Hi,
How do I send logs in real time from my IronPort working with the E-mail Security Module?
Thanks
If you find it acceptable to not be completely real time, I would recommend setting up log subscriptions and opting to forward them off to Splunk via SCP. When you create this log subscription (System Administration->Log subscriptions), IronPort will supply you with a key that you can copy/paste into the .authorized_keys file on your Splunk server for the user you want IronPort to use to drop off the log files.
If you don't need to keep the log files that IronPort drops off, since the web access logs are probably the most commonly indexed ones and can be a bit heavy, also consider using batch inputs with move_policy=sinkhole so that the files that are dropped off get deleted after indexing, which can save you disk space issues in the long run.
IronPort can also do regular syslog forwards, but not on all of the log files. The CLI audit ones can, but not the most commonly used log files. I have not read the linked doc from sdaniels yet, but wanted to throw a couple of pennies in since this is the data I'm most familiar with. Hope you can make use of it.
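The batch input described in the answer above, written out as an added inputs.conf example (this is not from the original post or from the Cisco/Splunk add-on). The drop-off directory, index name and sourcetype value are assumptions; adjust them to match the path the SCP user lands files in and the sourcetype the add-on you install expects.

```ini
# Added example (not from the original post). Assumes IronPort pushes its
# log subscription files by SCP into /opt/ironport-drop/mail_logs on the
# Splunk host. Place this in $SPLUNK_HOME/etc/system/local/inputs.conf or
# in an app's local/inputs.conf and restart Splunk.
[batch:///opt/ironport-drop/mail_logs]
# sinkhole is the only valid move_policy for batch inputs: each file is read
# once, indexed, and then deleted, so the drop directory never fills the disk.
move_policy = sinkhole
# Assumed sourcetype and index; use whatever the add-on's README specifies.
sourcetype = cisco:esa:textmail
index = ironport
# Pick up files in any subdirectories IronPort creates under the drop path.
recursive = true
disabled = 0
```

Because the batch input deletes files after indexing, it should point only at the directory the SCP user writes to, never at a path that also holds data you want to keep. Giving that SCP user write access to the drop directory alone, and nothing else on the Splunk host, keeps the key that IronPort generates from being useful for anything beyond dropping log files.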
You need to download this add-on and follow the README file instructions.
http://splunk-base.splunk.com/apps/22305/splunk-for-cisco-ironport-email-security-appliance
Extract that archive to the
Thanks.
I downloaded the addon as a .rar file.
How do I install that onto Splunk?
The README file doesn't tell that.
That's more of a Cisco specific question, however this might help. If not, I'd suggest looking at their docs.
Thanks for the link.
I read through it.
My question now is, how do I point the IronPort to send data to Splunk?
Thanks
Ansh