All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Symantec Web Security Service App for Splunk Log Files

pjohnson1
Path Finder
‎05-15-2020 03:01 AM

We would like to keep a copy of the log files before they get indexed for long term retention which gets downloaded via the API.

inputs.conf 

[scwss-poll]
interval = 3600
sourcetype = symantec:websecurityservice:scwss-poll

[batch://$SPLUNK_HOME/var/spool/splunk/...stash_ta_scwss_logs.zip]
sourcetype = symantec:websecurityservice:scwss-poll
move_policy = sinkhole

[batch://$SPLUNK_HOME\var\spool\splunk\...stash_ta_scwss_logs.zip]
sourcetype = symantec:websecurityservice:scwss-poll
move_policy = sinkhole

Maybe something like this?

[scwss-poll]
interval = 3600
sourcetype = symantec:websecurityservice:scwss-poll

[monitor://$SPLUNK_HOME/var/spool/splunk/...stash_ta_scwss_logs.zip]
sourcetype = symantec:websecurityservice:scwss-poll

[monitor://$SPLUNK_HOME\var\spool\splunk\...stash_ta_scwss_logs.zip]
sourcetype = symantec:websecurityservice:scwss-poll
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PavelP
Motivator
‎05-15-2020 04:01 AM

Hello @pjohnson1

yes this will keep zip files in $SPLUNK_HOME/var/spool/splunk, be aware that depending of the log volume the HD space can be fast filled up. It is better to move zip files from the spool directory after indexing somewhere else.

P.S. BTW, if you had issues with WSS this week, like not possible to create WSS input in splunk or logs are coming empty - it is not your fault - it was confirmed by Broadcom support, even if Broadcom status page doesn't mention it: https://wss.status.broadcom.com/

View solution in original post

Reply
Solved! Jump to solution
Solution

PavelP
Motivator
‎05-15-2020 04:01 AM

Hello @pjohnson1

yes this will keep zip files in $SPLUNK_HOME/var/spool/splunk, be aware that depending of the log volume the HD space can be fast filled up. It is better to move zip files from the spool directory after indexing somewhere else.

P.S. BTW, if you had issues with WSS this week, like not possible to create WSS input in splunk or logs are coming empty - it is not your fault - it was confirmed by Broadcom support, even if Broadcom status page doesn't mention it: https://wss.status.broadcom.com/

Reply
Get Updates on the Splunk Community!

.conf25 Registration is OPEN!

Ready. Set. Splunk! Your favorite Splunk user event is back and better than ever. Get ready for more technical ...

Detecting Cross-Channel Fraud with Splunk

This article is the final installment in our three-part series exploring fraud detection techniques using ...

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...
Top