The logs sources push logs through SFTP but they are not readable or kind of logs are in encrypted form when received by forwarder.
How can change the logs to readable form when they are received by forwarder.
suggestion appreciated.
Make sure you're sending logs to port 22 (sshd daemon), not to splunk forwarder directly. Splunk doesn't support SSH/SCP/SFTP natively. You have to save logs on the hard disk and point the forwarder to the folder where they are stored to read them.
thanks for the answer,
I need to push logs from a IAM ( Identity and access mgmt) server ( linux type) via SFTP since pushing logs via syslog method from individual logs sources is not feasible for my requirement. moreover the logs stored on the IAM are encrypted or non-readable form, so when they reach heavy forwarder i need to make sure it is converted in readable form
Could you please explain "Make sure you're sending logs to port 22 (sshd daemon), not to splunk forwarder directly. Splunk doesn't support SSH/SCP/SFTP natively."
is SSH on the original logs source device or on IAM server in my case?
thanks.
OK, so the logs are already encrypted/notreadable before they are pushed? You've wrote above the logs have txt extension. You have to check the IAM vendor's documentation how to make logs readable.
Does this diagram reflect your situation, are the logs encrypted/nonreadable from the beginning and you try to use Splunk to decode them?
[IAM (encrypted, .txt-extension)] -> via FTPS -> [Splunk forwarder (encrypted, .txt-extension)]
Where/what are the logs from? What is the file extension?
logs from centralize server , logs stored on this server in txt ext