Getting Data In

How to set default file ownership to admin and get Splunk to read files created by the ciscoftp user?

trevor_dunstan8
Explorer

Hey all,

Long story short, I have a Windows IIS FTP server on a Heavy forwarder that receives logs from Cisco proxy servers and I am monitoring the FTP folders that contain Cisco proxy logs.

I am having a problem whereby the logs uploaded to the FTP server have an owner of ciscoftp and Splunk is unable to read the files with this owner.

If I set the file owner to administrators, Splunk is able to read and ingest the logs as required.

Splunk is running as a local system account and I have granted "Everyone" full control of the folder for testing purposes but as long as the file owner is set to ciscoftp (a local user account) then Splunk is unable to read the file.

I have another folder full of Cisco ESA logs and the file owner is set to administrator by default and Splunk is able to read these files out of the box.

My issue is two-fold, 1) how to set the file owner to administrators by default and/or 2) how do I get Splunk to read files created by ciscoftp user? At this stage, it looks like I may need a script to set the permissions on the file on a periodic basis, which I don't really want to do.

Has anyone experienced a similar issue? Any help would be awesome.

Thanks,

Trev
