Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how can I convert mailbox or maildir to splunk ?

perlish
Communicator
‎10-06-2012 11:29 PM

hi all,our security system can not send report via syslog,but can send it via email.
I want to use splunk to monitor the report from email and generate the dashboard in splunk.
How can I convert mailbox or maildir to splunk ?
Thank you !

0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎11-11-2012 07:17 AM

Were you able to solve your problem with either of these answers? Any news or update on your progress?

0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎10-07-2012 08:28 AM

One approach I like is using procmail. A fairly simple procmail recipe can write each message into its own file in a given directory. From there, configure Splunk to read files from said directory as a "sinkhole" style input - meaning Splunk deletes the file after indexing it.

A .procmailrc that does this looks something like this:

LOGFILE=$HOME/.procmail.log
VERBOSE=yes

:0
* Subject: security system alert.*
/home/foo/securityalerts

Each message then gets written -- headers and all -- into its own file in /home/foo/securityalerts. From there, it's pretty easy to let Splunk ingest that.

Then to configure Splunk:

(inputs.conf)

[batch:///home/foo/securityalerts]
move_policy = sinkhole
whitelist = /msg\..*$
crcSalt = <SOURCE>
sourcetype = securityalerts

(props.conf)

[securityalerts]
SHOULD_LINEMERGE = FALSE
LINE_BREAKER = 12345678900987654321qwertyuiopasdfghjkllkjhgfdsapoiuytrewq
TIME_PREFIX = ^Date:
Reply

Ayn
Legend
‎10-07-2012 12:58 AM

The easiest thing would probably be to setup some kind of scripted input that checks if any new mails have arrived, checks the mailbox/maildir structure and extracts the relevant parts of any new email before finally outputting it back to Splunk.

http://docs.splunk.com/Documentation/Splunk/5.0/AdvancedDev/ScriptedInputsIntro

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...