How to get Splunk to work with Sawmill server?

thinguyen
Engager

Hi,

At the moment we have a number of IronPort appliances deployed, but their log files are being uploaded to an FTP server (a Sawmill server, which is Windows-based). How do we use Splunk (on a Linux server) to get the data from that Sawmill server?

Thanks


jones4bob
Explorer

Yes, for the latter option, you can create a new log subscription for any of IronPort's log types and have it sent to Splunk.

For example, on your splunk server, create a user for your ironport system to use when dropping the files off. Create a SCP log subscription on your ironport system that sends to your splunk server. You will be provided with a key to use for your splunk account to authenticate with, this should be added to your /home/username/.ssh/authorized_keys file. Then, configure an input in splunk to monitor the directory where you told ironport to stick the files. Of course, there are some assumptions for this to work, like the fact that you've got ssh available, but that's it in a nutshell for one possibility.

0 Karma
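The SCP drop-off described in the answer above has three pieces on the Splunk side: a dedicated account, an authorized_keys entry for the key IronPort hands out, and a monitor input on the drop directory. The following is an added example, not code from the thread or from Splunk or Cisco, that stages all three under a directory you pass in so they can be reviewed before being copied into place as root. The username `ironport`, the drop directory `/home/ironport/logs`, the sourcetype `ironport:mail` and the sample public key are all assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed names: account "ironport",
# drop directory /home/ironport/logs, sourcetype "ironport:mail". Everything is
# written under the staging root given as $1, never to the live system.

# Build the authorized_keys entry for the public key shown on the IronPort
# SCP log subscription page. The options in front of the key type limit that
# key to file transfer: no PTY, no port/agent/X11 forwarding, so a compromised
# appliance key cannot be used for an interactive login on the Splunk host.
write_authorized_key() {
    stage="$1"      # staging root (stands in for /home/ironport)
    pubkey="$2"     # public key text copied from the IronPort subscription page
    mkdir -p "$stage/.ssh"
    printf 'no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$pubkey" > "$stage/.ssh/authorized_keys"
    # sshd refuses keys whose directory or file are group/world accessible
    chmod 700 "$stage/.ssh"
    chmod 600 "$stage/.ssh/authorized_keys"
}

# Build the Splunk inputs.conf stanza that monitors the drop directory.
# The [monitor://<path>] stanza name is Splunk's own syntax; sourcetype and
# index values here are assumptions for the example.
write_monitor_input() {
    stage="$1"      # staging root (stands in for $SPLUNK_HOME/etc/apps/<app>)
    dropdir="$2"    # directory the IronPort subscription was told to write into
    mkdir -p "$stage/local"
    cat > "$stage/local/inputs.conf" <<EOF
[monitor://$dropdir]
sourcetype = ironport:mail
index = main
disabled = false
EOF
}

# Sanity check of the staged files: the key line must carry the restricting
# options and the input must point at the drop directory. Returns 0 when both hold.
verify_stage() {
    stage="$1"
    dropdir="$2"
    grep -q '^no-pty,no-port-forwarding,' "$stage/.ssh/authorized_keys" || return 1
    grep -q "^\[monitor://$dropdir\]" "$stage/local/inputs.conf" || return 1
    return 0
}
```

Run the two `write_` functions against a scratch directory, check it with `verify_stage`, and only then copy `.ssh/` into the real account's home and `local/inputs.conf` into the Splunk app you use for inputs. The drop directory must be writable by the `ironport` account and readable by the account Splunk runs as.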

jrodman
Splunk Employee

Sawmill seems to be another for-profit tool that both consumes log data and provides some kinds of reporting features. It's not surprising that getting data OUT of such systems isn't the top priority of companies like either Splunk or Flowerfire, since companies increase their perceived value by you keeping your data (and your focus) inside their system. We have our output methods in our docs but they may not leap out at you.

For our part, the exit paths you can use for data you send to Splunk are:

  • Splunk cli search: you can search arbitrary datasets and get the log messages on standard out
  • forwarding: at the time data arrives into splunk, you can cause some subset to be forwarded as its raw text over a tcp socket to some non-splunk receiver
  • syslog forwarding: you can ask splunk to transmit events in syslog format, similarly. This has limitations since syslog event format has limitations (no 500 line messages in syslog)
  • exporttool: you can dump splunk index data to a set of flat files containing message text, or to a csv format showing all fields

If you need to get data from Sawmill into Splunk, it seems you'll need to ask the Sawmill folks how you can get data out of it, because I can't find it in their docs.

You have other options:

  • send the data to Splunk first, and have it bounce it to sawmill
  • send the data to both Splunk and Sawmill live

I prefer the latter, because it decouples the solutions and makes your overall architecture less brittle.

0 Karma
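The "send the data to Splunk first, and have it bounce it to Sawmill" option above uses the raw-TCP forwarding exit path from the list. As an added example (not from the thread and not Splunk's own documentation), the function below writes the three Splunk configuration files that forward only one sourcetype, uncooked, to a non-Splunk receiver while still indexing locally. The destination `sawmill.example.internal:9999`, the sourcetype `ironport:mail` and the group name `sawmill` are assumptions; `indexAndForward`, `sendCookedData` and `_TCP_ROUTING` are Splunk settings.

```shell
#!/bin/sh
# Added example (not from the original thread). Generates outputs.conf,
# props.conf and transforms.conf under a staging root so the result can be
# reviewed before being dropped into a Splunk app's local/ directory.
# Assumed: Sawmill accepts plain log lines over TCP at host:port given in $2.
write_raw_tcp_forwarding() {
    stage="$1"      # staging root (stands in for $SPLUNK_HOME/etc/apps/<app>)
    dest="$2"       # host:port of the non-Splunk receiver
    mkdir -p "$stage/local"

    # outputs.conf: one tcpout group sending uncooked (plain text) events.
    # indexAndForward keeps the local copy so Splunk search is not affected.
    cat > "$stage/local/outputs.conf" <<EOF
[tcpout]
indexAndForward = true

[tcpout:sawmill]
server = $dest
sendCookedData = false
EOF

    # props.conf: apply a routing transform to the assumed IronPort sourcetype only,
    # so unrelated data never leaves the Splunk host.
    cat > "$stage/local/props.conf" <<EOF
[ironport:mail]
TRANSFORMS-route_sawmill = route_to_sawmill
EOF

    # transforms.conf: every event of that sourcetype (REGEX = .) has its
    # _TCP_ROUTING key set to the tcpout group name defined above.
    cat > "$stage/local/transforms.conf" <<EOF
[route_to_sawmill]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = sawmill
EOF
}

# Cross-check the staged files: the routing FORMAT must name an existing
# tcpout group and that group must be configured for raw output. Returns 0 if so.
verify_forwarding() {
    stage="$1"
    group=$(sed -n 's/^FORMAT = //p' "$stage/local/transforms.conf")
    [ -n "$group" ] || return 1
    grep -q "^\[tcpout:$group\]" "$stage/local/outputs.conf" || return 1
    grep -q '^sendCookedData = false$' "$stage/local/outputs.conf" || return 1
    return 0
}
```

Because the receiver gets raw text, anything Splunk adds at index time (fields, metadata) is not carried across; the decoupled "send to both live" option the answer prefers avoids that dependency entirely, which is the brittleness being described.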