Do not index - send data to null queue from specific IPs
There is a use case to exclude logs generated by WhiteHat security scans from indexing. A list of scanner IPs has been provided.
Solution
Create props.conf
[elasticbeanstalk-access_log-too_small]
TRANSFORMS-null-whitehat= wht-null-addr1, wht-null-addr2
Create transforms.conf
## This transform routes events containing an IP address in the CIDR range 65.122.153.0/27 to nullQueue.
## The lookarounds stop a short address matching inside a longer one (e.g. 65.122.153.3 inside 65.122.153.31 or 65.122.153.100).
[wht-null-addr1]
REGEX = (?<!\d)65\.122\.153\.(?:[0-9]|[12][0-9]|3[01])(?!\d)
DEST_KEY = queue
FORMAT = nullQueue
## This transform routes events containing any of the IP addresses
## 23.56.192.166, 10.11.254.21 or 10.11.153.45 to nullQueue.
[wht-null-addr2]
REGEX = (?<!\d)(?:23\.56\.192\.166|10\.11\.254\.21|10\.11\.153\.45)(?!\d)
DEST_KEY = queue
FORMAT = nullQueue
Place these files in the /etc/apps/search directory on the Splunk indexers.
Restart the Splunk indexer.
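Because a nullQueue match drops the event before it is ever indexed, it is worth confirming that the REGEX matches exactly the scanner range and nothing else before restarting. The Python script below is an added example, not part of the original post: it generates an anchored alternation from the CIDR, emulates the TRANSFORMS routing on constructed access-log lines, and probes the surrounding /24 to list any addresses a pattern would drop by mistake.

```python
import ipaddress
import re

# Constructed access-log lines (not from the original post); the first field is the client IP.
SAMPLE_LINES = [
    '65.122.153.17 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512',
    '65.122.153.31 - - [10/Oct/2023:13:55:37 +0000] "GET /health HTTP/1.1" 200 2',
    '65.122.153.32 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 1024',
    '65.122.153.100 - - [10/Oct/2023:13:55:39 +0000] "POST /api HTTP/1.1" 201 64',
    '10.11.254.21 - - [10/Oct/2023:13:55:40 +0000] "GET /admin HTTP/1.1" 403 0',
    '203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /index.html HTTP/1.1" 200 3000',
]

# A hand-written, unanchored pattern for 65.122.153.0/27: `[012]\d?` also matches the
# first two digits of .100-.255, so those hosts would be dropped as well.
NAIVE_ADDR1 = r"65\.122\.153\.[012]\d?|65\.122\.153\.3[01]|65\.122\.153\.\d\s"

def cidr_regex(cidr: str) -> str:
    """PCRE-compatible alternation matching exactly the addresses in `cidr`; the
    lookarounds stop 65.122.153.3 matching inside 65.122.153.31 or 165.122.153.3."""
    net = ipaddress.ip_network(cidr, strict=True)
    return r"(?<!\d)(?:" + "|".join(re.escape(str(ip)) for ip in net) + r")(?!\d)"

def ip_list_regex(ips) -> str:
    """Same anchoring for a plain list of scanner addresses."""
    return r"(?<!\d)(?:" + "|".join(re.escape(ip) for ip in ips) + r")(?!\d)"

def out_of_range_hits(regex: str, cidr: str) -> list:
    """Probe every host of the enclosing /24 and return those the regex matches although
    they lie outside `cidr`. A non-empty result means legitimate traffic would be dropped."""
    net = ipaddress.ip_network(cidr, strict=True)
    pat = re.compile(regex)
    return [str(ip) for ip in net.supernet(new_prefix=24)
            if ip not in net and pat.search(f"{ip} - - [probe]")]

def route(lines, regexes) -> dict:
    """Emulate TRANSFORMS with DEST_KEY = queue: any regex hit sends the event to nullQueue."""
    compiled = [re.compile(r) for r in regexes]
    queues = {"nullQueue": [], "indexQueue": []}
    for line in lines:
        dest = "nullQueue" if any(c.search(line) for c in compiled) else "indexQueue"
        queues[dest].append(line)
    return queues

if __name__ == "__main__":
    rules = [cidr_regex("65.122.153.0/27"), ip_list_regex(["23.56.192.166", "10.11.254.21", "10.11.153.45"])]
    print("naive pattern wrongly drops:", out_of_range_hits(NAIVE_ADDR1, "65.122.153.0/27")[:3], "...")
    print("generated pattern wrongly drops:", out_of_range_hits(rules[0], "65.122.153.0/27"))
    for queue, events in route(SAMPLE_LINES, rules).items():
        print(queue, [e.split()[0] for e in events])
```

Paste the string returned by cidr_regex into the REGEX line of the stanza; Splunk's PCRE engine accepts the same lookaround syntax.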