I'm working on a system whereby Vulnerability Analysis (VA) scanners are polling various LAN segments, which is resulting in garbage data being ingested by indexers legitimately listening on 9997, as the VA scanners do their job and try to identify known vulnerabilities.
inputs.conf caters for this and allows a list of IPs to block followed by an accept-all, and quoting the example:
* You can also prefix an entry with '!' to cause the rule to reject the
connection. The input applies rules in order, and uses the first one that
For example, "!10.1/16, *" allows connections from everywhere except
the 10.1.*.* network.
In the instance that I am working on there are ~40 individual /32 IPs before the * catch-all permit, in the format below (I have obfuscated the actual IPs with placeholders for the purpose of publishing here).
acceptFrom = "!10.1.x.x, !10.2.x.x, !10.3.x.x, *"
However, this has not worked, and all traffic is being dropped, which can be seen via a simple UI search.
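The following is an added example, not part of the question above and not Splunk's own code: a small Python model of the acceptFrom evaluation the quoted spec describes (rules checked in order, first match wins, a leading "!" turns a rule into a reject, "*" matches anything). It handles the single-address and CIDR forms, including the short "10.1/16" notation from the docs example, but not DNS-name rules. What happens when no rule matches at all is treated here as deny, which is an assumption rather than something the spec text above states. The scanner and forwarder addresses are constructed sample values, not the poster's real ones; the point is to dry-run a candidate acceptFrom list against known source addresses before deploying it.

```python
import ipaddress

def _parse_rule(rule):
    """Turn one acceptFrom entry into (reject, network).

    network is None for the "*" wildcard. Short IPv4 CIDR forms such as
    "10.1/16" are padded to "10.1.0.0/16". DNS-name rules are not supported
    here (assumption: this model only covers address and CIDR rules).
    """
    rule = rule.strip()
    reject = rule.startswith("!")
    if reject:
        rule = rule[1:].strip()
    if rule == "*":
        return reject, None
    if "/" in rule and ":" not in rule:
        addr, prefix = rule.split("/", 1)
        octets = addr.split(".")
        octets += ["0"] * (4 - len(octets))          # pad "10.1" -> "10.1.0.0"
        rule = ".".join(octets) + "/" + prefix
    # A bare address becomes a /32 (or /128) network.
    return reject, ipaddress.ip_network(rule, strict=False)

def parse_accept_from(value):
    """Split a comma-separated acceptFrom value into parsed rules."""
    return [_parse_rule(r) for r in value.split(",") if r.strip()]

def evaluate(accept_from, client_ip):
    """Return True if client_ip would be accepted, False if rejected.

    Rules are applied in order and the first matching rule decides.
    If nothing matches, this model denies (assumption, not from the spec).
    """
    ip = ipaddress.ip_address(client_ip)
    for reject, net in parse_accept_from(accept_from):
        if net is None:
            return not reject                          # "*" matches everything
        if ip.version == net.version and ip in net:
            return not reject
    return False

def audit(accept_from, hosts):
    """Map each address in hosts to the decision the list would produce."""
    return {h: evaluate(accept_from, h) for h in hosts}

if __name__ == "__main__":
    # Constructed sample: two scanner addresses to block, one forwarder to keep.
    scanners = ["10.1.2.3", "10.2.3.4"]
    forwarder = "192.168.50.7"
    rules = "!10.1.2.3, !10.2.3.4, *"
    for host, allowed in audit(rules, scanners + [forwarder]).items():
        print(f"{host:15} -> {'accept' if allowed else 'reject'}")
```

Running the script with a real acceptFrom value pasted into `rules`, plus the addresses of the scanners and of a known-good forwarder, shows at a glance whether the list rejects the scanners while still admitting legitimate sources; a forwarder that comes back "reject" points at an ordering or formatting problem in the list rather than at the network.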