I'm looking to monitor logs that are forwarded with the universal forwarder, but I do not want it from all machines. Due to the way our systems are deployed, all the machines would have the forwarder set up and configured on them. Is it possible on the Splunk server to whitelist just the machines I want logs from?
When the UF is installed and configured, is it configured with a deploymentclient.conf? Because if they are all phoning home to the Deployment Server (Forwarder Management) you can send out an outputs.conf that will override what's in the base config and control what is actually sending stuff somewhere and what is not. That would be the most efficient way to manage them... So rather than turning them away... you'll tell them what to do.
We are not using a deployment server for forwarder management at the moment.
The best way would be to use the Deployment Server and have the UFs configured properly to just connect with the DS automatically and allow you to push the configurations you want. Even if a machine comes up that you DO want to collect from, you still need to add configuration to the forwarder to collect data properly.
That said, you could try this for now:
inputs.conf on the indexer:

    acceptFrom = <network_acl> ...
    * Lists a set of networks or addresses to accept connections from. These rules are
      separated by commas or spaces
    * Each rule can be in the following forms:
    *   1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")
    *   2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32")
    *   3. A DNS name, possibly with a '*' used as a wildcard (examples: "myhost.example.com", "*.splunk.com")
    *   4. A single '*' which matches anything
    * Entries can also be prefixed with '!' to cause the rule to reject the connection.
      Rules are applied in order, and the first one to match is used. For example,
      "!10.1/16, *" will allow connections from everywhere except the 10.1.*.* network.
    * Defaults to "*" (accept from anywhere)
It's a list you would have to maintain... basically listing all the ones you want specifically. But that is most likely going to be a random smattering so you won't be able to wildcard etc.
You need something to manage the forwarders. Whether it is the Deployment Server, Chef, Puppet or whatever... something has to control them. Or you need to get that initial base configuration done properly so that the UF is installed but it is not sending automagically...
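As an added illustration (not from this thread and not Splunk's own code), the following Python reproduces the first-match acceptFrom semantics quoted above, so a candidate ACL can be checked against forwarder addresses before it goes into inputs.conf. The `hostname` argument is an assumption standing in for the reverse-DNS name Splunk would compare DNS-style rules against; the sample addresses in the test are constructed.

```python
import ipaddress
from fnmatch import fnmatchcase


def _expand_network(net):
    """Expand Splunk's shorthand network prefixes ("10/8", "fe80:1234/32")
    into something the ipaddress module accepts."""
    if ":" in net:
        if "::" not in net and net.count(":") < 7:
            net += "::"            # "fe80:1234" -> "fe80:1234::"
    else:
        net += ".0" * (3 - net.count("."))   # "10.1" -> "10.1.0.0"
    return net


def _match_rule(rule, addr, hostname=None):
    """Return True if one ACL entry (without any leading '!') matches."""
    if rule == "*":
        return True
    if "/" in rule:                  # CIDR block
        net, prefix = rule.split("/", 1)
        try:
            network = ipaddress.ip_network(f"{_expand_network(net)}/{prefix}", strict=False)
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        return ip.version == network.version and ip in network
    try:                             # single IPv4/IPv6 address
        return ipaddress.ip_address(rule) == ipaddress.ip_address(addr)
    except ValueError:
        pass
    # DNS name, '*' allowed as a wildcard; compared against the reverse-resolved
    # name, which this example takes as a parameter (assumption, see lead-in)
    return hostname is not None and fnmatchcase(hostname.lower(), rule.lower())


def accept_from(acl, addr, hostname=None):
    """Evaluate an acceptFrom value for a connecting forwarder.
    Rules are separated by commas or spaces, applied in order, first match wins;
    a '!' prefix rejects. An unset/empty value defaults to '*'."""
    rules = (acl or "*").replace(",", " ").split() or ["*"]
    for rule in rules:
        reject = rule.startswith("!")
        if _match_rule(rule.lstrip("!"), addr, hostname):
            return not reject
    return False                     # nothing matched: connection refused
```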