Smarter Whitelisting for Splunk Deployment Clients
by Brent McKinney, Senior Splunk Consultant and Team Lead
This blog will showcase how to use external files to manage whitelisting deployment client hosts, as an alternative to including rules directly in serverclass.conf.
The following 2 settings in serverclass.conf can be used to reference an external file that can be used for serverclass filtering. These paths can point to text files, or csv files.
serverclass.conf [<serverclass_name>] whitelist.from_pathname = <pathname> blacklist.from_pathname = <pathname>
This is helpful when naming filtering may not be a simple wildcard (like us* for us hosts) or when you want to allow teams to onboard new hosts without giving direct access to the conf files. This can also be used with the values of the clientName field.
Let’s say we wanted to break out our server classes by country. In this example we have 2 server classes, 1 for hosts in the US, and 1 for hosts in Europe. Notice how we whitelist and blacklist the respective txt files.
splunk/etc/system/local/serverclass.conf: [us_hosts] whitelist.from_pathname = etc/system/whitelist_files/us_hosts.txt blacklist.from_pathname = etc/system/whitelist_files/eu_hosts.txt [eu_hosts] whitelist.from_pathname = etc/system/whitelist_files/eu_hosts.txt blacklist.from_pathname = etc/system/whitelist_files/us_hosts.txt
Within etc/system/whitelist_files we have the 2 txt files containing our whitelist rules:
us_hosts.txt contains the following: us* nixhost1 mysqlserver1 eu_hosts.txt contains the following: eu* nixhost2 mysqlserver2
Going forward, instead of making direct changes to serverclass.conf to add a new host whitelist, we can just add the host filter in the respective txt file.
The relative path to the whitelist file is needed. For example, if the serverclass definition live in an app, rather than etc/system/local, then we would set the us hosts whitelist to the following in serverclass.conf.
[us_hosts] whitelist.from_pathname = etc/apps/<app_name>/whitelist_files/us_hosts.txt blacklist.from_pathname = etc/apps/<app_name>/whitelist_files/eu_hosts.txt
And include the corresponding txt files in the etc/apps/<app_name>/whitelist_files directory.
There you have it – a simple way to manage whitelisting your deployment client hosts. Contact us below if you have questions. Happy Splunking!