Getting Data In

Can Splunk add data from a local mdb file?

mlwinzenburg
New Member

I have installed an open source Syslog server on a Windows PC, at home. I am sending it logs from my Netgear FVS114 home firewall. Now I'd like to use Splunk to look at the Syslog data, which appears to be stored in an MS Access database ".mdb" file.

Can Splunk be configured to read this file natively? Splunk is installed on the same PC as the Syslog.

Is there an add-on that will allow Splunk to read the .mdb file?

I do not know scripting so that's not a good direction for me unless it is something already written.

Thanks

M

0 Karma

Drainy
Champion

I'm not aware of such a thing, others may, but to me this seems a little backwards anyway. Do you use the local syslog server for anything else? Or the mdb file for anything else?

If not, just configure Splunk to read the syslog directly via a UDP/TCP port.
http://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports?r=searchtip

Generally speaking as a quick how-to, just go to manager, data, add data and add UDP 514, this is the default protocol/port used by most syslog systems.
Your data will then start to be consumed by Splunk.

Drainy
Champion

Bear in mind also that the best practice is geared towards larger, SMB/Enterprise customers who would lose a heck of a lot of data by using UDP as their only method for getting data into Splunk 🙂 Also what Ayn says.

0 Karma

Ayn
Legend

It IS a good idea to write the data to a file, but that file will of course have to be readable by Splunk. Splunk reads pretty much any file in plain text format right away. It does not, however, generally read data that is in any kind of binary format, which is the case with MDB files (aka MS Access databases).

mlwinzenburg
New Member

Well, I guess I'm just following Splunk's advice to write the data to a file first.

http://wiki.splunk.com/Deploy:BestPracticeForConfiguringSyslogInput

"Here are the recommended best practices for configuring your syslog:

  1. Write to a file and configure Splunk to monitor that file

The best practice is to write to a file that Splunk is monitoring. This accounts for the scenario of data loss if Splunk is down. This also allows you to add the data again if you have to clean your index for some reason."

0 Karma
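The two suggestions in this thread (listen on UDP 514 as Drainy describes, and write to a plain-text file that Splunk monitors as the quoted best practice recommends) can be combined in one small relay. The following is an added example and is not Splunk, Netgear or forum code: it receives syslog datagrams on UDP, converts each one to a single key=value line and appends it to a text file, so the MS Access .mdb store is never needed. The port, the output file name, the field names and the sample datagrams are assumptions made for illustration.

```python
"""Minimal syslog-to-file relay (added example, not Splunk's or Netgear's code).

Each UDP datagram becomes exactly one plain-text line that Splunk can read
with a [monitor://...] stanza, which is the "write to a file and monitor that
file" practice quoted in the thread.  File name, port and samples are assumed.
"""
import datetime
import socket

# <PRI> is facility * 8 + severity and must be 0..191 (RFC 3164, section 4.1.1).
import re
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample datagrams, roughly what a SOHO firewall emits (not real captures).
SAMPLE_DATAGRAMS = [
    "<34>Dec  1 10:00:01 fvs114 kernel: DROP IN=WAN SRC=203.0.113.5 DST=192.168.1.2",
    "<13>Dec  1 10:00:02 fvs114 admin login from 192.168.1.10",
    "line without a PRI header",
    "<4>first part\r\n<13>Dec  1 10:00:03 fvs114 forged second event",
]


def parse_pri(datagram: str) -> dict:
    """Split a datagram into facility, severity and the remaining text.

    A datagram without a valid <PRI> header is kept verbatim with both fields
    set to "unknown" rather than dropped: losing a firewall event because the
    sender is sloppy is worse than an unparsed line.
    """
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:
        return {"facility": "unknown", "severity": "unknown", "text": datagram}
    fac, sev = divmod(int(m.group(1)), 8)
    return {
        "facility": FACILITIES.get(fac, f"facility{fac}"),
        "severity": SEVERITIES[sev],
        "text": m.group(2),
    }


def format_line(received_at: str, src: str, datagram: str) -> str:
    """Render one event as exactly one key=value line.

    CR/LF inside the message are escaped so a buggy or hostile sender cannot
    split one datagram into several events, or forge an event with a fake
    source, once Splunk reads the file line by line.
    """
    fields = parse_pri(datagram)
    text = fields["text"].replace("\\", "\\\\").replace('"', '\\"')
    text = text.replace("\r", "\\r").replace("\n", "\\n")
    return (
        f"{received_at} src={src} "
        f"facility={fields['facility']} severity={fields['severity']} "
        f'msg="{text}"'
    )


def relay_lines(datagrams, src: str, received_at: str) -> list:
    """Pure helper: the lines serve() would append for the given datagrams."""
    return [format_line(received_at, src, d) for d in datagrams]


def serve(log_path: str, host: str = "0.0.0.0", port: int = 514) -> None:
    """Receive datagrams forever and append them to log_path (assumed path)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))  # binding 514 needs administrator/root privileges
    with open(log_path, "a", encoding="utf-8") as out:
        while True:
            data, (peer, _) = sock.recvfrom(65535)
            now = datetime.datetime.now(datetime.timezone.utc).isoformat()
            out.write(format_line(now, peer, data.decode("utf-8", "replace")) + "\n")
            out.flush()  # Splunk tails the file; do not hold events in a buffer


if __name__ == "__main__":
    for line in relay_lines(SAMPLE_DATAGRAMS, "192.168.1.1", "2024-12-01T10:00:00+00:00"):
        print(line)
    # serve("fvs114-syslog.log")  # uncomment to run the relay for real
```

With the relay writing to, for example, `C:\syslog\fvs114-syslog.log`, a `[monitor://C:\syslog\fvs114-syslog.log]` stanza with `sourcetype = syslog` in inputs.conf (or the same path entered under "Add data" in the manager) is enough for Splunk to index it, and the file can be re-indexed later if the index is cleaned, which is the advantage over a UDP-only input.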