Hi,
At the moment we have a number of IronPort appliances deployed, but their log files are being uploaded to an FTP server (a Sawmill server, which is Windows based). How can we use Splunk (on a Linux server) to get the data from that Sawmill server?
Thanks
Yes, for the latter option, you can create a new log subscription for any of IronPort's log types and have it sent to Splunk.
For example, on your splunk server, create a user for your ironport system to use when dropping the files off. Create a SCP log subscription on your ironport system that sends to your splunk server. You will be provided with a key to use for your splunk account to authenticate with, this should be added to your /home/username/.ssh/authorized_keys file. Then, configure an input in splunk to monitor the directory where you told ironport to stick the files. Of course, there are some assumptions for this to work, like the fact that you've got ssh available, but that's it in a nutshell for one possibility.
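The SCP drop-off setup described in that comment, as an added example that is not from the original thread: it builds a restricted authorized_keys entry for the appliance's key and the matching Splunk monitor stanza. The account name, drop directory, appliance address (TEST-NET placeholder), index and sourcetype are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Locks down the account that
# IronPort uses for SCP log pushes and points a Splunk monitor input at the
# drop directory. Names, paths, address and sourcetype below are assumed.
set -eu

LOG_USER="ironport-logs"          # assumed drop-off account on the Splunk host
APPLIANCE="192.0.2.10"            # placeholder appliance address (TEST-NET-1)

# One authorized_keys entry for the public key the IronPort log subscription
# gives you. The options pin the source address, force scp in sink mode into
# the drop directory only, and remove pty and forwarding, so a leaked key
# cannot be used for anything beyond dropping files.
authorized_keys_line() {
  key="$1" src="$2" dir="$3"
  printf 'from="%s",command="scp -t %s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
    "$src" "$dir" "$key"
}

# Splunk inputs.conf stanza that tails every file the appliance drops.
# Index and sourcetype names are assumed; use whatever your add-on expects.
inputs_stanza() {
  dir="$1"
  printf '[monitor://%s]\ndisabled = false\nsourcetype = %s\nindex = %s\n' \
    "$dir" "ironport:mail" "ironport"
}

# Writes both artefacts under $1 so the logic can be exercised unprivileged.
# On the real host the key file goes to the account's ~/.ssh/authorized_keys
# and the stanza to $SPLUNK_HOME/etc/system/local/inputs.conf.
write_configs() {
  base="$1" key="$2"
  mkdir -p "$base/.ssh" "$base/logs"
  authorized_keys_line "$key" "$APPLIANCE" "$base/logs" > "$base/.ssh/authorized_keys"
  chmod 700 "$base/.ssh"
  chmod 600 "$base/.ssh/authorized_keys"
  inputs_stanza "$base/logs" > "$base/inputs.conf"
}

# Root-only steps, shown but not executed here. The account needs a real
# shell: sshd runs the forced command through it, so nologin would break it.
#   useradd -m -s /bin/sh "$LOG_USER"
#   write_configs "/home/$LOG_USER" "ssh-rsa AAAA... (key from the appliance)"
#   chown -R "$LOG_USER:$LOG_USER" "/home/$LOG_USER"
# If the pushing client uses SFTP-backed scp (OpenSSH 9+), replace the
# forced "scp -t" with a ChrootDirectory plus ForceCommand internal-sftp.
```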
Sawmill seems to be another for-profit tool that both consumes log data and provides some kinds of reporting features. It's not surprising that getting data OUT of such systems isn't the top priority of companies like either Splunk or Flowerfire, since companies increase their perceived value by you keeping your data (and your focus) inside their system. We have our output methods in our docs but they may not leap out at you.
For our part, the exit paths you can use for data you send to Splunk are:
If you need to get data from Sawmill into Splunk, it seems you'll need to ask the Sawmill folks how you can get data out of it, because I can't find it in their docs.
You have other options:
I prefer the latter, because it decouples the solutions and makes your overall architecture less brittle.