All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Symantec Web Security Service App for Splunk Log Files

pjohnson1
Path Finder
‎05-15-2020 03:01 AM

We would like to keep a copy of the log files before they get indexed for long term retention which gets downloaded via the API.

inputs.conf 

[scwss-poll]
interval = 3600
sourcetype = symantec:websecurityservice:scwss-poll

[batch://$SPLUNK_HOME/var/spool/splunk/...stash_ta_scwss_logs.zip]
sourcetype = symantec:websecurityservice:scwss-poll
move_policy = sinkhole

[batch://$SPLUNK_HOME\var\spool\splunk\...stash_ta_scwss_logs.zip]
sourcetype = symantec:websecurityservice:scwss-poll
move_policy = sinkhole

Maybe something like this?

[scwss-poll]
interval = 3600
sourcetype = symantec:websecurityservice:scwss-poll

[monitor://$SPLUNK_HOME/var/spool/splunk/...stash_ta_scwss_logs.zip]
sourcetype = symantec:websecurityservice:scwss-poll

[monitor://$SPLUNK_HOME\var\spool\splunk\...stash_ta_scwss_logs.zip]
sourcetype = symantec:websecurityservice:scwss-poll
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PavelP
Motivator
‎05-15-2020 04:01 AM

Hello @pjohnson1

yes this will keep zip files in $SPLUNK_HOME/var/spool/splunk, be aware that depending of the log volume the HD space can be fast filled up. It is better to move zip files from the spool directory after indexing somewhere else.

P.S. BTW, if you had issues with WSS this week, like not possible to create WSS input in splunk or logs are coming empty - it is not your fault - it was confirmed by Broadcom support, even if Broadcom status page doesn't mention it: https://wss.status.broadcom.com/

View solution in original post

Reply
Solved! Jump to solution
Solution

PavelP
Motivator
‎05-15-2020 04:01 AM

Hello @pjohnson1

yes this will keep zip files in $SPLUNK_HOME/var/spool/splunk, be aware that depending of the log volume the HD space can be fast filled up. It is better to move zip files from the spool directory after indexing somewhere else.

P.S. BTW, if you had issues with WSS this week, like not possible to create WSS input in splunk or logs are coming empty - it is not your fault - it was confirmed by Broadcom support, even if Broadcom status page doesn't mention it: https://wss.status.broadcom.com/

Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...