Security

Blacklisting events whose "Message" field contains the specific value "healthcheck" is not working.

aswinkumar6
New Member

I'm using an AWS setup with an ELB sending constant healthcheck messages to my Apache server. Splunk is indexing the access logs. 37% of my access logs are this unwanted healthcheck data. I wanted to blacklist this incoming data, so I added the configuration below to splunkd's inputs.conf. The configuration below is not working even after a splunkd restart.

[monitor://]
blacklist1 = Response_code=200 && "healthcheck"

Please provide me a solution on how blacklisting of incoming traffic with response_code=200 and message="healthcheck" can be configured.


aswinkumar6
New Member

Hi Giuseppe,

As I'm using an AWS setup, the ELB is checking for server availability and the healthcheck logs are consuming more data. This is unwanted data.

I do not want any incoming message with "ELB-HealthChecker/2.0" and Response_Code=200 in the Splunk indexes.

Below is the log message I want to filter:

10.9x.xx.xx - - [31/May/2020:00:05:32 -0500] "GET /healthcheck HTTP/1.1" Response_Code=200 Bytes=26 "-" "ELB-HealthChecker/2.0" Response_Time=150

What is the correct regex, and what are the steps to do this?


gcusello
SplunkTrust

Hi @aswinkumar6,
blacklist in monitor stanzas (not in Windows WinEventLog stanzas) applies only to filenames, not to events.

See my answer to your previous question https://answers.splunk.com/answers/824761/what-are-ways-to-optimize-splunk-license-usage.html .

As I said, you have to find the correct regex to filter your data (if you share some samples I can help you) and then put the following on your indexers or (if present) on your Heavy Forwarders (this is an example of a regex; define it according to your logs):

In props.conf:

[my_sourcetype]
TRANSFORMS-null = setnull

in transforms.conf:

[setnull]
REGEX = message\=healthcheck
DEST_KEY = queue
FORMAT = nullQueue

(if the string message=healthcheck is present in the events to discard)

Ciao.
Giuseppe

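The nullQueue transform above only works if its REGEX actually matches the events to be dropped, so it is worth testing the candidate pattern against the sample line from the thread before deploying it. The following is an added example, not code from the thread or from Splunk: it models the routing decision a `DEST_KEY = queue` / `FORMAT = nullQueue` transform makes (unanchored regex search over the raw event, dropped on match, indexed otherwise) with Python's `re`, which is close enough to Splunk's PCRE for patterns this simple. The sample events are constructed from the posted line, and `REGEX_FOR_SAMPLE` is a hypothetical pattern written for that format, not a recommendation from the answer.

```python
import re

# Constructed sample access-log lines modelled on the one posted in the
# thread (IP octets masked as in the post); not real captured traffic.
SAMPLE_EVENTS = [
    # 1: successful ELB health check -> should be dropped
    '10.9x.xx.xx - - [31/May/2020:00:05:32 -0500] "GET /healthcheck HTTP/1.1" '
    'Response_Code=200 Bytes=26 "-" "ELB-HealthChecker/2.0" Response_Time=150',
    # 2: real user request with a 200 -> must be kept
    '10.9x.xx.xx - - [31/May/2020:00:05:33 -0500] "GET /index.html HTTP/1.1" '
    'Response_Code=200 Bytes=5120 "-" "Mozilla/5.0" Response_Time=210',
    # 3: failing health check (503); the asker only wants 200s dropped, so keep it
    '10.9x.xx.xx - - [31/May/2020:00:05:34 -0500] "GET /healthcheck HTTP/1.1" '
    'Response_Code=503 Bytes=0 "-" "ELB-HealthChecker/2.0" Response_Time=12',
]

# The placeholder REGEX from the answer: it matches nothing in this log format,
# because the events contain no literal "message=healthcheck".
REGEX_FROM_ANSWER = r"message\=healthcheck"

# Hypothetical pattern for the posted format: a 200 response whose user agent
# is the ELB health checker. Assumption for this example, not Splunk guidance.
REGEX_FOR_SAMPLE = r'Response_Code=200 .*"ELB-HealthChecker/2\.0"'


def route_event(event: str, regex: str) -> str:
    """Return the queue a nullQueue transform would send the event to.

    A transforms.conf REGEX is applied as an unanchored search over _raw
    (the default SOURCE_KEY); a match sends the event to nullQueue and it is
    discarded, otherwise it continues to indexQueue.
    """
    return "nullQueue" if re.search(regex, event) else "indexQueue"


def route_all(events, regex: str):
    """Route every event and return the list of queue names."""
    return [route_event(e, regex) for e in events]


def dropped_fraction(events, regex: str) -> float:
    """Share of events the transform would discard (useful as a license estimate)."""
    routes = route_all(events, regex)
    return routes.count("nullQueue") / len(routes)


if __name__ == "__main__":
    for name, rx in (("answer regex", REGEX_FROM_ANSWER),
                     ("sample regex", REGEX_FOR_SAMPLE)):
        print(f"{name}: {route_all(SAMPLE_EVENTS, rx)} "
              f"dropped={dropped_fraction(SAMPLE_EVENTS, rx):.2f}")
```

Running it shows the answer's placeholder pattern leaving all three events in indexQueue, while the pattern written for the posted format drops only the successful health check and keeps both the real request and the failed check. Whatever pattern is chosen, checking it this way against real samples first avoids silently discarding legitimate traffic once the transform is live on the indexers.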