How do I enable FTP? (I know how to capture the logs after they are FTP'd to us)
We have devices that cannot have a universal forwarder installed on them. They only have FTP files. We need a way to FTP the files from these devices into our splunk server for processing.
The most common ftpd in Linux is simply the ftpd you get if you run 'apt-get install ftpd' on a debian/ubuntu box. There's nothing wrong with that one. There's also ProFTPD, PureFTPD, vsftpd, etc. What you might want is an FTPD that has its own user management so you don't have to mix users in the FTP server software with those in the underlying operating system. The default ftpd doesn't do this if I recall correctly, but the other ones I listed do.
There is a new splunkbase app called "importutil". It lets you import csv files (or any input) from an http url via the splunk search command line. Also works for ftp. sftp is experimental.
Here is an ftp example. Pulling from the bureau of labor stats:
|importutil ftp ftp://ftp.bls.gov/pub/time.series/ce/ce.data.102.WeeklyEarningsHist | multikv | table series_id, year, period, value, footnote_codes
Here is an example that imports data from the federal reserve economic data website:
|importutil http http://research.stlouisfed.org/fred2/data/PAYEMS.csv | multikv | table DATE, VALUE
The FTP Receiver app is lacking documentation on how to get this app running. Does anyone have any suggestions? I ran this
(index=internal sourcetype=ftpmodular_input) OR (sourcetype=ftp) per the troubleshooting details and received nothing.