All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk for IronPort

vistasyslog
New Member
‎01-10-2013 01:07 PM

Hi,

How do I send logs in real time from my IronPort working with E-mail Security Module ?

Thanks

0 Karma
Reply

jones4bob
Explorer
‎01-11-2013 12:33 PM

If you find it acceptable to not be completely real time, I would recommend setting up log subscriptions and opting to forward them off to splunk via SCP. When you create this log subscription (System Administration->Log subscriptions) Ironport will supply you with a key that you can copy/paste into the .authorized_keys file on your splunk server for the user you want ironport to use to drop off the log files.

If you don't need to keep the log files that ironport drops off, since the web access logs are probably the most commonly indexed ones and can be a bit heavy, also consider using batch inputs with a move_policy=sinkhole so that the files that are dropped off get deleted after indexing, which can save you disk space issues in the long run.

Ironport can also do regular syslog forwards but not on all of the log files. The CLI audit ones can, but not the most commonly used log files. I have not read the linked doc from sdaniels yet, but wanted to throw a couple pennies in since this is the data I'm most familiar with. Hope you can make use of it.

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎01-10-2013 01:30 PM

You need to download this add-on and follow the README file instructions.

http://splunk-base.splunk.com/apps/22305/splunk-for-cisco-ironport-email-security-appliance

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎01-11-2013 12:00 PM

Extract that archive to the /etc/apps directory. Restart Splunk.

0 Karma
Reply

vistasyslog
New Member
‎01-11-2013 11:58 AM

Thanks.
I downloaded the addon as a .rar file.
How do I install that onto Splunk ?
README file doesn't tells that.

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎01-11-2013 11:26 AM

That's more of a Cisco specific question, however this might help. If not, I'd suggest looking at their docs.

http://splunk-base.splunk.com/answers/12790/details-on-how-to-configure-ironport-for-e-mails-to-log-...

0 Karma
Reply

vistasyslog
New Member
‎01-11-2013 11:04 AM

Thanks for the link.
I read through it.
My question now is, how do I point the IronPort to send data to Splunk ?

Thanks
Ansh

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...