Getting Data In

How to edit props.conf to collect gz.done files from Blue Coat's proxy FTP server?

daniel_augustyn
Contributor

How to edit props.conf to start collecting gz.done files from Blue Coat's proxy FTP server? Reporter changes .gz files to gz.done files. What should I do to start pushing these files via universal forwarder to the indexers?

1 Solution

daniel_augustyn
Contributor

I can't find gzip2 file in the bin folder.

MuS
Legend

Sorry, my Windows not-knowledge got me here. There is no bzip2 shipped with the Windows UF.
I found some PowerShell command which could do it, but that looks complicated: http://stackoverflow.com/questions/17546016/how-can-you-zip-or-unzip-from-the-command-prompt-using-o... Another option would be to install gzip2 or bzip2 on the UF and use unarchive_cmd = gzip -d or unarchive_cmd = bzip -d in props.conf.

Sorry if this does not answer your question or is not helpful.....


MuS
Legend

Hi daniel_augustyn,

On your universal forwarder, check the inputs.conf currently monitoring the path holding the .gz files. Check if there is a whitelist = or a blacklist = for this stanza and modify it according to your needs.
See the docs on whitelist or blacklist: http://docs.splunk.com/Documentation/Splunk/6.3.1/Admin/Inputsconf

Hope this helps ...

cheers, MuS

daniel_augustyn
Contributor

How can I start collecting "gz.done" files?


MuS
Legend

Check the inputs.conf and verify whether those files are blacklisted or not. Also check if there is a whitelist; if so, add them to the whitelist regex and they will be monitored (sometimes you need to restart the universal forwarder).


daniel_augustyn
Contributor

That's what I have:

[monitor://E:\Server1\BCT-GW-SG\*.done]
sourcetype = bluecoat:proxysg:access:file
disabled = false
index=proxy

daniel_augustyn
Contributor

And it doesn't collect these files.


MuS
Legend

Is the forwarder process able to read those files? Permission issue? Any errors related to this monitor in splunkd.log?


daniel_augustyn
Contributor

I am just fine with reading .gz files, I can't read gz.done files from the same folder.


MuS
Legend

My bad, sorry, I thought this was no longer needed..... Yes, try the unarchive_cmd = option in props.conf to tell Splunk how to handle the gz.done file.


daniel_augustyn
Contributor

Would that work on the Windows box?


MuS
Legend

Well, you should find bzip2 in the Splunk bin directory, so you should be able to run it.


MuS
Legend

Okay, I must admit my not-knowledge of Windows got me here 🙂
The universal forwarder on Windows does not come with bzip2, and therefore you cannot just use the unarchive_cmd = bzip2 -d option.
I found some PowerShell command which could do such a thing, but it looks complicated: http://stackoverflow.com/questions/17546016/how-can-you-zip-or-unzip-from-the-command-prompt-using-o...
Other option: install gzip or zip on this forwarder and use it in the unarchive_cmd option.


daniel_augustyn
Contributor

I can't find bzip2 in the bin directory. Is there a way to treat .done like .gz files?


daniel_augustyn
Contributor

Would you mind sharing stanza for it?


daniel_augustyn
Contributor

Can you let me know what the stanza should be?

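The props.conf stanza the thread asks for but never shows, as an added example (it is not from the thread or from Splunk's shipped defaults). It assumes gzip for Windows is installed at C:\Tools\gzip\gzip.exe (a placeholder path), that the forwarder's service account can execute it, and that each *.gz.done file is the reporter's original gzip stream that was only renamed, so the existing [monitor://E:\Server1\BCT-GW-SG\*.done] input already picks the files up and only the archive handling is missing.

```ini
# props.conf on the Windows universal forwarder (added example, not from this thread).
# Assumptions: gzip.exe lives at C:\Tools\gzip\gzip.exe (placeholder; a path without
# spaces), the forwarder service account may execute it, and *.gz.done files are plain
# gzip streams that the Blue Coat reporter renamed after upload.

# "..." matches any path prefix, so this applies to every monitored source ending in .gz.done.
[source::....gz.done]
# Without this the forwarder sees gzip bytes, fails its binary check and skips the file.
# Declaring the source an archive makes it run unarchive_cmd and index the decompressed text.
invalid_cause = archive
# Decompress to stdout, reading the archive from stdin ("-"). Pin the full path to the
# binary so a writable directory on the service PATH cannot substitute a different gzip.exe.
unarchive_cmd = C:\Tools\gzip\gzip.exe -cd -
# Start the command directly rather than through a shell; no sh/cmd dependency on the host,
# and the command line is not reinterpreted by a shell.
unarchive_cmd_start_mode = direct
```

Restart the forwarder after saving, then confirm the files are picked up by looking for the monitor path and any "archive" or "unarchive" errors in splunkd.log on the forwarder.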