minIO as frozen logs storage for Splunk

harras · ‎12-01-2023

How to store logs in minIO (on-premises) from Splunk.
I created bucket named splunk. I successfully mc cp test.txt s3/splunk-bucket but splunk can't loads files into bucket.

My indexes.conf file:

[smartstore]
homePath = $SPLUNK_DB/smartstoredb/db
coldPath = $SPLUNK_DB/smartstoredb/colddb
thawedPath = $SPLUNK_DB/smartstoredb/thaweddb
remotePath = volume:s3

[volume:s3]
storageType = remote
path = s3://splunk
remote.s3.access_key = minioadmin
remote.s3.secret_key = minioadmin
remote.s3.supports_versioning = false
remote.s3.endpoint = http://10.10.10.1:9000

minIO config.json

config.json {
"version": "10",
"aliases": {
"gcs": {
"url": "https://storage.googleapis.com",
"accessKey": "YOUR-ACCESS-KEY-HERE",
"secretKey": "YOUR-SECRET-KEY-HERE",
"api": "S3v2",
"path": "dns"
},
"local": {
"url": "http://10.10.10.1:9000",
"accessKey": "minioadmin",
"secretKey": "minioadmin",
"api": "s3v4",
"path": "auto"
},
"play": {
"url": "http://10.10.10.1:9000",
"accessKey": "minioadmin",
"secretKey": "minioadmin",
"api": "S3v4",
"path": "auto"
},
"s3": {
"url": "http://10.10.10.1:9000",
"accessKey": "minioadmin",
"secretKey": "minioadmin",
"api": "s3v4",
"path": "auto"
}
}
}

ps: I have 3 indexers and cluster master

minIO as frozen logs storage for Splunk

deployer

distributed search

indexer

indexer clustering

Linux

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?