Getting Data In
Is there a way to whitelist which forwarded logs are indexed on the indexer based on the host they are from?

New Member

I'm looking to monitor logs that are forwarded with the universal forwarder, but I do not want them from all machines. Due to the way our systems are deployed, all the machines would have the forwarder set up and configured on them. Is it possible on the Splunk server to whitelist just the machines I want logs from?

Thanks.

Re: Is there a way to whitelist which forwarded logs are indexed on the indexer based on the host they are from?

Splunk Employee

When the UF is installed and configured, is it configured with a deploymentclient.conf? Because if they are all phoning home to the Deployment Server (Forwarder Management), you can send out an outputs.conf that will override what's in the base config and control what is actually sending stuff somewhere and what is not. That would be the most efficient way to manage them... So rather than turning them away... you'll tell them what to do.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
Re: Is there a way to whitelist which forwarded logs are indexed on the indexer based on the host they are from?

New Member

We are not using a deployment server for forwarder management at the moment.

Re: Is there a way to whitelist which forwarded logs are indexed on the indexer based on the host they are from?

Splunk Employee

The best way would be to use the Deployment Server and have the UFs configured properly to just connect with the DS automatically, allowing you to push the configurations you want. Even if a machine comes up that you DO want to collect from, you still need to add configuration to the forwarder to collect data properly.

That said, you could try this for now, in inputs.conf on the indexer:

[tcp://:9997]
acceptFrom =

acceptFrom = <network_acl> ...
* Lists a set of networks or addresses to accept connections from.  These rules are separated by commas or spaces
* Each rule can be in the following forms:
*   1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")
*   2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32")
*   3. A DNS name, possibly with a '*' used as a wildcard (examples: "myhost.example.com", "*.splunk.com")
*   4. A single '*' which matches anything
* Entries can also be prefixed with '!' to cause the rule to reject the
  connection.  Rules are applied in order, and the first one to match is
  used.  For example, "!10.1/16, *" will allow connections from everywhere
  except the 10.1.*.* network.
* Defaults to "*" (accept from anywhere)

It's a list you would have to maintain... basically listing all the ones you want specifically. But that is most likely going to be a random smattering, so you won't be able to wildcard, etc.

You need something to manage the forwarders. Whether it is the Deployment Server, Chef, Puppet or whatever... something has to control them. Or you need to get that initial base configuration done properly so that the UF is installed but it is not sending automagically...

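The acceptFrom semantics quoted above (first matching rule wins, a leading '!' rejects, short CIDR forms such as "10/8", DNS names with '*' wildcards) are easy to get subtly wrong when hand-maintaining a long allowlist. The script below is an added example, not code from the thread or from Splunk: it parses a constructed inputs.conf fragment, reimplements the rule evaluation as the spec excerpt describes it, and checks a constructed inventory of forwarder source addresses against it before the list is deployed. It assumes the forwarders speak the Splunk-to-Splunk protocol, so the receiving stanza is [splunktcp://9997] rather than a raw [tcp://...] input, and it stands in a small constructed table for the reverse-DNS lookups that name-based rules rely on. The "no rule matches means reject" behaviour is inferred from the spec's own "!10.1/16, *" example, which would not need the trailing "*" otherwise.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed inputs.conf fragment (assumption, not from the thread): an allowlist of
# forwarder addresses on the indexer's receiving port. UFs use the Splunk-to-Splunk
# protocol, hence [splunktcp://9997] rather than a raw [tcp://...] input.
INPUTS_CONF = """
[splunktcp://9997]
acceptFrom = !10.1.2.99, 10.1.2.0/24, 10/8, uf-*.corp.example.com, fe80::4a3
"""

# Constructed reverse-DNS table standing in for real lookups (assumption: the
# indexer resolves the peer address to a name when a rule is a DNS name).
REVERSE_DNS = {
    "192.168.50.7": "uf-db01.corp.example.com",
    "192.168.50.8": "laptop-42.corp.example.com",
}


def parse_accept_from(conf_text: str, stanza: str) -> List[str]:
    """Return the acceptFrom rules of one stanza; absent means '*' (accept from anywhere)."""
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current == stanza and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "acceptFrom":
                # Per the spec, rules are separated by commas or whitespace.
                return [r for r in re.split(r"[,\s]+", value.strip()) if r]
    return ["*"]


def _normalize_cidr(rule: str) -> str:
    """Expand Splunk's short CIDR forms ('10/8', 'fe80:1234/32') into what ipaddress accepts."""
    net, _, bits = rule.partition("/")
    if ":" in net:
        if not net.endswith("::") and net.count(":") < 7:
            net = net + "::"          # 'fe80:1234' -> 'fe80:1234::'
    else:
        octets = net.split(".")
        while len(octets) < 4:
            octets.append("0")        # '10' -> '10.0.0.0', '10.1' -> '10.1.0.0'
        net = ".".join(octets)
    return f"{net}/{bits}"


def rule_matches(rule: str, addr: str, name: Optional[str]) -> bool:
    """Test one rule (with any leading '!' already stripped) against a peer address and its DNS name."""
    if rule == "*":
        return True
    ip = ipaddress.ip_address(addr)
    if "/" in rule:
        # Mixed IPv4/IPv6 comparisons simply fail to match, which is what we want.
        return ip in ipaddress.ip_network(_normalize_cidr(rule), strict=False)
    try:
        return ip == ipaddress.ip_address(rule)
    except ValueError:
        pass  # not an address literal, so treat it as a DNS-name rule
    if name is None:
        return False
    pattern = "^" + re.escape(rule).replace(r"\*", ".*") + "$"
    return re.match(pattern, name, re.IGNORECASE) is not None


def is_accepted(rules: List[str], addr: str, reverse_dns: Dict[str, str] = REVERSE_DNS) -> bool:
    """Rules are applied in order; the first match decides, and a '!' rule rejects.
    If nothing matches the connection is rejected (implied by the spec's '!10.1/16, *' example)."""
    name = reverse_dns.get(addr)
    for rule in rules:
        negate = rule.startswith("!")
        if rule_matches(rule.lstrip("!"), addr, name):
            return not negate
    return False


def evaluate_inventory(conf_text: str = INPUTS_CONF, stanza: str = "splunktcp://9997") -> Dict[str, bool]:
    """Check a constructed list of forwarder source addresses against the stanza's allowlist."""
    rules = parse_accept_from(conf_text, stanza)
    peers = ["10.1.2.99", "10.1.2.10", "10.200.0.5", "192.168.50.7",
             "192.168.50.8", "fe80::4a3", "172.16.0.1"]
    return {peer: is_accepted(rules, peer) for peer in peers}


if __name__ == "__main__":
    for peer, ok in evaluate_inventory().items():
        print(f"{peer:16} {'accept' if ok else 'REJECT'}")
```

Two caveats worth keeping in mind when relying on this control: the ACL is evaluated against the source address of the TCP connection, not the host field inside the forwarded events, so forwarders behind a shared NAT are indistinguishable from each other; and name-based rules depend on reverse DNS being correct for the peer address, so an attacker who controls PTR records for their network can satisfy a wildcard name rule. Address and CIDR rules avoid the second problem, at the cost of the maintenance burden the answer describes.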