how can I convert mailbox or maildir to splunk ?

perlish · ‎10-06-2012

hi all,our security system can not send report via syslog,but can send it via email.
I want to use splunk to monitor the report from email and generate the dashboard in splunk.
How can I convert mailbox or maildir to splunk ?
Thank you !

dwaddle · ‎11-11-2012

Were you able to solve your problem with either of these answers? Any news or update on your progress?

dwaddle · ‎10-07-2012

One approach I like is using procmail. A fairly simple procmail recipe can write each message into its own file in a given directory. From there, configure Splunk to read files from said directory as a "sinkhole" style input - meaning Splunk deletes the file after indexing it.

A .procmailrc that does this looks something like this:

LOGFILE=$HOME/.procmail.log
VERBOSE=yes

:0
* Subject: security system alert.*
/home/foo/securityalerts

Each message then gets written -- headers and all -- into its own file in /home/foo/securityalerts. From there, it's pretty easy to let Splunk ingest that.

Then to configure Splunk:

(inputs.conf)

[batch:///home/foo/securityalerts]
move_policy = sinkhole
whitelist = /msg\..*$
crcSalt = <SOURCE>
sourcetype = securityalerts

(props.conf)

[securityalerts]
SHOULD_LINEMERGE = FALSE
LINE_BREAKER = 12345678900987654321qwertyuiopasdfghjkllkjhgfdsapoiuytrewq
TIME_PREFIX = ^Date:

Ayn · ‎10-07-2012

The easiest thing would probably be to setup some kind of scripted input that checks if any new mails have arrived, checks the mailbox/maildir structure and extracts the relevant parts of any new email before finally outputting it back to Splunk.

http://docs.splunk.com/Documentation/Splunk/5.0/AdvancedDev/ScriptedInputsIntro

how can I convert mailbox or maildir to splunk ?

Index This | A sphere has three, a circle has two, and a point has zero. What is it?

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)