Splunk Enterprise

How to Blacklist Hosts at the Indexer

lpolo
Motivator

Let's say I have 5 forwarders. 4 of them are allowed to forward events to the indexer but one of them is not. How can I blacklist this host at the indexer, not at the forwarder or network (e.g., iptables)? In this way, no log event should be indexed from the host that is not allowed to...

Thanks,
Lp

0 Karma

starcher
Influencer

I guess I am confused. If the forwarder is never allowed to send events to an indexer, why even leave it installed? I would just remove it.

0 Karma

JSapienza
Contributor

Something like this might work then:

props.conf

[host::myhost]
TRANSFORMS-myhost = rejectHost

transforms.conf

[rejectHost]
REGEX = .*
DEST_KEY = queue
FORMAT = nullQueue

JSapienza
Contributor

That would be a whitelist, not a blacklist. I am not sure that can be done in this manner. I would urge you to look into using the deployment server to modify the outputs.conf.

0 Karma

lpolo
Motivator

What about if you do not know the name of the host that you want to blacklist but you know the hosts that are allowed?

Thanks,
Lp

0 Karma

lpolo
Motivator

This approach cannot be done. We do not have configuration control of the forwarders.

0 Karma

JSapienza
Contributor

If it were me, I would approach this from a different direction. Why even send the data over the wire to the indexer only to be dumped to the nullQueue? You could use the deployment server to send an app to the forwarder with an empty outputs.conf or one that didn't have the indexer/s listed. This way, at a later time, all you have to do is remove that host from the corresponding serverClass to revert the changes and allow it to communicate with the indexer.

0 Karma
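For the case raised in the thread where only the allowed hosts are known, the same nullQueue mechanism can be inverted into an allowlist: drop everything, then route the known hosts back to the index queue. This is an added example, not configuration posted by any participant or taken from Splunk's own files; the stanza names and the host names idx01 and fwd01 to fwd04 are constructed placeholders. It assumes the senders are universal forwarders, so that parsing (and therefore these transforms) happens on the indexer.

```ini
# props.conf on the indexer
# [default] applies the transform chain to every incoming event.
[default]
# Transforms run left to right; the last one that matches sets the final queue.
TRANSFORMS-hostallow = drop_all_hosts, keep_allowed_hosts

# transforms.conf on the indexer
[drop_all_hosts]
# Step 1: send every event to the nullQueue.
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[keep_allowed_hosts]
# Step 2: match on the host metadata, whose value carries the "host::" prefix,
# and put events from the allowed hosts back on the index queue.
# idx01 is the indexer itself, so its own internal logs are not discarded.
SOURCE_KEY = MetaData:Host
REGEX = ^host::(idx01|fwd01|fwd02|fwd03|fwd04)$
DEST_KEY = queue
FORMAT = indexQueue
```

The host value is whatever the sender reports, so this filters data rather than authenticating forwarders, and the events still cross the wire before being dropped. Restricting which addresses may connect at all is done with the `acceptFrom` setting of the `[splunktcp]` input in inputs.conf on the indexer.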