All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Symantec Web Security Service App for Splunk Log Files

pjohnson1
Path Finder
‎05-15-2020 03:01 AM

We would like to keep a copy of the log files before they get indexed for long term retention which gets downloaded via the API.

inputs.conf 

[scwss-poll]
interval = 3600
sourcetype = symantec:websecurityservice:scwss-poll

[batch://$SPLUNK_HOME/var/spool/splunk/...stash_ta_scwss_logs.zip]
sourcetype = symantec:websecurityservice:scwss-poll
move_policy = sinkhole

[batch://$SPLUNK_HOME\var\spool\splunk\...stash_ta_scwss_logs.zip]
sourcetype = symantec:websecurityservice:scwss-poll
move_policy = sinkhole

Maybe something like this?

[scwss-poll]
interval = 3600
sourcetype = symantec:websecurityservice:scwss-poll

[monitor://$SPLUNK_HOME/var/spool/splunk/...stash_ta_scwss_logs.zip]
sourcetype = symantec:websecurityservice:scwss-poll

[monitor://$SPLUNK_HOME\var\spool\splunk\...stash_ta_scwss_logs.zip]
sourcetype = symantec:websecurityservice:scwss-poll
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PavelP
Motivator
‎05-15-2020 04:01 AM

Hello @pjohnson1

yes this will keep zip files in $SPLUNK_HOME/var/spool/splunk, be aware that depending of the log volume the HD space can be fast filled up. It is better to move zip files from the spool directory after indexing somewhere else.

P.S. BTW, if you had issues with WSS this week, like not possible to create WSS input in splunk or logs are coming empty - it is not your fault - it was confirmed by Broadcom support, even if Broadcom status page doesn't mention it: https://wss.status.broadcom.com/

View solution in original post

Reply
Solved! Jump to solution
Solution

PavelP
Motivator
‎05-15-2020 04:01 AM

Hello @pjohnson1

yes this will keep zip files in $SPLUNK_HOME/var/spool/splunk, be aware that depending of the log volume the HD space can be fast filled up. It is better to move zip files from the spool directory after indexing somewhere else.

P.S. BTW, if you had issues with WSS this week, like not possible to create WSS input in splunk or logs are coming empty - it is not your fault - it was confirmed by Broadcom support, even if Broadcom status page doesn't mention it: https://wss.status.broadcom.com/

Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...