Whitelist IP Ranges in serverclass.conf

Path Finder

I am attempting to whitelist a range of IP addresses in my serverclass.conf but it doesn't seem to be working. This is the regex that I came up with to match IP Addresses between 10.0.0.0 and 10.49.255.255.

[serverClass:pcforwarders]
whitelist.0=10.([0-9]|[0-4][0-9]).[0-9]{1,3}.[0-9]{1,3}
blacklist.0=10.255.26.*

[serverClass:pcforwarders:app:pcforwardersconfigs]
stateOnClient=enabled
restartSplunkd=true

[serverClass:pcforwarders:app:pclogcollection]
stateOnClient=enabled
restartSplunkd=true

Splunk Employee

AFAIK, you can't use a regex in a serverclass.conf whitelist. The spec file does not show this as being valid.

http://docs.splunk.com/Documentation/Splunk/latest/admin/Serverclassconf

whitelist.<n> = <clientName> | <ip address> | <hostname>
blacklist.<n> = <clientName> | <ip address> | <hostname>
    * 'n' is a number starting at 0, and increasing by 1. Stop looking at the filter when 'n' breaks.
    * The value of this attribute is matched against several things in order:
         * Any clientName specified by the client in its deploymentclient.conf file
         * The ip address of the connected client
         * The hostname of the connected client as provided by reverse DNS lookup
         * The hostname of the client as provided by the client
    * All of these can be used with wildcards.  * will match any sequence of characters.  For example:
        * Match an network range: 10.1.1.*
        * Match a domain: *.splunk.com
    * These patterns are PCRE regular expressions with the additional mappings:
        * '.' is mapped to '\.'
        * '*' is mapped to '.*'
    * Can be overridden at the serverClass level, and the serverClass:app level.
    * There are no whitelist or blacklist entries by default.

Legend

I have chatted with some folks who say PCRE is fine - now I just need to go test it!

0 Karma

Splunk Employee

Notice: "with the additional mappings". Meaning, it is a regex, but not PCRE compliant, which means I think you're going to run into unexpected behaviors trying to use PCRE straight up in the conf file.

0 Karma

Legend

Perhaps I misunderstand what this line means: "These patterns are PCRE regular expressions..."

0 Karma

Legend

I am not sure what your question is, exactly, but here is a great reference for regular expressions. I've linked to the page with an example for IP addresses.

http://www.regular-expressions.info/examples.html

Specifically, I think the following would match what you want:

10\.[0-4]?[0-9]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)
0 Karma
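
The two mappings quoted from the spec in this thread can be modelled in a few lines to see how each posted pattern would be read. This is an added example, not part of any post and not Splunk's code; `filter_to_regex` and `matches` are hypothetical names, and both the plain character-by-character substitution and the whole-value match are assumptions about how the mappings are applied.

```python
import re

# Patterns copied from the thread.
QUESTION_WHITELIST = "10.([0-9]|[0-4][0-9]).[0-9]{1,3}.[0-9]{1,3}"
QUESTION_BLACKLIST = "10.255.26.*"
ANSWER_REGEX = (r"10\.[0-4]?[0-9]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
                r"\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)")


def filter_to_regex(pattern: str) -> str:
    # Spec mappings: '.' becomes an escaped dot, '*' becomes '.*'.
    # Assumption: the substitution is applied to every character,
    # including a '.' that the author already escaped.
    out = []
    for ch in pattern:
        if ch == ".":
            out.append(r"\.")
        elif ch == "*":
            out.append(".*")
        else:
            out.append(ch)
    return "".join(out)


def matches(pattern: str, client: str) -> bool:
    # Assumption: the filter must match the whole client value.
    return re.fullmatch(filter_to_regex(pattern), client) is not None


if __name__ == "__main__":
    # Constructed sample client addresses.
    clients = ["10.0.0.1", "10.49.255.255", "10.50.0.1",
               "10.5.999.999", "10.255.26.7"]
    for name, pat in [("question whitelist", QUESTION_WHITELIST),
                      ("question blacklist", QUESTION_BLACKLIST),
                      ("answer regex", ANSWER_REGEX)]:
        print(name, "->", filter_to_regex(pat))
        for ip in clients:
            print("   ", ip, matches(pat, ip))
```

Under these assumptions the unescaped pattern from the question selects 10.0 through 10.49 but does not validate the last two octets, while a pattern with pre-escaped dots has each `\.` turned into a literal backslash followed by any character and so matches no IP address.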