Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Unauthorized Forwarders

pfernandez133
Explorer
‎09-27-2013 06:47 PM

Hey guys, fairly new Splunk admin here. I've a question about unauthorized forwarders.

Is there anything to prevent my indexer from indexing something from a "rogue forwarder"? That is, if someone set up their laptop to forward huge logs to my indexer, will my indexer slurp up those logs? Is there anything built in to prevent this?

This question came up because I'm troubleshooting an issue where Splunk doesn't seem to be indexing events from an external host sending events on port 8089. tcpdump confirms that data is being passed from that host to our indexer, but nothing seems to show up.

Thanks in advance!

Reply

dwaddle
SplunkTrust
SplunkTrust
‎09-28-2013 09:35 AM

There are other tools at your disposal too, like iptables. If you are down to permitting (or refusing) forwarders based on source IP address, Splunk can do it. But the operating system is better equipped for the same job. If nothing else, you can update iptables configurations without having to restart splunkd.

If you cannot do source-IP based control, then SSL and the SSL client certificate that Gerald mentioned is a good solution.

Back to your original problem that started this, port 8089 is typically the Splunkd REST port. Unless you are using the REST API to submit events (and 99% of things do not) this is not the port you use to get data in.

Reply

gkanapathy
Splunk Employee
Splunk Employee
‎09-27-2013 07:07 PM

Yes. In inputs.conf on the indexer, you can either configure the splunktcp input to only accept from a specific IP address. That is not as useful, so you can also use the acceptFrom parameter to provide a list of network address ranges. See the docs for inputs.conf.

You can also use SSL and require a client certificate. If you do this, then any client must present a certificate that is signed by a specified certificate authority.

Reply

pfernandez133
Explorer
‎09-27-2013 07:29 PM

Great. Thanks again!

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎09-27-2013 07:20 PM

Yes, unless otherwise restricted, any forwarder may connect and send.

Reply

pfernandez133
Explorer
‎09-27-2013 07:15 PM

Thank you, sir!

So, if I don't have anything different in my $SPLUNK/etc/system/local/inputs.conf, the [splunktcp] stanza from $SPLUNK/etc/system/default/inputs.conf is in effect?

[splunktcp]
route=has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue
acceptFrom=*
connection_host=ip

Which means anyone can send my Indexer anything?

Thx!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...