsaul
Communicator

lguinn,

This makes sense, but I find it interesting that making a TCP input through the Splunk Web GUI led me to believe you could put multiple hosts within the monitor line.

Adam

0 Karma

lguinn2
Legend

The other way may work in the latest version of Splunk; I haven't used it. But 7 years of Splunk experience and the documentation make me think that acceptFrom is the way to go. It is a lot more flexible.

But if you do want to use multiple servers in the stanza header, I think you will need to put the port number on every server, not just at the end of the line.

kennybirdwell
Explorer

Using "acceptFrom" to list the server names separated by a comma works. The only thing I would note is that in your example you have an extra colon between the two forward slashes and the port number. Looking at the documentation, those are not there; maybe a typo?

This is my final stanza, which works for the first server now with both servers in. It may be tomorrow before the customer can test the failover on his side to verify it also accepts from the second server, but I'm pretty confident the second server is going to work as well.

[tcp://1025]
acceptFrom=server1.AD.AD.net,server2.AD.AD.net
connection_host = dns
index = cisco
sourcetype = cisco:ios

0 Karma

lguinn2
Legend

That isn't really an "extra" colon. I think it is optional, but it's not a typo.

0 Karma

kennybirdwell
Explorer

Thanks, the failover to the second server works, so everything is working as expected. Thanks for the info.

0 Karma

adamsaul
Communicator

kennybirdwell,

Your first stanza is the correct format, that is exactly how you do multiple hosts.

I would check to be sure (if you are using DNS names as inputs) that they can be resolved by Splunk.

If they are statically IP'd machines and you don't want to rely on DNS being available, you could use (although frowned upon), UNIX: /etc/hosts OR WINDOWS: C:\Windows\System32\Drivers\etc\hosts

Adam

0 Karma

kennybirdwell
Explorer

The first stanza didn't work using IP or FQDN, the second stanza using the same FQDN as the first one but with only the first server name does work. The only thing I haven't tried is a space after the comma between the server names. I can try that and see.

0 Karma

adamsaul
Communicator

Here is a system-built input example; yours is no different than mine:

[tcp://test1.foobar.net,tada.foo.net:9000]
connection_host = dns
sourcetype = cisco_syslog

[tcp://172.16.100.99,172.16.200.25,172.16.230.*:9001]
connection_host = ip
sourcetype = cisco_syslog

You're restarting Splunk after making changes, correct?

0 Karma

kennybirdwell
Explorer

That's how I got my stanza info building it from the web UI but that doesn't work even with the port at the end of each server when you deploy that out. The answer below using "acceptFrom" works.

0 Karma