Re: Index whitelisting and blacklisting not work i...

sigma · ‎05-16-2024

Hi all,

I have a number a forwarder that sends a lot of logs to different indexes. For example, there are three indexes: Windows, Linux, and Firewall.
A new cluster has been set up and I am planning to forward only some logs to the new cluster based on the index name.
For example, consider that between the three indexes of Windows, Linux, and Firewall, I'm going to send only Firewall to the new cluster.
This is the configuration that I tried to create:

[tcpout]
defaultGroup = dag,dag-n

[tcpout:dag]
disabled = false
server = p0:X,p1:Y

[tcpout:dag-n]
disabled = false
server = pn:Z
forwardedindex.0.whitelist = firewall
forwardedindex.1.blacklist = .*

but unfortunately, some logs of both Windows and Linux indexes are still sent to the new cluster, and because an index is not considered for them in the new cluster, they frequently cause errors.

The thing that came to my mind was that maybe I should empty the default whitelist and blacklist first. Anyone have any ideas?

richgalloway · ‎05-16-2024

Per the outputs.conf.spec file,

# These settings are only applicable under the global [tcpout] stanza.
# This filter does not work if it is created under any other stanza.

---
If this reply helps you, Karma would be appreciated.

Index whitelisting and blacklisting not work in forwarders

blacklist

heavy forwarder

index

whitelist

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?