Hi all, our security system cannot send reports via syslog, but it can send them via email.
I want to use Splunk to monitor the reports from email and generate a dashboard in Splunk.
How can I convert a mailbox or maildir for Splunk?
Thank you!
Were you able to solve your problem with either of these answers? Any news or update on your progress?
One approach I like is using procmail. A fairly simple procmail recipe can write each message into its own file in a given directory. From there, configure Splunk to read files from said directory as a "sinkhole" style input - meaning Splunk deletes the file after indexing it.
A .procmailrc that does this looks something like this:
LOGFILE=$HOME/.procmail.log
VERBOSE=yes
:0
* Subject: security system alert.*
/home/foo/securityalerts
Each message then gets written -- headers and all -- into its own file in /home/foo/securityalerts. From there, it's pretty easy to let Splunk ingest that.
Then to configure Splunk:
(inputs.conf)
[batch:///home/foo/securityalerts]
move_policy = sinkhole
whitelist = /msg\..*$
crcSalt = <SOURCE>
sourcetype = securityalerts
(props.conf)
[securityalerts]
SHOULD_LINEMERGE = FALSE
LINE_BREAKER = 12345678900987654321qwertyuiopasdfghjkllkjhgfdsapoiuytrewq
TIME_PREFIX = ^Date:
The easiest thing would probably be to set up some kind of scripted input that checks if any new mails have arrived, checks the mailbox/maildir structure and extracts the relevant parts of any new email before finally outputting it back to Splunk.
http://docs.splunk.com/Documentation/Splunk/5.0/AdvancedDev/ScriptedInputsIntro
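One way to build the scripted input the second answer describes, as an added example (not code from either answer's author or from Splunk): it walks a Maildir's new/ directory, flattens each message into a one-line key="value" event that a Splunk scripted input collects from stdout, and moves the file into cur/ flagged as seen so it is not re-read on the next run. The Maildir layout, the sample alert message and the field names are constructed assumptions.

```python
import email
import os
import tempfile
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample alert, not a real message from the poster's security system.
SAMPLE_MESSAGE = b"""\
From: alerts@securitysystem.example
Subject: security system alert: failed login
Date: Mon, 01 Apr 2013 10:15:00 +0000

Event=login_failure
User=jdoe
"""

def make_sample_maildir(root=None):
    """Create cur/new/tmp (in a fresh temp dir unless root is given) and put the sample in new/."""
    root = root or tempfile.mkdtemp()
    for sub in ("cur", "new", "tmp"):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
    with open(os.path.join(root, "new", "1364811300.M1.host"), "wb") as fh:
        fh.write(SAMPLE_MESSAGE)
    return root

def message_to_event(raw):
    """Flatten one RFC 822 message into a single-line key="value" event."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    fields = {
        "timestamp": parsedate_to_datetime(msg["Date"]).isoformat(),
        "from": msg["From"] or "",
        "subject": msg["Subject"] or "",
        "body": " ".join(body.split()),  # collapse newlines so Splunk sees exactly one event
    }
    return " ".join('%s="%s"' % (k, v.replace('"', "'")) for k, v in fields.items())

def ingest_maildir(root):
    """Emit an event for each unseen message in new/, then move it to cur/ flagged as seen."""
    events = []
    for name in sorted(os.listdir(os.path.join(root, "new"))):
        src = os.path.join(root, "new", name)
        with open(src, "rb") as fh:
            events.append(message_to_event(fh.read()))
        os.replace(src, os.path.join(root, "cur", name + ":2,S"))  # ":2,S" is the Maildir seen flag
    return events

if __name__ == "__main__":  # a Splunk scripted input collects whatever this prints
    print("\n".join(ingest_maildir(make_sample_maildir())))
```

Because the script only reads new/ and moves each file to cur/, running it on a schedule from Splunk picks up each alert exactly once.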