I am looking to not ingest events from a specific IP address. I have an IP address that once a week generates a LOT of firewall traffic and which is causing me to exceed my license. What's the easiest/best way to exclude these events? The firewall logs are being sent to a SYSLOG server that is running a Universal Forwarder that sends all logs to my Indexer. I am assuming I will need to use the PROPS/TRANSFORMS files to send these to the NULL Queue, but I am not sure of the proper stanzas to accomplish this. Has anyone done this and can provide a sample or suggest a better way to exclude these events?
Hey
This is done by defining a regex to match the necessary event(s) and sending them to nullQueue.
Here is a basic example that will drop the events that you do not want.
Let's suppose the IP 192.168.10.11 appears in the events that generate all these firewall logs and you want to exclude those events.
Then put, in transforms.conf:
[setnull]
REGEX = 192\.168\.10\.11
DEST_KEY = queue
FORMAT = nullQueue
And in props.conf:
[your_sourcetype]
# Transforms must be applied in this order
# to make sure events are dropped on the
# floor prior to making their way to the
# index processor
TRANSFORMS-null = setnull
Let me know if this helps!
This doesn't show the \ but they are there.
Thanks. I will give this a try. One additional question: If I were to add a second IP address range, i.e. 10.10.0.0/16, how would I do that?
Are you able to exclude the IP range?
You can create additional stanzas with different names, i.e. setnull1, setnull2, setnull3, etc.
In transforms.conf:
[setnull]
REGEX = 192\.168\.10\.11
DEST_KEY = queue
FORMAT = nullQueue
[setnull1]
REGEX = write_regex_for_second_range_or_ip
DEST_KEY = queue
FORMAT = nullQueue
In props.conf:
[your_sourcetype]
# Transforms must be applied in this order
# to make sure events are dropped on the
# floor prior to making their way to the
# index processor
TRANSFORMS-set = setnull,setnull1
This is how you can exclude different types of events.
You can do that using this link: http://www.analyticsmarket.com/freetools/ipregex
Enter the first IP address and the last IP address; the tool will generate a regex for you, which you can use in REGEX =.
Whatever regex you use, all the IPs it matches will be excluded from the events.
I hope you understand it!
If you don't understand, then just tell me the first and last IP, i.e. the range, and I will give you the expression!
Let me know if you need anything else.
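Added example, not part of the original thread: a dry run of the nullQueue routing described in both answers above, applied to constructed firewall syslog lines. It shows what the posted host regex and a 10.10.0.0/16 range regex would drop before you commit them to transforms.conf, including the caveat that the unanchored pattern 192\.168\.10\.11 also matches 192.168.10.110. The stanza names setnull_host and setnull_range and all sample lines are assumptions.

```python
import re

# Constructed transforms.conf equivalents (assumed names, not the thread's own config).
# Splunk evaluates REGEX with PCRE; Python's re behaves the same for these patterns.
TRANSFORMS = {
    # As posted in the thread: matches the host, but with no boundaries it also
    # matches 192.168.10.110, 192.168.10.111, ... because "11" is a prefix of "110".
    "setnull": r"192\.168\.10\.11",
    # Single host with \b so the match cannot spill into a longer last octet.
    "setnull_host": r"\b192\.168\.10\.11\b",
    # 10.10.0.0/16: third and fourth octets may be any value 0-255.
    "setnull_range": r"\b10\.10\.(?:25[0-5]|2[0-4]\d|1?\d?\d)\.(?:25[0-5]|2[0-4]\d|1?\d?\d)\b",
}

def route_event(event: str, stanzas) -> str:
    """Return the queue an event would be routed to.
    Mirrors TRANSFORMS-null = <stanzas> with DEST_KEY = queue / FORMAT = nullQueue:
    if any listed stanza's REGEX matches, the event is dropped (nullQueue);
    otherwise it continues towards the index processor (indexQueue)."""
    for name in stanzas:
        if re.search(TRANSFORMS[name], event):
            return "nullQueue"
    return "indexQueue"

# Constructed sample firewall syslog lines (not from the original thread).
SAMPLE_EVENTS = [
    "Jan 10 03:12:01 fw01 kernel: DROP IN=eth0 SRC=192.168.10.11 DST=8.8.8.8 PROTO=UDP",
    "Jan 10 03:12:02 fw01 kernel: ACCEPT IN=eth0 SRC=192.168.10.110 DST=10.0.0.5 PROTO=TCP",
    "Jan 10 03:12:03 fw01 kernel: DROP IN=eth1 SRC=10.10.200.7 DST=172.16.0.9 PROTO=TCP",
    "Jan 10 03:12:04 fw01 kernel: ACCEPT IN=eth1 SRC=10.100.1.1 DST=172.16.0.9 PROTO=TCP",
]

def dry_run(events, stanzas):
    """Route every event and count how many would still reach the index.
    Run this against a day of real logs before editing props.conf so an
    over-broad regex does not silently drop traffic you still need."""
    routed = {e: route_event(e, stanzas) for e in events}
    kept = sum(1 for q in routed.values() if q == "indexQueue")
    return routed, kept

if __name__ == "__main__":
    routed, kept = dry_run(SAMPLE_EVENTS, ["setnull_host", "setnull_range"])
    for event, queue in routed.items():
        print(f"{queue:10s} {event}")
    print(f"{kept} of {len(SAMPLE_EVENTS)} events would reach the index")
```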