hi all,our security system can not send report via syslog,but can send it via email.
I want to use splunk to monitor the report from email and generate the dashboard in splunk.
How can I convert mailbox or maildir to splunk ?
Thank you !
One approach I like is using procmail. A fairly simple procmail recipe can write each message into its own file in a given directory. From there, configure Splunk to read files from said directory as a "sinkhole" style input - meaning Splunk deletes the file after indexing it.
A .procmailrc that does this looks something like this:
* Subject: security system alert.*
Each message then gets written -- headers and all -- into its own file in /home/foo/securityalerts. From there, it's pretty easy to let Splunk ingest that.
The easiest thing would probably be to setup some kind of scripted input that checks if any new mails have arrived, checks the mailbox/maildir structure and extracts the relevant parts of any new email before finally outputting it back to Splunk.