Getting Data In

How to set default file ownership to admin and get Splunk to read files created by the ciscoftp user?

trevor_dunstan8
Explorer

Hey all,

Long story short, I have a Windows IIS FTP server on a Heavy forwarder that receives logs from Cisco proxy servers, and I am monitoring the FTP folders that contain Cisco proxy logs.

I am having a problem whereby the logs uploaded to the FTP server have an owner of ciscoftp and Splunk is unable to read the files with this owner.

If I set the file owner to administrators, Splunk is able to read and ingest the logs as required.

Splunk is running as a local system account and I have granted "Everyone" full control of the folder for testing purposes but as long as the file owner is set to ciscoftp (a local user account) then Splunk is unable to read the file.

I have another folder full of Cisco ESA logs and the file owner is set to administrator by default and Splunk is able to read these files out of the box.

My issue is two-fold: 1) how do I set the file owner to administrators by default, and/or 2) how do I get Splunk to read files created by the ciscoftp user? At this stage, it looks like I may need a script to set the permissions on the file on a periodic basis, which I don't really want to do.

Has anyone experienced a similar issue? Any help would be awesome.

Thanks,

Trev
