I am looking into adding our Ironport mail logs into Splunk. I tried out this solution about a year and a half ago and noticed that the Ironport appliances do not retain any logs locally after it is connected up to Splunk. This will remove some functionality of the Ironport Management appliance.
Does anybody know if the newer versions allow the appliances to retain their local logs so we can have reporting in Splunk as well as on the appliances? I am afraid to test out the app again and lose mail logs on the appliances.
We've seen the same behavior. If you send mail_logs to Splunk, they will not be retained on the Ironport Management appliance.
Any workarounds?
I've not used Ironport in a while, but when I last did this you could add additional log subscriptions, and that's how I added the data to Splunk. How are you configuring the mail logs to reach Splunk?