Security

Blacklist events whose "Message" field contains a specific value "healthcheck" is not working.

aswinkumar6
New Member

I'm using a AWS setup with ELB sending constant healthcheck messages to my apache server. splunk is indexed to capture access logs. 37% of my access logs are captured with this unwanted healthcheck data. I wanted to blacklist this incoming data so I have added below configurations to splunkds inputs.conf.Below configuration is not working even after splunkds restart.

[monitor://]
blacklist1 = Response_code=200 && "healthcheck"

Please provide me solution on how the blacklisting of incoming traffic with response_code=200 and message="healthcheck" be configured.

Tags (1)
0 Karma

aswinkumar6
New Member

Hi Giuseppe,

As I'm using AWS setup, ELB is checking for server availablity and healthcheck logs are consuming more data.This is unwanted data .

I want do not want any incoming message with "ELB-HealthChecker/2.0" and Response_Code=200 in splunk indexes.

Below log message I want to filter

10.9x.xx.xx - - [31/May/2020:00:05:32 -0500] "GET /healthcheck HTTP/1.1" Response_Code=200 Bytes=26 "-" "ELB-HealthChecker/2.0" Response_Time=150

what is the correct regex and steps to do this?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @aswinkumar6,
blacklist in monitor stanzas (not in windos wineventlog stanzas) is related only to filenames not to events.

See my answer to your previous question https://answers.splunk.com/answers/824761/what-are-ways-to-optimize-splunk-license-usage.html .

As I said, you have to find the correct regex to filter your data (if you share some samples I cal help you) and then put on your indexers or (if present) on your Heavy Forwarders, the following files (this is an example of regex to define with your logs):

In props.conf:

[my_sourcetype]
TRANSFORMS-null= setnull

in transforms.conf:

[setnull]
REGEX = message\=healthcheck
DEST_KEY = queue
FORMAT = nullQueue

(if in the discarding events there the string message=healthcheck)

Ciao.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...