Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

splunk to monitor password protected files

avinashreddy539
New Member
‎10-10-2014 12:32 AM

Hi,
I am trying to configure splunk to monitor zip files. All the files inside the zip files are password protected and hence splunk is not able to index the data from those files. Is there a way i can pass password to splunk so that it can index those password protected files. Please help. Thanks in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

peter_krammer
Communicator
‎10-10-2014 02:36 AM

You could define a scripted input in splunk which does the following steps:
1. look for new files in a specified directory and do per file the following steps
2. unzip file with password (unzip -P)
3. cat the content to standard output
4. remove extracted files
5. move archive to different location

With this you should be able to index the protected files in splunk.

View solution in original post

Reply
Solved! Jump to solution
Solution

peter_krammer
Communicator
‎10-10-2014 02:36 AM

You could define a scripted input in splunk which does the following steps:
1. look for new files in a specified directory and do per file the following steps
2. unzip file with password (unzip -P)
3. cat the content to standard output
4. remove extracted files
5. move archive to different location

With this you should be able to index the protected files in splunk.

Reply
Solved! Jump to solution

avinashreddy539
New Member
‎10-10-2014 04:47 AM

Hi Peter, Thanks for the reply. Can you please provide more details? Sorry. I am new to splunk. It would be great if you share any document.

0 Karma
Reply
Solved! Jump to solution

peter_krammer
Communicator
‎10-10-2014 05:10 AM

I can only point you to how to configure scripted inputs, but you would have to write the script (unix or windows) yourself. A scripted input works by splunk executing a script and indizes any output the script generates.

How to configure inputs (generally):
http://docs.splunk.com/Documentation/Splunk/6.1.4/Data/Configureyourinputs

How to scripted input via the config files: (section "Scripted Input")
http://docs.splunk.com/Documentation/Splunk/6.1.4/admin/inputsconf

How to scripted input via the web gui:
http://docs.splunk.com/Documentation/Splunk/latest/Data/Setupcustominputs#Add_a_scripted_input_in_Sp...

0 Karma
Reply
Solved! Jump to solution

jrodman
Splunk Employee
Splunk Employee
‎10-10-2014 02:02 AM

I don't believe we have support for zip 'encryption' in the splunk archive handling.

Obviously you could provide them to splunk unpacked, or repacked in non-password zip files for a limited time.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...