IMAP Mailbox: Is cloning the TA the only way to monitor several mailboxes?

greich
Communicator

The mailbox is part of the TA config. Is cloning the TA really the only way to monitor several mailboxes, or am I missing something?

1 Solution

pbalsley
Path Finder

Currently getting the mail per mailbox requires one imap.conf file. You do not need to clone the app exactly, but you could deploy the TA for different mailboxes.

ragingwire
Path Finder

Just to be more clear. The app itself can only call one IMAP account to login and index email. But since this app supports a distributed design, i.e., it has a TA you can deploy, there is no reason you could not deploy multiple TAs each configured for a different IMAP mail account.

You can find the TA in the main IMAP Mailbox app directory IMAPmailbox/appserver/addons/IMAPmailbox-TA/

Copy this directory to the main apps directory /opt/splunk/etc/apps/...
Make multiple copies of the TA for each of your accounts.
Then in each TA directory create a local/imap.conf file for each of your email accounts. You are welcome to change their indexes too or other attributes if you wish.

Restart Splunk and check to see if they are indexing.

thanks


brigancc
Explorer

There's more to this unfortunately. You have to rename the python scripts because if you have the TA installed on the same box as the App, you'll have a conflict when Splunk expands the path.

12-01-2015 07:51:46.785 +0000 WARN  IConfCache - Stanza has an expansion [script:///opt/splunk/etc/apps/IMAPmailbox-TA/bin/get_imap_email.py], ignoring alternate expansion [script:///opt/splunk/etc/apps/IMAPmailbox/bin/get_imap_email.py] in inputs.conf

So what you end up with is the input.conf from the TA overriding the inputs.conf from the app. You effectively stop monitoring one IMAP account and start monitoring the other.

In the TA, I believe you will have to rename the get_imap_email.py to something like get_imap_email2.py and update both inputs.conf in default and local directories.

I had to stop restarting Splunk every 5-10 minutes so we could get some work done. I'll try this again another day and post my findings.


greich
Communicator

Cloning the TA works as you obtain a different path.


brigancc
Explorer

Yes, perhaps, but doing what ragingwire described is not complete. You can't just copy the TA to /opt/splunk/etc/apps and update imap.conf. The paths are different:

/opt/splunk/etc/apps/IMAPmailbox/bin/get_imap_email.py
/opt/splunk/etc/apps/IMAPmailbox-TA/bin/get_imap_email.py

But Splunk doesn't seem to care because in inputs.conf, the name of the script is the same:

[script://./bin/get_imap_email.py]

Even though it expands to a different path, when you look at the "Data Inputs" page in Splunk, you'll only see ONE get_imap_email.py enabled and working.
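The copy-and-rename procedure from ragingwire's steps and brigancc's stanza-collision finding, as an added example that is not code from the thread or from the IMAPmailbox app. It assumes only the layout the posts describe (bin/get_imap_email.py, default/inputs.conf and an optional local/inputs.conf under each app); the demo app tree and the `interval` line in it are constructed stand-ins for a real /opt/splunk/etc/apps.

```shell
#!/bin/sh
# Clone the TA under a new app name, rename the scripted-input script and
# rewrite both inputs.conf copies so the [script://./bin/...] stanza no
# longer carries the same basename as the one in the main app.
clone_imap_ta() {
  src="$1"     # existing TA, e.g. /opt/splunk/etc/apps/IMAPmailbox-TA
  dst="$2"     # new app dir, e.g. /opt/splunk/etc/apps/IMAPmailbox-TA_sales
  suffix="$3"  # script becomes get_imap_email_<suffix>.py
  [ -d "$src" ] || { echo "no such TA: $src" >&2; return 1; }
  [ -e "$dst" ] && { echo "refusing to overwrite $dst" >&2; return 1; }
  cp -R "$src" "$dst"
  mv "$dst/bin/get_imap_email.py" "$dst/bin/get_imap_email_$suffix.py"
  for conf in "$dst/default/inputs.conf" "$dst/local/inputs.conf"; do
    [ -f "$conf" ] || continue
    # rewrite every reference to the old script name in this inputs.conf
    sed -i.bak "s#get_imap_email\.py#get_imap_email_$suffix.py#g" "$conf"
    rm -f "$conf.bak"
  done
  mkdir -p "$dst/local"   # this mailbox's local/imap.conf goes here
}

# Print script basenames declared by more than one app's inputs.conf; a
# duplicate here is what triggers the IConfCache "ignoring alternate
# expansion" warning and leaves only one input visible under Data Inputs.
list_script_conflicts() {
  apps="$1"   # e.g. /opt/splunk/etc/apps
  cat "$apps"/*/default/inputs.conf "$apps"/*/local/inputs.conf 2>/dev/null \
    | grep '^\[script://' | sed 's#^\[script://.*/##; s#\]$##' | sort | uniq -d
}

# Constructed demo tree standing in for /opt/splunk/etc/apps: the main app
# and an unmodified TA, both shipping the same stanza name.
DEMO_APPS=$(mktemp -d)
for app in IMAPmailbox IMAPmailbox-TA; do
  mkdir -p "$DEMO_APPS/$app/bin" "$DEMO_APPS/$app/default"
  : > "$DEMO_APPS/$app/bin/get_imap_email.py"
  printf '[script://./bin/get_imap_email.py]\ninterval = 60\n' \
    > "$DEMO_APPS/$app/default/inputs.conf"
done
list_script_conflicts "$DEMO_APPS"   # reports get_imap_email.py
clone_imap_ta "$DEMO_APPS/IMAPmailbox-TA" "$DEMO_APPS/IMAPmailbox-TA_sales" sales
rm -rf "$DEMO_APPS/IMAPmailbox-TA"    # the unrenamed copy is what collided
list_script_conflicts "$DEMO_APPS"   # reports nothing
rm -rf "$DEMO_APPS"
```

Run `list_script_conflicts /opt/splunk/etc/apps` on a live box before restarting Splunk; an empty result means every scripted input will expand to a distinct stanza.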

tralston
New Member

Any updates with this? I'd like to do the same thing, that is monitor multiple IMAP accounts from the same box. Distributing is my last resort.


ragingwire
Path Finder

You are right if the TAs are on the same box as another IMAP TA or main app the files would conflict. If you only have one box you would need to rename everything.

The TA was meant to be installed in a distributed design. So if you had other forwarders you could put one on each per mail account. Then you are not renaming everything.


brigancc
Explorer

This almost worked. There seems to be a problem with inputs.conf and the name of the script. After copying the TA to /opt/splunk/etc/apps and making the changes you described, Splunk logged the following:

12-01-2015 07:51:46.785 +0000 WARN IConfCache - Stanza has an expansion [script:///opt/splunk/etc/apps/IMAPmailbox-TA/bin/get_imap_email.py], ignoring alternate expansion [script:///opt/splunk/etc/apps/IMAPmailbox/bin/get_imap_email.py] in inputs.conf

When you look at the "Data Inputs" in Splunk, the input for the IMAPmailbox app was replaced by the "new" input for IMAPmailbox-TA.

So it's more involved than just copying the TA to /opt/splunk/etc/apps. I think you would also have to rename the python script to get_imap_email2.py and update the inputs.conf files in default and local before it will work.

I had to stop playing around as I was restarting Splunk every 5-10 minutes... will try again later and post my findings.
