Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What is the easiest way to exclude ingestion of events for a specific IP address at UF OR SyslogNG level?

Nraj87
Explorer
‎04-16-2023 05:05 AM
Easiest way to exclude ingestion of events for a specific IP address from a SourceType at UF level OR Syslog-NG
 
Labels (1)
Labels
0 Karma
Reply

seemanshu
Path Finder
‎04-26-2023 05:54 AM

Hi @Nraj87 ,

You could use one of the following methods for excluding the data from a specific IP in your infrastructure,

  • Modifying syslog-ng.conf
    • filter f_all { not (<ip_address_to_be_excluded>);};
  • Modifying transforms.conf and props.conf

in transforms.conf                 

 

[setnull]
 REGEX = <regex for the ip to be excluded>
 DEST_KEY = queue
 FORMAT = nullQueue

 

 

  • in props.conf 

 

[sourcetype_name]
TRANSFORMS-null = setnull

 

Kindly support the answer, if find it useful.

Happy Splunking!

0 Karma
Reply

woodcock
Esteemed Legend
‎04-16-2023 01:26 PM

The "easiest way" is almost never the "right way".  The "right way" is almost always to drop it as early in the transmission pipeline as possible.  So if syslog-ng, then do it with an IP filter in syslog-ng.  The easy way is to drop it at the indexer, but I would never do it that way.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-16-2023 07:49 AM

Please be more specific about:

1) What your infrastructure and ingestion process looks like

2) What you want to do - filter out events coming from particuar IP? Containing particular IP? Something else?

0 Karma
Reply

Nraj87
Explorer
‎04-26-2023 04:06 AM

1) What your infrastructure and ingestion process looks like - All the network devices are sending logs to SYSLOG-NG and from SYSLOGNG UF is forwarding the logs to the Indexers.

2) What you want to do - filter out events coming from particular IP?  yes, i would like to filter out all the events at UF level particular IP.          Containing particular IP?NA Something else?NA

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-26-2023 05:13 AM

So the easiest thing to do would be to (in order of decreasing reasonableness):

1) Not send the events from that IP

2) Configure your syslog-ng to silently discard events from that IP

3) Configure iptables on your syslog-ng host to reject/drop syslog packets from that IP

It has nothing to do with UF itself. It should be done before the events even reach the UF.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...