topic Re: FTP Server Logs in Getting Data In

FTP Server Logs

Michael_Schyma1 — Fri, 17 Aug 2012 18:25:54 GMT

How would i configure Splunk to input all FTP logs from my Splunk server? Anybody have any suggestions on what they do, or Splunk documenation on this topic. (At this point all of the logs will be sent to the Splunk server via univeral forwarder)

Re: FTP Server Logs

sdaniels — Fri, 17 Aug 2012 19:03:24 GMT

You have a splunk forwarder on the FTP server currently? That is the most straightforward way to monitor any logs on that or any server. Is there an issue or are you just looking for another way?

Re: FTP Server Logs

Ayn — Fri, 17 Aug 2012 20:27:53 GMT

What ftpd are we talking about? Do you have log samples?

Re: FTP Server Logs

yannK — Mon, 20 Aug 2012 03:16:21 GMT

if the logs are in the same server in the folder
/mylog/ftp/ and look like myftp.log (or myftp.log.1 or myftp.log.2.gz etc...)

Collect a sample and index it using the manager, it will help you figure the best sourcetype configuration (linebreak parsing, timestamp detection...)

Then once done create a monitor input on the folder/logfile using the manager or the configuration file.
[monitor:///mylog/ftp/myftp.*]
sourcetype=mysourcetypefortmyftp

If the log files are not on the same server than your splunk indexer, then you can install the universal forwarder as an agent on the box that has the logs (and make sure to define the sourcetype in props.conf on the indexer).
Or an alternative is to use a network mount for the log folder no the splunk indexer.