Configure monitor inputs for the Splunk Add-on for Cisco ESA
To configure the Splunk platform to monitor the Cisco ESA log files, you can use either Splunk Web to create the monitor inputs or configure inputs.conf directly.
Configure Monitoring through Splunk Web
Configure a file monitoring input on your data collection node for the Cisco ESA log files.
- Log in to Splunk Web.
- Select Settings > Data inputs > Files & directories.
- Click New.
- Click Browse next to the File or Directory field.
- Navigate to the log file generated by the Cisco ESA server and click Next.
- For the Source type, click Select. Enter your Cisco log type:
  - "cisco:esa:authentication"
  - "cisco:esa:textmail"
  - "cisco:esa:http"
  - "cisco:esa:amp"
- Click Review.
- After you review the information, click Submit.
Configure inputs.conf
You can create an inputs.conf file and configure the monitor input in this file instead of using Splunk Web.
- Using a text editor, create a file named inputs.conf in the local folder of the add-on:
  - $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-esa/local on Unix-based systems.
  - %SPLUNK_HOME%\etc\apps\Splunk_TA_cisco-esa\local on Windows systems.
- Add the following stanza and lines, depending on the type of logs you are collecting.
  For text mail logs:
      [monitor://<Cisco_Ironport_LOG_PATH>\mail.@20130712T172736.s]
      sourcetype = cisco:esa:textmail
  For HTTP logs:
      [monitor://<Cisco_Ironport_LOG_PATH>\gui.@20130302T122618.s]
      sourcetype = cisco:esa:http
  For authentication logs:
      [monitor://<Cisco_Ironport_LOG_PATH>\authentication.@20130302T122552.s]
      sourcetype = cisco:esa:authentication
  For AMP logs:
      [monitor://<Cisco_Ironport_LOG_PATH>\amp.@20180103T132842.s]
      sourcetype = cisco:esa:amp
- Save the file.
- Restart the Splunk platform in order for the new input to take effect.
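Before restarting, it is worth checking that every monitor stanza carries one of the four source types listed on this page, since a typo or an omitted sourcetype line is easy to miss in a hand-edited file. The following check is an added example, not part of the add-on or of Splunk; the function name `check_inputs_conf` and the `C:\esa_logs` path are assumptions made for illustration.

```python
import configparser

# Source types this page lists for the Splunk Add-on for Cisco ESA.
ESA_SOURCETYPES = {
    "cisco:esa:authentication",
    "cisco:esa:textmail",
    "cisco:esa:http",
    "cisco:esa:amp",
}

# Constructed sample: C:\esa_logs is a placeholder path, and the last
# two stanzas are deliberately wrong (a typo and a missing sourcetype).
SAMPLE_INPUTS_CONF = r"""
[monitor://C:\esa_logs\mail.@20130712T172736.s]
sourcetype = cisco:esa:textmail

[monitor://C:\esa_logs\gui.@20130302T122618.s]
sourcetype = cisco:esa:htpp

[monitor://C:\esa_logs\amp.@20180103T132842.s]
"""


def check_inputs_conf(text):
    """Return (stanza, problem) pairs for monitor stanzas whose
    sourcetype is missing or is not one of the ESA source types."""
    # Only "=" separates key and value, so colons inside the
    # sourcetype value are never treated as delimiters.
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",)
    )
    parser.read_string(text)
    problems = []
    for stanza in parser.sections():
        if not stanza.startswith("monitor://"):
            continue  # other input types are out of scope here
        sourcetype = parser.get(stanza, "sourcetype", fallback=None)
        if sourcetype is None:
            problems.append((stanza, "no sourcetype set"))
        elif sourcetype.strip() not in ESA_SOURCETYPES:
            problems.append((stanza, "unknown sourcetype: " + sourcetype.strip()))
    return problems


if __name__ == "__main__":
    for stanza, problem in check_inputs_conf(SAMPLE_INPUTS_CONF):
        print(f"[{stanza}] {problem}")
```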
This documentation applies to the following versions of Splunk® Supported Add-ons: released