Hey guys, fairly new Splunk admin here. I've a question about unauthorized forwarders.
Is there anything to prevent my indexer from indexing something from a "rogue forwarder"? That is, if someone set up their laptop to forward huge logs to my indexer, will my indexer slurp up those logs? Is there anything built in to prevent this?
This question came up because I'm troubleshooting an issue where Splunk doesn't seem to be indexing events from an external host sending events on port 8089. tcpdump confirms that data is being passed from that host to our indexer, but nothing seems to show up.
Thanks in advance!