What is the best practice to ingest Cloud Ironport logs into Splunk Cloud without sending them to an On-Prem Syslog server?
Hi kiran331
I think you can use the Splunk Add-on for Cisco WSA to ingest Ironport logs. The add-on allows a Splunk software administrator to collect Cisco Web Security Appliance (WSA) access and L4TM log data.
https://splunkbase.splunk.com/app/1747
http://docs.splunk.com/Documentation/AddOns/latest/CiscoWSA/About
Hope this helps. Thanks!
Hunter
Do we need a Heavy Forwarder in the cloud, or is there another way to send logs to Splunk Cloud?
Kiran, based on my knowledge of Splunk Cloud, you'll have to pass them through an on-prem Heavy Forwarder or Universal Forwarder where you can send data over UDP and/or SCP. Since the forwarders that connect to Splunk Cloud use SSL certs, it's safe to say you'll be unable to do a "direct" input to Splunk Cloud.