Getting Data In

How to set default file ownership to admin and get Splunk to read files created by the ciscoftp user?

trevor_dunstan8
Explorer

Hey all,

Long story short, I have a Windows IIS FTP server on a Heavy forwarder that receives logs from Cisco proxy servers  and I am monitoring the FTP folders that contain Cisco proxy logs.

I am having a problem whereby the logs uploaded to the FTP server have an owner of ciscoftp and Splunk is unable to read the files with this owner.

If I set the file owner to administrators, Splunk is able to read and ingest the logs as required.

Splunk is running as a local system account and I have granted "Everyone" full control of the folder for testing purposes but as long as the file owner is set to ciscoftp (a local user account) then Splunk is unable to read the file.

I have another folder full of Cisco ESA logs and the file owner is set to administrator by default and Splunk is able to read these files out of the box.

My issue is two-fold, 1) how to set the file owner to administrators by default and/or 2) how do I get Splunk to read files created by ciscoftp user? At this stage, it looks like I may need a script to set the permissions on the file on a periodic basis, which I don't really want to do.

Has anyone experienced a similar issue? Any help would be awesome.

Thanks,

Trev

Labels (4)
Tags (2)
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!