Unauthorized Forwarders

pfernandez133
Explorer

Hey guys, fairly new Splunk admin here. I've a question about unauthorized forwarders.

Is there anything to prevent my indexer from indexing something from a "rogue forwarder"? That is, if someone set up their laptop to forward huge logs to my indexer, will my indexer slurp up those logs? Is there anything built in to prevent this?

This question came up because I'm troubleshooting an issue where Splunk doesn't seem to be indexing events from an external host sending events on port 8089. tcpdump confirms that data is being passed from that host to our indexer, but nothing seems to show up.

Thanks in advance!

dwaddle
SplunkTrust

There are other tools at your disposal too, like iptables. If you are down to permitting (or refusing) forwarders based on source IP address, Splunk can do it. But the operating system is better equipped for the same job. If nothing else, you can update iptables configurations without having to restart splunkd.

If you cannot do source-IP based control, then SSL and the SSL client certificate that Gerald mentioned is a good solution.

Back to your original problem that started this, port 8089 is typically the Splunkd REST port. Unless you are using the REST API to submit events (and 99% of things do not) this is not the port you use to get data in.

gkanapathy
Splunk Employee

Yes. In inputs.conf on the indexer, you can either configure the splunktcp input to only accept from a specific IP address. That is not as useful, so you can also use the acceptFrom parameter to provide a list of network address ranges. See the docs for inputs.conf.

You can also use SSL and require a client certificate. If you do this, then any client must present a certificate that is signed by a specified certificate authority.
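To make the acceptFrom behaviour discussed above concrete, here is an added example (not code from this thread or from Splunk) that reads the acceptFrom value out of a [splunktcp] stanza and evaluates whether a given forwarder source would be allowed to connect. The rule semantics it implements are my reading of the inputs.conf spec: rules are separated by commas or spaces, each rule is a single IP, a CIDR block (abbreviated forms such as 10/8 or 10.1/16 allowed), a DNS name with optional * wildcards, or a bare *; a leading ! rejects; rules are applied in order and the first match wins; no match means reject; a missing acceptFrom means *. The stanza text and the IP addresses are constructed sample input, and the script goes slightly beyond the thread by evaluating a whole rule list rather than just the default.

```python
import fnmatch
import ipaddress
import re

# Constructed copy of the default [splunktcp] stanza quoted in the thread,
# embedded here so the script runs offline.
DEFAULT_STANZA = """[splunktcp]
route=has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue
acceptFrom=*
connection_host=ip
"""


def accept_from_of(stanza_text):
    """Return acceptFrom from a [splunktcp] stanza, or "*" (the documented default) if absent."""
    in_stanza = False
    for line in stanza_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_stanza = line == "[splunktcp]"
            continue
        if in_stanza and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "acceptFrom":
                return value
    return "*"


def _to_network(pattern):
    """Parse an address rule ("10.1.2.3", "10/8", "10.1/16", "fe80:1234/32") into an ip_network.

    Raises ValueError when the pattern is not an address or CIDR block (e.g. a DNS name),
    so the caller can fall back to hostname matching.
    """
    if "/" not in pattern:
        return ipaddress.ip_network(pattern)
    addr, prefix = pattern.split("/", 1)
    if ":" in addr:
        if "::" not in addr and addr.count(":") < 7:
            addr += "::"  # abbreviated IPv6 prefix such as fe80:1234
    else:
        octets = addr.split(".")
        if not all(o.isdigit() for o in octets) or len(octets) > 4:
            raise ValueError(pattern)
        addr = ".".join(octets + ["0"] * (4 - len(octets)))  # 10.1 -> 10.1.0.0
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def is_accepted(accept_from, source_ip, hostname=None):
    """Apply acceptFrom rules in order: first match wins, a "!" rule rejects, no match rejects."""
    ip = ipaddress.ip_address(source_ip)
    for raw in re.split(r"[,\s]+", accept_from.strip()):
        if not raw:
            continue
        negate = raw.startswith("!")
        pattern = raw[1:] if negate else raw
        if pattern == "*":
            matched = True
        else:
            try:
                matched = ip in _to_network(pattern)
            except ValueError:
                # Not an address: treat as a DNS name, possibly with '*' wildcards.
                matched = hostname is not None and fnmatch.fnmatchcase(
                    hostname.lower(), pattern.lower()
                )
        if matched:
            return not negate
    return False


def audit(stanza_text, source_ip, hostname=None):
    """Evaluate one forwarder source against the stanza's effective acceptFrom."""
    return is_accepted(accept_from_of(stanza_text), source_ip, hostname)


if __name__ == "__main__":
    rogue = "203.0.113.77"  # constructed: a laptop outside the managed forwarder ranges
    print("default stanza accepts rogue laptop:", audit(DEFAULT_STANZA, rogue))
    restricted = DEFAULT_STANZA.replace("acceptFrom=*", "acceptFrom=10.0.0.0/8, 192.168.10/24")
    print("restricted stanza accepts rogue laptop:", audit(restricted, rogue))
    print("restricted stanza accepts 10.20.30.40:", audit(restricted, "10.20.30.40"))
```

Running it against the default stanza shows the point made in the thread: with acceptFrom=* every source is accepted, and only after narrowing the list to your forwarder networks does an unmanaged host get refused. Note that acceptFrom only filters by source address or name; it does not authenticate the forwarder, which is what the SSL client-certificate option adds.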

pfernandez133
Explorer

Great. Thanks again!

gkanapathy
Splunk Employee

Yes, unless otherwise restricted, any forwarder may connect and send.

pfernandez133
Explorer

Thank you, sir!

So, if I don't have anything different in my $SPLUNK/etc/system/local/inputs.conf, the [splunktcp] stanza from $SPLUNK/etc/system/default/inputs.conf is in effect?

[splunktcp]
route=has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue
acceptFrom=*
connection_host=ip

Which means anyone can send my Indexer anything?

Thx!