Proofpoint On Demand Email Security Add-on, need t...

Log_wrangler · ‎02-08-2019

I have the Proof point On Demand Email Security Add-on configured on a HF and it is sending logs to the indexers to be consumed by splunk.

However I have another use-case where I need to get a copy of the logs into s3 for another application to use.

I thought I would ask if anyone in the community has worked with the add-on long enough to know how I could setup a second input using the ProofPoint Web-socket/API key to send the logs to a local file on the forwarder. From there I need to send the logs to s3, which I can do with scripted aws cli commands.

I know this is not a typical use-case but I thought I would ask.

Thank you

jkat54 · ‎02-10-2019

I have a couple ideas for you.

Is this a use case for the outputlookup command? You can drop the data to disk easily with that command, but it will be csv.

(You could just send _raw to the csv and have 1 column)

You can crack open the python code and hack in a drop to disk feature :-).

Again just ideas/thoughts. I have 0 experience with the app.

Log_wrangler · ‎02-12-2019

Thank you, I appreciate the reply. I tried deciphering the .py scripts but there are too many intermingled, no luck so far.

Proofpoint On Demand Email Security Add-on, need to store a copy of email logs to a local file

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases