Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Reduce specific logging

mmoermans
Path Finder
‎07-04-2017 02:42 AM

When there's a huge influx of incoming logging of blocked attempts on the firewall from one specific (external) source, is it possible to (temporarily) decrease/disable the amount of logging being received from this specific source so it doesn't flood our license when it's a known issue?

Thanks in advance for the response

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-04-2017 08:12 AM

Why don't you manually null-route the attacking host's IP on the attacked device so it can no longer attempt to connect? Then the failed logins do not happen. For that matter, why is this kind of mitigation not automatically in place in your network (e.g. fail2ban or whatever)? Remove it when the proper configuration is in place.

https://en.wikipedia.org/wiki/Null_route
P.S. I know that this is not an "attack".

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-04-2017 08:12 AM

Why don't you manually null-route the attacking host's IP on the attacked device so it can no longer attempt to connect? Then the failed logins do not happen. For that matter, why is this kind of mitigation not automatically in place in your network (e.g. fail2ban or whatever)? Remove it when the proper configuration is in place.

https://en.wikipedia.org/wiki/Null_route
P.S. I know that this is not an "attack".

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-08-2019 07:10 AM

Thesplunky way to do this now is with Phantom-based automation.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-04-2017 08:08 AM

The only practical way is to stop splunk on that forwarder (host).

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎07-04-2017 08:03 AM

hello there,
i am not aware of anything "out of the box" that splunk has for that situation, if there is, would love to learn about it.
With that being said, one thing i can think of is setting an alert on your condition,
add trigger a script to that alert and have the script writing props and transforms that sending the unwanted data to nullqueue. Challenge here is how you reset back to your original configurations. maybe the script will also have a timer to reset after X amount of time.
there are other challenges with that approach, specially if this is a clustered environment.
hope it slightly helps

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-04-2017 07:53 AM

Hi mmoermans,
it's possible to create a filter but the problem is that you have to restart Splunk to enable it.
At this point it's easier to stop log forwarding from your firewall and restart it after the tempest.
Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top