Getting Data In
Highlighted

How to filter out an IP address that is sending syslogs to Splunk using TCP port 514 as input?

Path Finder

Hi Everyone

I need to know whether it is possible to filter out an IP address that is sending syslogs into Splunk using TCP port 514 as input.

Is there any configuration that needs to be done on the Splunk side to filter out that IP, or does it require blocking from the network device end sending logs to Splunk.

Please let me know.

Thanks

0 Karma
Highlighted

Re: How to filter out an IP address that is sending syslogs to Splunk using TCP port 514 as input?

SplunkTrust
SplunkTrust

Hi OMohi,

Yes, you can filter out un-wanted events by using this guide http://docs.splunk.com/Documentation/Splunk/6.3.0/Forwarding/Routeandfilterdatad#Filter_event_data_a...

Here is an example (un-tested) of props.conf and transforms.conf needed on the indexer:

props.conf

[source::tcp:514] 
TRANSFORMS-send_to_nullQueue = setnull,setparsing

transforms.conf

[setnull]
REGEX = ip to match the un-wanted host
SOURCE_KEY = MetaData:Host 
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue

Hope this helps to get you started and don't forget it will only drop new events from the IP and will only work after a Splunk restart.

Just my 2 cents: best thing to do here: stop the source from sending 😉

cheers, MuS

View solution in original post