Getting Data In

Can Splunk be used to log Jabber instant messages

osoares4
Explorer

I'm responsible for a Cisco IM & Presence system.  It can support logging of messages to an external SQL database or a 3rd party compliance server (like Verba).

I'm not very familiar with Splunk and its suite of products.  I'm being asked if Splunk can be used to log Jabber instant messages but I'm not sure it can be used in that capacity. 

Based on Cisco's IM compliance documentation:

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/im_presence/im_compliance/12_5_1/cup0_b_im-...

it seems like Splunk can be used to view messages in the SQL database being used to archive messages.  Other than that, I haven't seen any documentation showing that Splunk can be used to view or store Cisco IM & Presence instant messages between Jabber clients.

Has anyone had any experience trying to use Splunk to access Cisco IMP Jabber messages?  If so, do you have any experience or documentation that you could share?

Thanks,



PickleRick
SplunkTrust

It seems that the only storage solution Cisco supports is a relational database server.

So you can either use dbconnect to pull events from the database as @johnhuang mentioned or write your own modular input. In any case you'll have to have them unencrypted in Splunk (with dbconnect you also need them unencrypted in the intermediate DB; with a modular input you could decrypt them on the fly).

osoares4
Explorer

Just to make sure I understand, if we use dbconnect to pull the data out of the SQL database and import it into Splunk, then we can't encrypt the IMs in the database because dbconnect cannot decrypt them? 

If we wanted to encrypt the IMs being stored in the SQL database, then we need to create modular input to access the data, decrypt it and import it into Splunk.  

Is that correct?

Thank you.  I appreciate the good feedback that I've received.


PickleRick
SplunkTrust

Well, almost.

With dbconnect you can execute a query to produce data to ingest into Splunk's index. If you're able to produce a query/stored procedure that you can call to obtain decrypted messages while still having them in an encrypted state in the tables, then you could do it that way.

If you can't do it this way then you're limited to storing the messages unencrypted in the database and pulling them "raw" into the index.

osoares4
Explorer

Thank you for the additional feedback.  It's helped quite a bit.


johnhuang
Motivator

You may have to use the SQL server for staging since Cisco Message Archiver only supports exporting to SQL. Use Splunk DB Connect to grab the data from SQL.
