Getting Data In

How to get Splunk to work with Sawmill server?

thinguyen
Engager

Hi,

At the moment we have had number Ironport appliances deployed but their log files being uploaded to FTP server (Sawmill server - Windows based server). How to use Splunk (Linux server) to get the data from that Sawmill?

Thanks

Tags (2)

jones4bob
Explorer

Yes, for the latter option, you can create a new log subscription for any of IronPort's log types and have it sent to Splunk.

For example, on your splunk server, create a user for your ironport system to use when dropping the files off. Create a SCP log subscription on your ironport system that sends to your splunk server. You will be provided with a key to use for your splunk account to authenticate with, this should be added to your /home/username/.ssh/authorized_keys file. Then, configure an input in splunk to monitor the directory where you told ironport to stick the files. Of course, there are some assumptions for this to work, like the fact that you've got ssh available, but that's it in a nutshell for one possibility.

0 Karma

jrodman
Splunk Employee
Splunk Employee

Sawmill seems to be another for-profit tool that both consumes log data and provides some kinds of reporting features. It's not surprising that getting data OUT of such systems isn't the top priority of companies like either Splunk or Flowerfire, since companies increase their perceived value by you keeping your data (and your focus) inside their system. We have our output methods in our docs but they may not leap out at you.

For our part, the exit paths you can use for data you send to Splunk are:

  • Splunk cli search: you can search arbitary datasets and get the log messages on standard out
  • forwarding: at the time data arrives into splunk, you can cause some subset to be forwarded as its raw text over a tcp socket to some non-splunk receiver
  • syslog forwarding: you can ask splunk to transmit events in syslog format, similarly. This has limitations since syslog event format has limitations (no 500 line messages in syslog)
  • exporttool: you can dump splunk index data to a set of flat files containing message text, or to a csv format showing all fields

If you need to get data from Sawmill into Splunk, it seems you'll need to ask the Sawmill folks how you can get data out of it, because I can't find it in their docs.

You have other options:

  • send the data to Splunk first, and have it bounce it to sawmill
  • send the data to both Splunk and Sawmill live

I prefer the latter, because it decouples the solutions and makes your overall architecture less brittle.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...